W32/Agobot-OW

Please follow the instructions for removing worms.

Change any data that may have become compromised.

Check your administrator passwords and review network security.

Replace the Hosts file from a backup or edit it in Notepad to remove the changes that the worm has made.

You will also need to edit the following registry entries, if they are present. Please read the warning about editing the registry.

At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.

Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup.

Locate the HKEY_LOCAL_MACHINE entries:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
wmon
jusched.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
wmon
jusched.exe

and delete them if they exist.

Close the registry editor.

W32/Agobot-OW is a Windows network worm which attempts to spread via network shares. The worm contains backdoor functions that allow unauthorised remote access to the infected computer via IRC channels while running in the background.

The worm spreads to network shares with weak passwords and also to unpatched computers using the LSASS security exploit (MS04-011) and the RPC-DCOM security exploit (MS03-039).

When run W32/Agobot-OW moves itself to the Windows system folder as jusched.exe and creates the following registry entries to run itself on computer logon:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
wmon
jusched.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
wmon
jusched.exe

In Windows NT-based operating systems, W32/Agobot-OW creates its own service named "wsaconfig" with the display name "wmon" and creates the following registry entries:

HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WSACONFIG

HKLM\SYSTEM\CurrentControlSet\Services\wsaconfig

The worm then tries to connect to a remote IRC server while running continuously in the background, allowing a remote intruder to access and control the computer via IRC channels.

Once installed, W32/Agobot-OW will attempt to participate in distributed denial-of-service (DDoS) attacks, steal CD keys, harvest email addresses, log keystrokes, setup a SOCKS4 server and a HTTP proxy server when instructed to do so by a remote attacker.

W32/Agobot-OW attempts to terminate and disable various anti-virus and security related programs. The worm also modifies the HOSTS file by appending the following mappings:

127.0.0.1 www.symantec.com
127.0.0.1 securityresponse.symantec.com
127.0.0.1 symantec.com
127.0.0.1 www.sophos.com
127.0.0.1 sophos.com
127.0.0.1 www.mcafee.com
127.0.0.1 mcafee.com
127.0.0.1 liveupdate.symantecliveupdate.com
127.0.0.1 www.viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 f-secure.com
127.0.0.1 www.f-secure.com
127.0.0.1 kaspersky.com
127.0.0.1 www.avp.com
127.0.0.1 www.kaspersky.com
127.0.0.1 avp.com
127.0.0.1 www.networkassociates.com
127.0.0.1 networkassociates.com
127.0.0.1 www.ca.com
127.0.0.1 ca.com
127.0.0.1 mast.mcafee.com
127.0.0.1 my-etrust.com
127.0.0.1 www.my-etrust.com
127.0.0.1 download.mcafee.com
127.0.0.1 dispatch.mcafee.com
127.0.0.1 secure.nai.com
127.0.0.1 nai.com
127.0.0.1 www.nai.com
127.0.0.1 update.symantec.com
127.0.0.1 updates.symantec.com
127.0.0.1 us.mcafee.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 customer.symantec.com
127.0.0.1 rads.mcafee.com
127.0.0.1 trendmicro.com
127.0.0.1 www.trendmicro.com

Sophos's anti-virus products include proactive protection technology, which can defend against new threats without requiring an update. Sophos customers have been protected against W32/Agobot-OW (detected as W32/Agobot-Fam) since version 3.88.