Summary

| How it spreads | |
|---|---|
| Affected operating systems | Windows |
| Included in our products from | October 2004 (3.86) |
| Protection available since | 31 August 2004 13:56:09 (GMT) |
| Detected by | All Sophos products |
Action

Please follow the instructions for removing worms.
More Information
W32/Agobot-ML is an IRC backdoor Trojan and network worm. It connects to an IRC channel on a remote server so that an intruder can issue commands to the compromised machine.
This worm will move itself into the Windows system folder as NSE.EXE and may create the following registry entries so that it can execute automatically on system restart:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
nse = nse.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
nse = nse.exe
W32/Agobot-ML may also attempt to collect email addresses from the Windows Address Book and send itself to these email addresses using its own SMTP engine with itself included as an executable attachment.
W32/Agobot-ML may attempt to terminate anti-virus and other security-related processes, in addition to other viruses, worms or Trojans.
For example:
_AVPM, _AVPCC, _AVP32, ZONEALARM, ZONALM2601, ZATUTOR, ZAPSETUP3001, ZAPRO, XPF202EN, WYVERNWORKSFIREWALL, WUPDT, WUPDATER, WSBGATE, WRCTRL, WRADMIN, WNT, WNAD, WKUFIND, WINUPDATE, WINTSK32, WINSTART001, WINSTART, WINSSK32, WINSERVN, WINRECON, WINPPR32, WINNET, WINMAIN, WINLOGIN, WININITX, WININIT, WININETD, WINDOWS, WINDOW, WINACTIVE, WIN32US, WIN32, WIN-BUGSFIX, WIMMUN32, WHOSWATCHINGME, WGFE95, WFINDV32, WEBTRAP, WEBSCANX, WEBDAV, WATCHDOG, W9X, W32DSM89, VSWINPERSE, VSWINNTSE, VSWIN9XE, VSSTAT, VSMON, VSMAIN, VSISETUP, VSHWIN32, VSECOMR, VSCHED, VSCENU6.02D30, VSCAN40, VPTRAY, VPFW30S, VPC42, VPC32, VNPC3000, VNLAN300, VIRUSMDPERSONALFIREWALL, VIR-HELP, VFSETUP, VETTRAY, VET95, VET32, VCSETUP, VBWINNTW, VBWIN9X, VBUST, VBCONS, VBCMSERV, UTPOST,
UPGRAD, UPDAT, UNDOBOOT, TVTMD, TVMD, TSADBOT, TROJANTRAP3, TRJSETUP, TRJSCAN, TRICKLER, TRACERT, TITANINXP, TITANIN, TGBOB, TFAK5, TFAK, TEEKIDS, TDS2-NT, TDS2-98, TDS-3, TCM, TCA, TC, TBSCAN, TAUMON, TASKMON, TASKMO, TASKMG, SYSUPD, SYSTEM32, SYSTEM, SYSEDIT, SYMTRAY, SYMPROXYSVC, SWEEPNET.SWEEPSRV.SYS.SWNETSUP, SWEEP95, SVSHOST, SVCHOSTS, SVCHOSTC, SVC, SUPPORTER5, SUPPORT, SUPFTRL, STCLOADER, START, ST2, SSGRATE, SS3EDIT, SRNG, SREXE, SPYXX, SPOOLSV32, SPOOLCV, SPOLER, SPHINX, SPF, SPERM, SOFI, SOAP, SMSS32, SMS, SMC, SHOWBEHIND, SHN, UPDATE, SHELLSPYINSTALL, SH, SGSSFW32, SFC, SETUP_FLOWPROTECTOR_US, SETUPVAMEEVAL, SERVLCES, SERVLCE, SERVICE, SERV95, SD,
SCVHOST, SCRSVR, SCRSCAN, SCANPM, SCAN95, SCAN32, SCAM32, SC, SBSERV, SAVENOW, SAVE, SAHAGENT, SAFEWEB, RUXDLL32, RUNDLL16, RUNDLL, RUN32DLL, RULAUNCH, RTVSCN95, RTVSCAN, RSHELL, RRGUARD, RESCUE32, RESCUE, REGEDT32, REGEDIT, REGED, REALMON, RCSYNC, RB32, RAY, RAV8WIN32ENG, RAV7WIN, RAV7, RAPAPP, QSERVER, QCONSOLE, PVIEW95, PUSSY, PURGE, PSPF, PROTECTX, PROPORT, PROGRAMAUDITOR, PROCEXPLORERV1.0, PROCESSMONITOR, PROCDUMP, PRMVR, PRMT, PRIZESURFER, PPVSTOP, PPTBC, PPINUPDT, POWERSCAN, PORTMONITOR, PORTDETECTIVE, POPSCAN, POPROXY, POP3TRAP, PLATIN, PINGSCAN, PGMONITR, PFWADMIN, PF2, PERSWF, PERSFW, PERISCOPE, PENIS, PDSETUP, PCSCAN, PCFWALLICON, PCDSETUP, PCCWIN98, PCCWIN97, PCCNTMON,
PCCIOMON, PAVW, PAVSCHED, PAVPROXY, PAVCL, PATCH, PANIXK, PADMIN, OUTPOSTPROINSTALL, OUTPOSTINSTALL, OTFIX, OSTRONET, OPTIMIZE, ONSRVR, OLLYDBG, NWTOOL16, NWSERVICE, NWINST4, NVSVC32, NVC95, NVARCH16, NUI, NTXconfig, NTVDM, NTRTSCAN, NT, NSUPDATE, NSTASK32, NSSYS32, NSCHED32, NPSSVC, NPSCHECK, NPROTECT, PFMESSENGER, NPF40_TW_98_NT_ME_2K, NOTSTART, NORTON_INTERNET_SECU_3.0_407, NORMIST, NOD32, NMAIN, NISUM, NISSERV, NETUTILS, NETSTAT, NETSPYHUNTER-1.2, NETSCANPRO, NETMON, NETINFO, NETD32, NETARMOR, NEOWATCHLOG, NEOMONITOR, NDD32, NCINST4, NAVWNT, NAVW32, NAVSTUB, NAVNT, NAVLU32, NAVENGNAVEX15.NAVLU32, NAVDX, NAVAPW32, NAVAPSVC, NAVAP.NAVAPSVC,
AUTO-PROTECT.NAV80TRY, NAV, OUTPOST, NUPGRADE, N32SCANW, MWATCH, MU0311AD, MSVXD, MSSYS, MSSMMC32, MSMSGRI32, MSMGT, MSLAUGH, MSINFO32, MSIEXEC16, MSDOS, MSDM, MSCONFIG, MSCMAN, MSCCN32, MSCACHE, MSBLAST, MSBB, MSAPP, MRFLUX, MPFTRAY, MPFSERVICE, MPFAGENT, MOSTAT, MOOLIVE, MONITOR, MMOD, MINILOG, MGUI, MGHTML, MGAVRTE, MGAVRTCL, MFWENG3.02D30, MFW2EN, MFIN32, MD, MCVSSHLD, MCVSRTE, MCTOOL, MCSHIELD, MCMNHDLR, MCAGENT, MAPISVC32, LUSPT, LUINIT, LUCOMSERVER, LUAU, LSETUP, LORDPE, LOOKOUT, LOCKDOWN2000, LOCKDOWN, LOCALNET,
LOADER, LNETINFO, LDSCAN, LDPROMENU, LDPRO, LDNETMON, LAUNCHER, KILLPROCESSSETUP161, KERNEL32, KERIO-WRP-421-EN-WIN, KERIO-WRL-421-EN-WIN, KERIO-PF-213-EN-WIN, KEENVALUE, KAZZA, KAVPF, KAVPERS40ENG, KAVLITE40ENG, JEDI, JDBGMRG, JAMMER, ISTSVC, MCUPDATE, LUALL, ISRV95, ISASS, IRIS, IPARMOR, IOMON98, INTREN, INTDEL, INIT, INFWIN, INFUS, INETLNFO, IFW2000, IFACE, IEXPLORER, IEDRIVER, IEDLL, IDLE, ICSUPPNT, ICMON, ICLOADNT, ICLOAD95, IBMAVSP, IBMASN, IAMSTATS, IAMSERV, IAMAPP, HXIUL, HXDL, HWPE, HTPATCH, HTLOG, HOTPATCH, HOTACTIO, HBSRV, HBINST, HACKTRACERSETUP, GUARDDOG, GUARD, GMT, GENERICS,
GBPOLL, GBMENU, GATOR, FSMB32, FSMA32, FSM32, FSGK32, FSAV95, FSAV530WTBYB, FSAV530STBYB, FSAV32, FSAV, FSAA, FRW, FPROT, FP-WIN_TRIAL, FP-WIN, FNRB32, FLOWPROTECTOR, FIREWALL, FINDVIRU, FIH32, FCH32, FAST, FAMEH32, F-STOPW, F-PROT95, F-PROT, F-AGNT95, EXPLORE, EXPERT, EXE.AVXW, EXANTIVIRUS-CNET, EVPN, ETRUSTCIPE, ETHEREAL, ESPWATCH, ESCANV95, ICSUPP95, ESCANHNT, ESCANH95, ESAFE, ENT, EMSW, EFPEADM, ECENGINE, DVP95_0, DVP95, DSSAGENT, DRWEBUPW, DRWEB32, DRWATSON, DPPS2, DPFSETUP, DPF, DOORS, DLLREG, DLLCACHE, DIVX, DEPUTY, DEFWATCH, DEFSCANGUI, DEFALERT, DCOMX, DATEMANAGER, Claw95, CWNTDWMO, CWNB181, CV, CTRL, CPFNT206, CPF9X206, CPD, CONNECTIONMONITOR, CMON016, CMGRDIAN, CMESYS, CMD32, CLICK, CLEANPC, CLEANER3, CLEANER, CLEAN, CFINET32, CFINET, CFIADMIN, CFGWIZ, CFD, CDP, CCPXYSVC, CCEVTMGR, CCAPP, BVT, BUNDLE, BS120, BRASIL, BPC, BORG2, BOOTWARN, BOOTCONF, BLSS, BLACKICE, BLACKD, BISP, BIPCPEVALSETUP, BIPCP, BIDSERVER, BIDEF, BELT, BEAGLE, BD_PROFESSIONAL, BARGAINS, BACKWEB, CLAW95CF, CFIAUDIT, AVXMONITORNT, AVXMONITOR9X, AVWUPSRV, AVWUPD, AVWINNT, AVWIN95, AVSYNMGR, AVSCHED32, AVPTC32, AVPM, AVPDOS32, AVPCC, AVP32, AVP, AVNT, AVLTMAIN, AVKWCTl9, AVKSERVICE, AVKSERV, AVKPOP, AVGW, AVGUARD, AVGSERV9, AVGSERV, AVGNT, AVGCTRL, AVGCC32, AVE32, AVCONSOL, AU, ATWATCH, ATRO55EN, ATGUARD, ATCON, ARR, APVXDWIN, APLICA32, APIMONITOR, ANTS, ANTIVIRUS, ANTI-TROJAN, AMON9X, ALOGSERV, ALEVIR, ALERTSVC, AGENTW, AGENTSVR, ADVXDWIN, ADAWARE, AVXQUAR, ACKWIN32, AVWUPD32, AVPUPD, AUTOUPDATE, AUTOTRACE, AUTODOWN, AUPDATE or ATUPDATER.
W32/Agobot-ML may also be used to terminate the following services on remote computers:
Themes
srservice
wuauserv
WZCSVC
winmgmt
WebClient
W32Time
upnphost
uploadmgr
TrkWks
TermService
TapiSrv
stisvc
SSDPSRV
Spooler
ShellHWDetection
SENS
seclogon
Schedule
SamSs
RpcSs
RasMan
ProtectedStorage
PolicyAgent
PlugPlay
Nla
Netman
Messenger
MDM
LmHosts
lanmanworkstation
lanmanserver
helpsvc
FastUserSwitchingCompatibility
EventSystem
Eventlog
ERSvc
Dnscache
dmserver
Dhcp
CryptSvc
Browser
AudioSrv
Ati HotKey Poller
W32/Agobot-ML may search for shared folders on the internet with weak passwords and copy itself into them.
W32/Agobot-ML also modifies a text file named HOSTS in C:\ so that the websites of anti-virus and security vendors resolve to 127.0.0.1, the local machine, which blocks updates and access to those sites:
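A defender can detect this kind of HOSTS tampering by parsing the file and flagging any hostname other than the usual loopback names that is mapped to a loopback or unspecified address. The following is an added example, not part of the Sophos analysis: it generalises beyond the 127.0.0.1 entries above to IPv6 loopback and 0.0.0.0 sinkholes, and the sample HOSTS content embedded in it is constructed for illustration.

```python
import ipaddress
import sys
from typing import Dict, List, Tuple

# Names that legitimately resolve to a loopback address in a HOSTS file.
LEGITIMATE_LOOPBACK_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}

# Constructed sample HOSTS content (not a real capture); vendor names as in the analysis.
SAMPLE_HOSTS = """\
# Constructed sample for the example
127.0.0.1       localhost
::1             localhost
127.0.0.1 www.sophos.com sophos.com
127.0.0.1 liveupdate.symantec.com   # blocks definition updates
0.0.0.0   download.mcafee.com
192.168.10.5 fileserver.corp.example
"""


def parse_hosts(text: str) -> List[Tuple[str, str]]:
    """Return (address, hostname) pairs, dropping comments, blank and malformed lines."""
    pairs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        fields = line.split()
        if len(fields) < 2:
            continue
        pairs.extend((fields[0], name.lower()) for name in fields[1:])
    return pairs


def is_sinkhole(addr: str) -> bool:
    """True when the address makes a name unreachable: loopback (v4/v6) or 0.0.0.0."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return ip.is_loopback or ip.is_unspecified


def find_hijacked_names(text: str, watch_suffixes: Tuple[str, ...] = ()) -> Dict[str, str]:
    """Map each sinkholed hostname to its address. With watch_suffixes given, only names
    equal to or under one of those domains are reported; otherwise every sinkholed name is."""
    hits: Dict[str, str] = {}
    for addr, name in parse_hosts(text):
        if name in LEGITIMATE_LOOPBACK_NAMES or not is_sinkhole(addr):
            continue
        if watch_suffixes and not any(name == s or name.endswith("." + s) for s in watch_suffixes):
            continue
        hits[name] = addr
    return hits


if __name__ == "__main__":
    # Pass a HOSTS file path to scan it; with no argument the constructed sample is used.
    text = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE_HOSTS
    for name, addr in find_hijacked_names(text).items():
        print(f"sinkholed: {name} -> {addr}")
```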
W32/Agobot-ML can sniff HTTP, ICMP, FTP and IRC network traffic and steal data from them.
The following vulnerabilities can also be exploited to aid propagation on unpatched systems and manipulate registry keys:
Remote Procedure Call (RPC) vulnerability.
Distributed Component Object Model (DCOM) vulnerability.
RPC Locator vulnerability.
IIS5/WEBDAV Buffer Overflow vulnerability.
For more information about these Windows vulnerabilities, please refer to the following Microsoft Security Bulletins:
Microsoft Security Bulletin MS03-001
Microsoft Security Bulletin MS03-007
Microsoft Security Bulletin MS03-039
W32/Agobot-ML can attempt to evade detection, can create or delete administrative shares such as admin$ and ipc$, and can test the available bandwidth by attempting to GET or POST data to the following websites:
W32/Agobot-ML can also be used to launch denial-of-service (DoS) and distributed denial-of-service (DDoS) attacks, including SYN flood, HTTP flood, fraggle and smurf attacks, against remote systems.
This worm can steal the Windows Product ID and the product keys of several applications and games, including:
AOL Instant Messenger
Battlefield 1942
Battlefield 1942: Secret Weapons Of WWII
Battlefield 1942: The Road To Rome
Battlefield 1942: Vietnam
Black and White
Call of Duty
Command and Conquer: Generals
Command and Conquer: Generals: Zero Hour
Command and Conquer: Red Alert2
Command and Conquer: Tiberian Sun
Counter-Strike
FIFA 2002
FIFA 2003
Freedom Force
Global Operations
Gunman Chronicles
Half-Life
Hidden and Dangerous 2
Industry Giant 2
IGI2: Covert Strike
James Bond 007: Nightfire
Medal of Honor: Allied Assault
Medal of Honor: Allied Assault: Breakthrough
Medal of Honor: Allied Assault: Spearhead
Nascar Racing 2002
Nascar Racing 2003
NHL 2002
NHL 2003
Need For Speed: Hot Pursuit 2
Need For Speed: Underground
Neverwinter Nights
Ravenshield
Shogun Total War - Warlord Edition
Soldiers Of Anarchy
Soldier of Fortune II - Double Helix
The Gladiators
Unreal Tournament 2003
Unreal Tournament 2004
Windows Messenger
