Sophos

W32/Agobot-RH

Aliases
  • Backdoor.Win32.Agobot.aba
  • W32/Gaobot.worm.gen.j
  • WORM_AGOBOT.APX

How it spreads
  • Network shares
Affected operating systems: Windows
Characteristics
  • Installs itself in the registry
Protection available since: 6 April 2005 20:41:19 (GMT)
Detected by: All Sophos products

More Information

W32/Agobot-RH is a member of the W32/Agobot family of network worms. The worm can spread over NetBIOS to weakly protected network shares, to weakly protected Microsoft SQL servers, and to computers vulnerable to the RPC-DCOM exploit (see Microsoft Security Bulletin MS04-012).

In order to run automatically when Windows starts up, the worm copies itself to the Windows system folder as ATAPl.EXE and creates the following registry entries (key, value name, data):

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
ATAPl
ATAPl.EXE

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
ATAPl
ATAPl.EXE

Once installed, W32/Agobot-RH connects to a preconfigured IRC server and joins a channel from which an attacker can issue further commands. These commands can cause the infected computer to perform any of the following actions:

  • Harvest e-mail addresses
  • Retrieve information from the registry
  • Search for product keys
  • Scan for remote computers to spread to
  • Upload, download, open, delete and execute files
  • Log any keystrokes made on an infected computer
  • Terminate specified security programs
  • Add services to and delete services from the Service Control Manager
  • Stop and start services running on the computer
  • List and terminate any processes running on the computer
  • Participate in distributed denial-of-service (DDoS) attacks
  • Deny access to certain computer security websites by modifying the HOSTS file

When the HOSTS file (located in '<Windows system folder>\drivers\etc\') is modified, entries are created that redirect attempted access to those sites to the IP address 127.0.0.1. The worm adds entries for the following websites:


The worm can also be commanded to secure an infected computer against further infection, or to open it up for further infection. Securing the computer involves deleting any network shares and disabling DCOM by setting the following registry entry (key, value name, data):

HKLM\Software\Microsoft\OLE
EnableDCOM
N

To open the computer up for further infection, the C$, D$, E$, ADMIN$ and IPC$ network shares are created, and DCOM is enabled by setting the following registry entry (key, value name, data):

HKLM\Software\Microsoft\OLE
EnableDCOM
Y
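As an added defender-side check (example code, not Sophos's own tooling), the following Python parses a HOSTS file and a .reg export for three of the behaviours described above: non-local hostnames redirected to loopback, a Run/RunServices entry launching ATAPl.EXE, and the EnableDCOM toggle. The sample HOSTS and registry text are constructed for the example, and the hostnames in them are placeholders, not the worm's real list.

```python
import re
# Constructed sample inputs for this example (not taken from a real host).
SAMPLE_HOSTS = """\
127.0.0.1       localhost
127.0.0.1       update.example-av.test
127.0.0.1       www.example-av.test   # added by the bot
"""
SAMPLE_REG = """\
[HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run]
"ATAPl"="ATAPl.EXE"
[HKEY_LOCAL_MACHINE\\Software\\Microsoft\\OLE]
"EnableDCOM"="N"
"""

LOOPBACK = {"127.0.0.1", "::1"}
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}
RUN_KEYS = {
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
    r"hkey_local_machine\software\microsoft\windows\currentversion\runservices",
}
OLE_KEY = r"hkey_local_machine\software\microsoft\ole"

def hosts_loopback_redirects(text):
    """Hostnames mapped to loopback that are not legitimate local names."""
    hits = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()   # drop comments, tokenise
        if fields and fields[0] in LOOPBACK:
            hits.extend(h for h in fields[1:] if h.lower() not in LOCAL_NAMES)
    return hits

def reg_values(text):
    """Parse a .reg export into {(key, value_name): data}, keys lower-cased."""
    values, key = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()
        elif key and (m := re.match(r'^"([^"]+)"="(.*)"$', line)):
            values[(key, m.group(1).lower())] = m.group(2)
    return values

def agobot_indicators(hosts_text, reg_text):
    """Return indicator strings for the behaviours the analysis describes."""
    findings = ["hosts_redirect:" + h for h in hosts_loopback_redirects(hosts_text)]
    for (key, name), data in reg_values(reg_text).items():
        if key in RUN_KEYS and "atapl.exe" in data.lower():
            findings.append("autorun:" + name)     # ATAPl.EXE persistence entry
        if key == OLE_KEY and name == "enabledcom":
            findings.append("enabledcom:" + data)  # N = DCOM disabled, Y = enabled
    return findings
```

On a live system, feed it the contents of `<Windows system folder>\drivers\etc\hosts` and a `reg export` of the two hives; a loopback redirect for any vendor site, or an EnableDCOM flip you did not make, is worth investigating.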
