Sophos

W32/Agobot-QI

Summary

How it spreads
  • Network shares
Affected operating systems Windows
Characteristics
  • Installs itself in the registry
Protection available since 25 February 2005 12:55:15 (GMT)
Detected by All Sophos products

More Information

W32/Agobot-QI is a member of the W32/Agobot family of network worms. The worm can spread to computers vulnerable to the WEBDAV, LSASS, WKS and UPNP exploits (see Microsoft Security Bulletins MS03-007, MS04-011, MS03-049 and MS01-059 respectively). The worm can also spread to machines that are infected with W32/MyDoom, W32/Bagle, Troj/Optix and W32/Sasser, as well as to weakly protected network shares.

In order to run automatically when Windows starts up, the worm copies itself to the folder as ddesvr.exe and creates the following registry entries:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
DDEsvr
ddesvr.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
DDEsvr
ddesvr.exe

Once installed, W32/Agobot-QI connects to a preconfigured IRC server and joins a channel from which an attacker can issue further commands. These commands can cause the infected computer to perform any of the following actions:

  • Open, upload, download, search for, and execute files
  • Log any keystrokes made on an infected computer
  • Examine local network traffic
  • Scan remote computers for vulnerabilities
  • Steal product keys
  • Participate in a distributed denial-of-service (DDoS) attack
  • Create and delete services in the Service Control Manager
  • Create and delete autostart entries
  • List, start, and stop processes and services
  • Attempt to disable any security software that is running

The worm may also modify the HOSTS file (located in '<System>\drivers\etc\'), whereby entries are created for the major anti-virus software websites that redirect attempted access to those sites to the IP address 127.0.0.1.

The worm can also be commanded to secure an infected computer from further infection, or open it up for further infection. Securing an infected computer involves deleting any network shares and disabling DCOM by setting the following registry entry:

HKLM\Software\Microsoft\OLE
EnableDCOM
N

To allow further infection on an infected computer, the C$, D$, E$, ADMIN$ and IPC$ network shares are added, and DCOM is enabled by setting the following registry entry:

HKLM\Software\Microsoft\OLE
EnableDCOM
Y
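As an added example, not part of the Sophos analysis, the following Python checks an offline snapshot for two of the host-level indicators described above: the DDEsvr values under the Run and RunServices keys, and HOSTS entries that pin hostnames other than localhost to a loopback address. The HOSTS text and registry snapshot are constructed sample data, and the vendor hostnames in them are placeholders rather than real sites.

```python
import re

# Autorun locations and value name the worm creates (from the analysis above).
AUTORUN_KEYS = (
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices",
)
WORM_VALUE_NAME = "DDEsvr"
WORM_FILE = "ddesvr.exe"
LOOPBACK = {"127.0.0.1", "::1"}
LOCALHOST_NAMES = {"localhost", "localhost.localdomain"}

def parse_hosts(text):
    """Yield (ip, hostname) pairs from HOSTS file text, skipping comments."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = re.split(r"\s+", line)
        for name in fields[1:]:
            yield fields[0], name.lower()

def suspicious_hosts_entries(text):
    """Hostnames pinned to loopback that are not the normal localhost names."""
    return sorted({name for ip, name in parse_hosts(text)
                   if ip in LOOPBACK and name not in LOCALHOST_NAMES})

def autorun_findings(registry):
    """registry: {key_path: {value_name: data}} snapshot (e.g. an offline export)."""
    hits = []
    for key in AUTORUN_KEYS:
        data = registry.get(key, {}).get(WORM_VALUE_NAME, "")
        if data.lower().endswith(WORM_FILE):
            hits.append(f"{key}\\{WORM_VALUE_NAME} = {data}")
    return hits

# Constructed sample data; the vendor hostnames are placeholders, not real sites.
SAMPLE_HOSTS = """# constructed HOSTS file
127.0.0.1 localhost
127.0.0.1 www.avvendor.example update.avvendor.example
10.0.0.5  fileserver.corp.example
"""
SAMPLE_REGISTRY = {
    AUTORUN_KEYS[0]: {"DDEsvr": "ddesvr.exe", "Other": "other.exe"},
    AUTORUN_KEYS[1]: {"DDEsvr": "ddesvr.exe"},
}

if __name__ == "__main__":
    print("HOSTS loopback redirects:", suspicious_hosts_entries(SAMPLE_HOSTS))
    print("Autorun hits:", autorun_findings(SAMPLE_REGISTRY))
```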
