high
Summary
Summary
Action- More Information
| How it spreads |
|
|---|---|
| Affected operating systems | Windows |
| Protection available since | 18 April 2005 07:17:31 (GMT) |
| Detected by | All Sophos products |
Sophos beta program
- Endpoint Security and Control 9.0
- Small business solutions 4.0
Action
- Summary
- Action
- More Information
Please follow the instructions for removing worms.
More Information
W32/Agobot-RL is a network worm which attempts to spread via network shares. The worm contains backdoor functions that allows unauthorised remote access to the infected computer via IRC channels while running in the background.
The worm spreads to network shares with weak passwords and also by using the LSASS security exploit (MS04-011), the RPC-DCOM security exploit (MS03-039) and the WebDav security exploit (MS03-007).
When first run, W32/Agobot-RL moves itself to the Windows System folder as a read-only, hidden, system file msnupdateit.exe and creates the following registry entries to run itself on user logon:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Microsoft Windows Updater
msnupdateit.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
Microsoft Windows Updater
msnupdateit.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Microsoft Windows Updater
msnupdateit.exe
The worm prevents access to anti-virus and security related websites by appending the following mappings to the %SYSTEM%\DRIVERS\ETC\HOSTS file:
127.0.0.1 www.grisoft.com
127.0.0.1 www.trendmicro.com
127.0.0.1 trendmicro.com
127.0.0.1 rads.mcafee.com
127.0.0.1 customer.symantec.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 us.mcafee.com
127.0.0.1 updates.symantec.com
127.0.0.1 update.symantec.com
127.0.0.1 www.nai.com
127.0.0.1 nai.com
127.0.0.1 secure.nai.com
127.0.0.1 dispatch.mcafee.com
127.0.0.1 download.mcafee.com
127.0.0.1 www.my-etrust.com
127.0.0.1 my-etrust.com
127.0.0.1 mast.mcafee.com
127.0.0.1 ca.com
127.0.0.1 www.ca.com
127.0.0.1 networkassociates.com
127.0.0.1 www.networkassociates.com
127.0.0.1 avp.com
127.0.0.1 www.kaspersky.com
127.0.0.1 www.avp.com
127.0.0.1 kaspersky-labs.com
127.0.0.1 kaspersky.com
127.0.0.1 www.f-secure.com
127.0.0.1 f-secure.com
127.0.0.1 viruslist.com
127.0.0.1 www.viruslist.com
127.0.0.1 liveupdate.symantecliveupdate.com
127.0.0.1 mcafee.com
127.0.0.1 www.mcafee.com
127.0.0.1 sophos.com
127.0.0.1 www.sophos.com
127.0.0.1 symantec.com
127.0.0.1 securityresponse.symantec.com
127.0.0.1 www.symantec.com
127.0.0.1 www.symantec.com
Once installed, W32/Agobot-RL attempts to perform the following actions when instructed to do so by a remote intruder:
send files via FTP
steals computer system information
setup a HTTP proxy server
perform denial of service (DoS) attacks
download and run files from the internet
login to MS SQL servers and send EXEC commands to open a command shell
terminate and disable various anti-virus and security related programs
|
