W32/Agobot-PF

Please follow the instructions for removing worms.

Change any data that may have become compromised.

Replace the Hosts file from a backup or edit it in Notepad to remove the changes that the worm has made.

To renable DCOM you can edit the registry, but it's better to use Dcomcnfg.exe. See Microsoft article 825750 for details.

You will also need to edit the following registry entries, if they are present. Please read the warning about editing the registry.

At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.

Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup.

Locate the HKEY_LOCAL_MACHINE entries:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Reg Service
WinnConfig.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
Reg Service
WinnConfig.exe

and delete them if they exist.

Close the registry editor.

W32/Agobot-PF is a network worm with a backdoor component.

W32/Agobot-PF is capable of spreading to computers on the local network protected by weak passwords after receiving the appropriate backdoor command.

W32/Agobot-PF can also spread by exploiting the following vulnerabilities:

DCOM (MS04-012)
LSASS (MS04-011)
WebDav (MS03-007)
UPNP (MS01-059)
WorkStation service (MS03-049)
NetBios
Buffer overflow in certain versions of DameWare (CAN-2003-1030)
Microsoft SQL servers with weak passwords.
Backdoors left open by other worms and Trojans such as W32/MyDoom, W32/Bagle and W32/Sasser.

When first run, W32/Agobot-PF copies itself to the Windows system folder as WINNCONFIG.EXE and runs this copy of the worm. The copy will then attempt to delete the original file. In order to run each time a user logs on, W32/Agobot-PF will set the following registry entries:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Reg Service
WinnConfig.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
Reg Service
WinnConfig.exe

The worm runs continuously in the background providing backdoor access to the infected computer.

W32/Agobot-PF will append the HOSTS file in the <Windows system folder>\drivers\etc folder. The file contains a list of websites each bound to the IP loopback address. This prevents access to a list of anti-virus and security related websites. For example,

127.0.0.1 sophos.com
127.0.0.1 www.sophos.com

W32/Agobot-PF is capable of testing the available bandwidth by attempting to GET or POST data to the following websites:

de.yahoo.com
nitro.ucsc.edu
verio.fr
www.1und1.de
www.above.net
www.belwue.de
www.burst.net
www.cogentco.com
www.d1asia.com
www.level3.com
www.lib.nthu.edu.tw
www.nifty.com
www.nocster.com
www.rit.edu
www.schlund.net
www.st.lib.keio.ac.jp
www.stanford.edu
www.switch.ch
www.utwente.nl
www.verio.com
www.xo.net
yahoo.co.jp

The backdoor component of W32/Agobot-PF may be used to:

Initiate Distributed Denial of Service (DDoS) attacks.
Redirect GRE, TCP, HTTP, HTTPS, SOCKS4 and SOCKS5 traffic.
Download, upload, delete and execute files.
Set up an FTP file server.
Steal passwords (including PayPal account information).
List and kill processes.
Stop, start, pause and delete services.
Modify the registry.
Open and close vulnerabilities.
Port scan for vulnerabilities on other remote computers.
Flush the DNS cache.
Log keyboard presses.
Shut down and reboot the computer.
Add and delete network shares, groups and users.
Sniff network traffic for passwords.
Steal email addresses from the computer.
Send emails as specified by the remote user.

W32/Agobot-PF may alter the following registry entry in order to enable/disable DCOM:

HKLM\Software\Microsoft\Ole\EnableDCOM

W32/Agobot-PF is capable of adding and deleting the C$, D$, IPC$ and ADMIN$ network shares.

W32/Agobot-PF may steal the Windows Product ID and keys from several computer applications or games including:

AOL Instant Messenger
Battlefield 1942
Battlefield 1942: Secret Weapons of WWII
Battlefield 1942: The Road To Rome
Battlefield 1942: Vietnam
Black and White
Call of Duty
Command and Conquer: Generals
Command and Conquer: Generals: Zero Hour
Command and Conquer: Red Alert 2
Command and Conquer: Tiberian Sun
Counter-Strike
FIFA 2002
FIFA 2003
Freedom Force
Global Operations
Gunman Chronicles
Half-Life
Hidden and Dangerous 2
IGI2: Covert Strike
Industry Giant 2
James Bond 007: Nightfire
Medal of Honor: Allied Assault
Medal of Honor: Allied Assault: Breakthrough
Medal of Honor: Allied Assault: Spearhead
Nascar Racing 2002
Nascar Racing 2003
Need For Speed: Hot Pursuit 2
Need For Speed: Underground
Neverwinter Nights
NHL 2002
NHL 2003
Rainbow Six III RavenShield
Shogun: Total War: Warlord Edition
Soldiers Of Anarchy
Soldier Of Fortune 2 - Double Helix
The Gladiators
Unreal Tournament 2003
Unreal Tournament 2004

W32/Agobot-PF can be instructed to harvest email addresses from the infected computer by searching the Windows Address Book, used by Microsoft Outlook and Outlook Express. The worm can also harvest email addresses from Microsoft Messenger.

W32/Agobot-PF will attempt to terminate a number of anti-virus and security related processes in addition to other viruses, worms and Trojans.

Sophos's anti-virus products include proactive protection technology, which can defend against new threats without requiring an update. Sophos customers have been protected against W32/Agobot-PF (detected as W32/Agobot-Fam and W32/Agobot-Gen) since version 3.89.