Sophos

W32/Agobot-PE


Summary

How it spreads
  • Network shares
Affected operating systems Windows
Protection available since 23 January 2005 22:45:22 (GMT)
Detected by All Sophos products

Action

Please follow the instructions for removing worms.

Change any passwords or other data that may have been compromised: the worm can log keystrokes, sniff network traffic for passwords and search local drives for product keys and AOL account details.

Replace the Hosts file from a backup or edit it in Notepad to remove the changes that the worm has made.

You will also need to edit the following registry entries, if they are present. Please read the warning about editing the registry.

At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.

Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup.

Locate the HKEY_LOCAL_MACHINE entries:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

and remove any value that refers to a file you deleted (for this worm, the value named 'Gekio Startups' pointing at gnksvc32.exe).

Close the registry editor.

More Information

W32/Agobot-PE is a network worm with IRC backdoor functionality.

The worm copies itself to the Windows system folder and adds the registry run entries listed below so that it is executed automatically when Windows starts up.

Once installed, W32/Agobot-PE connects to a preconfigured IRC server, joins a channel and awaits further instructions. These instructions can cause the bot to perform any of the following actions:

  • start a UDP, TCP, ICMP, SYN, HTTP or ping flood
  • start a SOCKS4, SOCKS5, HTTP or HTTPS proxy server
  • redirect TCP or GRE connections
  • start an FTP server
  • start a command shell server
  • show statistics about the infected system
  • reboot/shutdown the infected machine
  • kill anti-virus and security processes
  • list/terminate running processes
  • scan randomly- or sequentially-chosen IPs for infectable machines
  • make local drives network-shareable
  • close down vulnerable services in order to secure the machine
  • search for product keys
  • search local drives for AOL user details
  • sniff network traffic in order to find passwords
  • start a keylogger
  • download and install an updated version of itself
  • install bot plugins for additional functionality

The worm spreads to machines affected by known vulnerabilities, running network services protected by weak passwords or infected by common backdoor Trojans.

Vulnerabilities:

Universal Plug and Play (UPnP) (MS01-059)
WebDAV (MS03-007)
RPC DCOM (MS03-026, MS04-012)
Workstation service (MS03-049)
LSASS (MS04-011)
DameWare Mini Remote Control (CAN-2003-1030)

Services:

NetBIOS
MS SQL

Backdoors:

W32/Bagle
W32/MyDoom
Troj/Optix
W32/Sasser

W32/Agobot-PE creates or modifies the following registry entries (value name = value data):

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
  Gekio Startups = gnksvc32.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
  Gekio Startups = gnksvc32.exe

W32/Agobot-PE adds 127.0.0.1 (loopback) entries to the Windows HOSTS file in order to prevent access to the following websites (mostly anti-virus vendor and update servers):

127.0.0.1 www.symantec.com
127.0.0.1 securityresponse.symantec.com
127.0.0.1 symantec.com
127.0.0.1 www.sophos.com
127.0.0.1 sophos.com
127.0.0.1 www.mcafee.com
127.0.0.1 mcafee.com
127.0.0.1 liveupdate.symantecliveupdate.com
127.0.0.1 www.viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 f-secure.com
127.0.0.1 www.f-secure.com
127.0.0.1 kaspersky.com
127.0.0.1 www.avp.com
127.0.0.1 www.kaspersky.com
127.0.0.1 avp.com
127.0.0.1 www.networkassociates.com
127.0.0.1 networkassociates.com
127.0.0.1 www.ca.com
127.0.0.1 ca.com
127.0.0.1 mast.mcafee.com
127.0.0.1 my-etrust.com
127.0.0.1 www.my-etrust.com
127.0.0.1 download.mcafee.com
127.0.0.1 dispatch.mcafee.com
127.0.0.1 secure.nai.com
127.0.0.1 nai.com
127.0.0.1 www.nai.com
127.0.0.1 update.symantec.com
127.0.0.1 updates.symantec.com
127.0.0.1 us.mcafee.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 customer.symantec.com
127.0.0.1 rads.mcafee.com
127.0.0.1 trendmicro.com
127.0.0.1 www.trendmicro.com
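As an added worked example (not part of the Sophos analysis above), the following Python checks a Windows HOSTS file for loopback redirects of the kind listed above and produces a cleaned copy that keeps legitimate entries such as localhost, and on a Windows host enumerates the Run and RunServices keys for values that reference gnksvc32.exe. The sample HOSTS content, the LEGIT_LOOPBACK_NAMES set and all function names are constructed here for illustration; the check goes beyond the page by treating any loopback address (127.0.0.0/8 or ::1), not only 127.0.0.1, as a hijack target.

```python
"""Hosts-file and Run-key checks for the W32/Agobot-PE clean-up (added example)."""
import ipaddress

# Constructed sample: a legitimate localhost line, a comment, two of the
# loopback redirects the worm writes, and a legitimate internal entry.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1 www.sophos.com
127.0.0.1 liveupdate.symantec.com
192.168.1.10    fileserver   # legitimate internal entry
"""

# Names that legitimately resolve to loopback (assumed list); any other name
# pointed at a loopback address is treated as a hijack.
LEGIT_LOOPBACK_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}


def is_loopback(addr: str) -> bool:
    """True for 127.0.0.0/8 and ::1; False for anything that is not an IP."""
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False


def _split_entry(raw: str):
    """Return (address, [hostnames]) for a hosts line, or None for blank/comment."""
    line = raw.split("#", 1)[0].strip()
    if not line:
        return None
    fields = line.split()
    return fields[0], fields[1:]


def find_hijacks(text: str) -> list:
    """List hostnames the hosts file redirects to loopback but should not."""
    hijacked = []
    for raw in text.splitlines():
        entry = _split_entry(raw)
        if entry is None or not is_loopback(entry[0]):
            continue
        hijacked.extend(n for n in entry[1] if n.lower() not in LEGIT_LOOPBACK_NAMES)
    return hijacked


def clean_hosts(text: str) -> str:
    """Return the hosts file with hijack lines removed and everything else kept.

    A line is dropped only when every name on it is a hijack; a mixed line
    is rewritten so the legitimate names survive.
    """
    kept = []
    for raw in text.splitlines():
        entry = _split_entry(raw)
        if entry is None or not is_loopback(entry[0]):
            kept.append(raw)          # comments, blanks, non-loopback entries
            continue
        addr, names = entry
        good = [n for n in names if n.lower() in LEGIT_LOOPBACK_NAMES]
        if not good:
            continue                  # pure hijack line: drop it
        kept.append(raw if len(good) == len(names) else f"{addr}\t{' '.join(good)}")
    return "\n".join(kept) + "\n"


def suspicious_run_values(filename: str = "gnksvc32.exe") -> list:
    """On Windows, return (key, value name, data) for Run/RunServices values
    whose data names the worm file. Returns [] where winreg is unavailable."""
    try:
        import winreg                 # Windows-only module
    except ImportError:
        return []
    hits = []
    base = r"Software\Microsoft\Windows\CurrentVersion"
    for sub in ("Run", "RunServices"):
        try:
            key = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, f"{base}\\{sub}")
        except OSError:
            continue                  # key absent on this system
        with key:
            for i in range(winreg.QueryInfoKey(key)[1]):
                name, data, _ = winreg.EnumValue(key, i)
                if isinstance(data, str) and filename.lower() in data.lower():
                    hits.append((f"HKLM\\{base}\\{sub}", name, data))
    return hits


if __name__ == "__main__":
    print("hijacked:", find_hijacks(SAMPLE_HOSTS))
    print(clean_hosts(SAMPLE_HOSTS), end="")
    print("run values:", suspicious_run_values())
```

Run it against the real file (`%SystemRoot%\System32\drivers\etc\hosts`) by reading that path instead of SAMPLE_HOSTS; back the file up first, and review the registry hits by hand before deleting them, as the removal instructions above advise.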

W32/Agobot-PE terminates various anti-virus and security related processes.
