Antivirus and Security Software from Sophos

Sophos blogs

W32/Agobot-TH

Aliases
  • Backdoor.Win32.Agobot.xt
Category
Type
What to do
Prevalence low high

Summary

 
How it spreads
  • Network shares
Affected operating systems Windows
Characteristics
  • Installs itself in the registry
Protection available since 12 September 2005 07:56:43 (GMT)
Detected by All Sophos products
Download Free virus scan
Download the Threat Detection Test
  • Free virus, spyware, and adware scan
  • Test your existing anti-virus protection
  • Find threats your anti-virus missed

Action

More Information

W32/Agobot-TH is a worm and IRC backdoor Trojan for the Windows platform.

W32/Agobot-TH spreads:

- to other network computers infected with: W32/Sasser and Troj/Optix
- to other network computers by exploiting common buffer overflow vulnerabilities, including: LSASS (MS04-011), RPC-DCOM (MS04-012), WKS (MS03-049) (CAN-2003-0812), WebDav (MS03-007), UPNP (MS01-059) and Dameware (CAN-2003-1030)
- by copying itself to network shares protected by weak passwords

W32/Agobot-TH runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer via IRC channels.

W32/Agobot-TH includes functionality to:

- steal confidential information
- carry out DDoS flooder attacks
- silently download, install and run new software
- modify the HOSTS file

When first run W32/Agobot-TH copies itself to <System>\duck.exe.

The following registry entries are created to run duck.exe on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
duck
duck.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
duck
duck.exe

W32/Agobot-TH modifies the HOSTS file, changing the URL-to-IP mappings for selected websites, therefore preventing normal access to these sites. The new HOSTS file will typically contain the following:

127.0.0.1 www.symantec.com
127.0.0.1 securityresponse.symantec.com
127.0.0.1 symantec.com
127.0.0.1 www.sophos.com
127.0.0.1 sophos.com
127.0.0.1 www.mcafee.com
127.0.0.1 mcafee.com
127.0.0.1 liveupdate.symantecliveupdate.com
127.0.0.1 www.viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 f-secure.com
127.0.0.1 www.f-secure.com
127.0.0.1 kaspersky.com
127.0.0.1 www.avp.com
127.0.0.1 www.kaspersky.com
127.0.0.1 avp.com
127.0.0.1 www.networkassociates.com
127.0.0.1 networkassociates.com
127.0.0.1 www.ca.com
127.0.0.1 ca.com
127.0.0.1 mast.mcafee.com
127.0.0.1 my-etrust.com
127.0.0.1 www.my-etrust.com
127.0.0.1 download.mcafee.com
127.0.0.1 dispatch.mcafee.com
127.0.0.1 secure.nai.com
127.0.0.1 nai.com
127.0.0.1 www.nai.com
127.0.0.1 update.symantec.com
127.0.0.1 updates.symantec.com
127.0.0.1 us.mcafee.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 customer.symantec.com
127.0.0.1 rads.mcafee.com
127.0.0.1 trendmicro.com
127.0.0.1 www.trendmicro.com

The following patches for the operating system vulnerabilities exploited by W32/Agobot-TH can be obtained from the Microsoft website:

MS04-011
MS04-012
MS03-049
MS03-007
MS01-059

RSS|Atom
Get reports about the latest virus and spyware threats delivered to your computer