high
Summary
Summary
Action- More Information
| How it spreads |
|
|---|---|
| Affected operating systems | Windows |
| Protection available since | 24 March 2005 06:06:34 (GMT) |
| Detected by | All Sophos products |
Sophos beta program
- Endpoint Security and Control 9.0
- Small business solutions 4.0
Action
- Summary
- Action
- More Information
Please follow the instructions for removing worms.
Replace the Hosts file from a backup or edit it in Notepad to remove the changes that the worm has made.
Change any data that may have become compromised.
You will also need to edit the following registry entries, if they are present. Please read the warning about editing the registry.
At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.
Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup.
Locate the HKEY_LOCAL_MACHINE entries:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
and remove any reference to any file you deleted.
Close the registry editor.
More Information
W32/Agobot-RC is a worm with backdoor functionality which spreads to computers protected by weak passwords and by using the LSASS security exploit (MS04-011).
W32/Agobot-RC then tries to connect to a remote IRC server while running continuously in the background, allowing a remote intruder to access and control the computer via IRC channels.
The worm also modifies the HOSTS file.
Once installed, W32/Agobot-RC attempts to steal CD game keys, log keystrokes when instructed to do so by a remote intruder. W32/Agobot-RC is a worm with backdoor functionality which spreads to computers protected by weak passwords and by using the LSASS security exploit (MS04-011).
When first run, W32/Agobot-RC moves itself to the Windows system folder as smrs.exe and creates the following registry entries to run itself on computer restart:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
vsadmin
smrs.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
vsadmin
smrs.exe
W32/Agobot-RC then tries to connect to a remote IRC server while running continuously in the background, allowing a remote intruder to access and control the computer via IRC channels.
The worm modifies the HOSTS file by appending the following mappings:
127.0.0.1 www.symantec.com
127.0.0.1 securityresponse.symantec.com
127.0.0.1 symantec.com
127.0.0.1 www.sophos.com
127.0.0.1 sophos.com
127.0.0.1 www.mcafee.com
127.0.0.1 mcafee.com
127.0.0.1 liveupdate.symantecliveupdate.com
127.0.0.1 www.viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 f-secure.com
127.0.0.1 www.f-secure.com
127.0.0.1 kaspersky.com
127.0.0.1 www.avp.com
127.0.0.1 www.kaspersky.com
127.0.0.1 avp.com
127.0.0.1 www.networkassociates.com
127.0.0.1 networkassociates.com
127.0.0.1 www.ca.com
127.0.0.1 ca.com
127.0.0.1 mast.mcafee.com
127.0.0.1 my-etrust.com
127.0.0.1 www.my-etrust.com
127.0.0.1 download.mcafee.com
127.0.0.1 dispatch.mcafee.com
127.0.0.1 secure.nai.com
127.0.0.1 nai.com
127.0.0.1 www.nai.com
127.0.0.1 update.symantec.com
127.0.0.1 updates.symantec.com
127.0.0.1 us.mcafee.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 customer.symantec.com
127.0.0.1 rads.mcafee.com
127.0.0.1 trendmicro.com
127.0.0.1 www.trendmicro.com
Once installed, W32/Agobot-RC attempts to perform the following actions when instructed to do so by a remote intruder:
steal CD game keys
log keystrokes
setup a SOCKS4 server
steal email addresses and send them to a remote website via HTTP
steal MSN Messenger and computer information
perform denial of service (DoS) attacks using a variety of HTTP, Ping, TCP, UDP commands
download and run files from the internet
login to MS SQL servers and send EXEC commands to open a command shell
terminate and disable various anti-virus and security related programs
|
