Sophos

W32/Agobot-LG

Aliases
  • Backdoor.Agobot.gen
  • W32/Gaobot.worm.gen.d
  • W32.HLLW.Gaobot.gen

Summary

Included in our products from June 2004 (3.82)
Protection available since 30 April 2004 09:37:46 (GMT)
Detected by All Sophos products

More Information

W32/Agobot-LG is an IRC backdoor Trojan and peer-to-peer (P2P) worm which
opens TCP ports to listen for and process commands received from a remote
intruder.

This worm copies itself into the Windows System32 folder under the filename
javaw.exe and may create the following registry entries so that it runs
automatically each time the system restarts:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
command = javaw.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
command = javaw.exe

This worm will also attempt to harvest email addresses from the Windows Address
Book and send itself to these addresses using its own SMTP engine, with a copy
of itself attached as an executable.

W32/Agobot-LG will attempt to terminate anti-virus and software firewall
processes, as well as processes belonging to other viruses, worms and Trojans.

This worm will search for network shares protected by weak passwords and copy
itself into them. A text file named HOSTS may also be dropped into
C:\<Windows System32>\drivers\etc containing a list of anti-virus and other
security related websites, each bound to the loopback address 127.0.0.1.
Because the HOSTS file is consulted before DNS, these entries effectively
prevent access to the listed sites, including anti-virus updates, until the
file is cleaned.
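The two host artifacts described above, the javaw.exe autorun entries under Run/RunServices and a HOSTS file that binds security vendors' sites to loopback, are easy to check for during triage. The script below is an added example and is not Sophos code: it parses a HOSTS file and flags any non-local hostname mapped to a loopback address, and it inspects exported Run/RunServices values for a bare or System32-resident javaw.exe. The HOSTS contents and registry values are constructed samples embedded inline so the script runs offline; on a real system you would read the file and export the two keys instead.

```python
"""Added triage example (not Sophos code) for the W32/Agobot-LG artifacts above."""
import ipaddress
import re

# Names a HOSTS file legitimately maps to a loopback address.
LEGIT_LOOPBACK_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}

# The two autorun keys named in the description (HKLM hive).
AUTORUN_KEYS = (
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices",
)

# Constructed sample HOSTS file, modelled on the hijacked file the description mentions.
SAMPLE_HOSTS = """# constructed sample, not a real capture
127.0.0.1       localhost
127.0.0.1       www.sophos.com
127.0.0.1       update.symantec.com
127.0.0.1       www.microsoft.com windowsupdate.microsoft.com
192.0.2.10      intranet.example   # unrelated entry, not loopback
"""

# Constructed sample of exported autorun values: "<key>\<value name>" -> command.
SAMPLE_AUTORUN = {
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\command": "javaw.exe",
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\command": "javaw.exe",
    # A legitimate-looking Java entry launched from a Java directory, for contrast.
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\SunJavaUpdateSched":
        r'"C:\Program Files\Java\jre\bin\jusched.exe"',
}


def hijacked_hosts_entries(hosts_text):
    """Return (hostname, ip) pairs that point a non-local name at a loopback address.

    Comments (#...) and blank lines are skipped; each remaining line is
    "IP name [alias ...]". An entry is flagged when the IP is loopback
    (127.0.0.0/8 or ::1) and the name is not a standard loopback alias.
    """
    flagged = []
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # malformed line, not an address
        if not ip.is_loopback:
            continue
        for name in fields[1:]:
            if name.lower() not in LEGIT_LOOPBACK_NAMES:
                flagged.append((name.lower(), str(ip)))
    return flagged


# Matches a bare "javaw.exe" or one launched from a ...\System32\ path; a real
# Java install launches javaw.exe from its own directory, not from System32.
_JAVAW_IN_SYSTEM32 = re.compile(
    r'^"?(?:.*\\system32\\)?javaw\.exe"?(?:\s|$)', re.IGNORECASE
)


def suspicious_autorun_values(autorun_values):
    """Flag Run/RunServices values whose command is a bare or System32 javaw.exe.

    autorun_values maps "<key>\\<value name>" to the command string, as you
    would get by exporting the two keys (reg export or a registry parser).
    """
    return [
        (path, cmd)
        for path, cmd in autorun_values.items()
        if any(path.lower().startswith(key.lower() + "\\") for key in AUTORUN_KEYS)
        and _JAVAW_IN_SYSTEM32.match(cmd.strip())
    ]


if __name__ == "__main__":
    for name, ip in hijacked_hosts_entries(SAMPLE_HOSTS):
        print(f"HOSTS hijack: {name} -> {ip}")
    for path, cmd in suspicious_autorun_values(SAMPLE_AUTORUN):
        print(f"Suspicious autorun: {path} = {cmd}")
```

Cleaning up means deleting the flagged HOSTS lines (or restoring the file to the single localhost entry), removing the two autorun values and the System32 copy of javaw.exe, and only then re-running the anti-virus update, since the update itself will fail while the HOSTS entries are in place.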

W32/Agobot-LG can sniff HTTP, ICMP, FTP and IRC network traffic and steal
data from it. This worm can also exploit the DCOM vulnerability on unpatched
systems and manipulate registry keys. It can also test the available bandwidth
by attempting to GET or POST data to the following websites:

yahoo.co.jp
www.nifty.com
www.d1asia.com
www.st.lib.keio.ac.jp
www.lib.nthu.edu.tw
www.above.net
www.level3.com
nitro.ucsc.edu
www.burst.net
www.cogentco.com
www.rit.edu
www.nocster.com
www.verio.com
www.stanford.edu
www.xo.net
de.yahoo.com
www.belwue.de
www.switch.ch
www.1und1.de
verio.fr
www.utwente.nl
www.schlund.net

W32/Agobot-LG can also be used to launch denial-of-service (DoS) and
distributed denial-of-service (DDoS) attacks against remote systems, using
SYN flood, HTTP flood, UDP flood and ICMP flood techniques.

This worm can steal the Windows Product ID and the licence keys of several
applications and games.

W32/Agobot-LG will also delete every file on the computer whose filename
contains "sound".
