Sophos

W32/Agobot-NK

Aliases
  • Backdoor.Win32.Agobot.gen
  • W32/Gaobot.worm.gen.f

How it spreads
  • Network shares
Affected operating systems: Windows
Included in our products from: December 2004 (3.88)
Protection available since: 18 October 2004 09:33:41 (GMT)
Detected by: All Sophos products

More Information

W32/Agobot-NK is a network worm with a backdoor Trojan component.

W32/Agobot-NK is capable of spreading to computers on the local network protected by weak passwords after receiving the appropriate backdoor command.

W32/Agobot-NK may also spread by exploiting the following vulnerabilities:

  • DCOM (MS04-012)
  • Microsoft SQL servers with weak passwords.
  • Backdoors left open by other worms and Trojans.

W32/Agobot-NK may search through an infected computer and delete all files with the word "SOUND" in their path.

When first run, W32/Agobot-NK copies itself to the Windows system folder as EI10.EXE and runs this copy of the worm. The copy will then attempt to delete the original file. In order to run each time Windows is started, W32/Agobot-NK will set the following registry entries:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
ei10.exe = ei10.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
ei10.exe = ei10.exe
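Both registry values above store a bare file name rather than a full path: the worm relies on Windows locating ei10.exe in the system folder when the Run and RunServices entries are processed. As an added example (not Sophos code), the following Python script reads a regedit-style .reg export, assumed already decoded to text, and flags autorun values whose command is a bare executable name, noting when the value name equals the command as it does here. The .reg content in the block is constructed for the example.

```python
"""Flag autorun registry values that name a bare executable, the pattern of
the ei10.exe = ei10.exe entries described above.

Added example for this page, not Sophos code. It reads the text of a
regedit-style .reg export (assumed already decoded from UTF-16 to str);
the SAMPLE_REG content below is constructed for the example."""

import re

# Autorun key suffixes to inspect (HKLM and HKCU paths both end with these).
AUTORUN_KEY_SUFFIXES = (
    r"\Microsoft\Windows\CurrentVersion\Run",
    r"\Microsoft\Windows\CurrentVersion\RunServices",
    r"\Microsoft\Windows\CurrentVersion\RunOnce",
)

# One string value in .reg syntax: "name"="data" (data may contain escaped quotes).
_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*)"$')


def _unescape(data):
    """Undo .reg escaping (doubled backslashes and backslash-escaped quotes)."""
    return re.sub(r"\\(.)", r"\1", data)


def parse_reg_export(text):
    """Yield (key_path, value_name, data) for every string value in a .reg export."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]            # start of a new key section
            continue
        if key is None:
            continue                    # header text before the first key
        m = _VALUE_RE.match(line)
        if m:
            yield key, m.group("name"), _unescape(m.group("data"))


def is_autorun_key(key_path):
    k = key_path.lower()
    return any(k.endswith(s.lower()) for s in AUTORUN_KEY_SUFFIXES)


def bare_executable(command):
    """True when the program token carries no directory or drive component, so
    Windows resolves it through its search path (system folder included)."""
    tokens = command.strip().split()
    if not tokens:
        return False
    program = tokens[0].strip('"')
    return not any(ch in program for ch in "\\/:")


def find_suspicious_autoruns(text):
    """Return [(key, name, data, reason)] for autorun entries that use a bare
    executable name; the reason notes when name == command, as the worm does."""
    findings = []
    for key, name, data in parse_reg_export(text):
        if not is_autorun_key(key) or not bare_executable(data):
            continue
        reason = "bare executable name resolved via search path"
        if name.lower() == data.strip().lower():
            reason += "; value name equals command (Agobot-style entry)"
        findings.append((key, name, data, reason))
    return findings


# Constructed .reg export; the ctfmon entry stands in for a normal full-path value.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"ei10.exe"="ei10.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"ei10.exe"="ei10.exe"
'''

if __name__ == "__main__":
    for key, name, data, reason in find_suspicious_autoruns(SAMPLE_REG):
        print(f"{key}\\{name} = {data!r}: {reason}")
```

A bare name in an autorun key is not proof of infection on its own (some legitimate installers write them too), so the script reports the entry for review rather than deciding; the combination with a value name identical to the command is the specific tell for this family.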

The worm runs continuously in the background providing backdoor access to the computer.

W32/Agobot-NK may append entries to the HOSTS file in the <SYSTEM>\drivers\etc folder. Each appended entry maps a website hostname to the IP loopback address (127.0.0.1), so lookups for the following anti-virus and security related websites resolve to the local machine and access to them is blocked:

127.0.0.1 www.trendmicro.com
127.0.0.1 trendmicro.com
127.0.0.1 rads.mcafee.com
127.0.0.1 customer.symantec.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 us.mcafee.com
127.0.0.1 updates.symantec.com
127.0.0.1 update.symantec.com
127.0.0.1 www.nai.com
127.0.0.1 nai.com
127.0.0.1 secure.nai.com
127.0.0.1 dispatch.mcafee.com
127.0.0.1 download.mcafee.com
127.0.0.1 www.my-etrust.com
127.0.0.1 my-etrust.com
127.0.0.1 mast.mcafee.com
127.0.0.1 ca.com
127.0.0.1 www.ca.com
127.0.0.1 networkassociates.com
127.0.0.1 www.networkassociates.com
127.0.0.1 avp.com
127.0.0.1 www.kaspersky.com
127.0.0.1 www.avp.com
127.0.0.1 kaspersky.com
127.0.0.1 www.f-secure.com
127.0.0.1 f-secure.com
127.0.0.1 viruslist.com
127.0.0.1 www.viruslist.com
127.0.0.1 liveupdate.symantecliveupdate.com
127.0.0.1 mcafee.com
127.0.0.1 www.mcafee.com
127.0.0.1 sophos.com
127.0.0.1 www.sophos.com
127.0.0.1 symantec.com
127.0.0.1 securityresponse.symantec.com
127.0.0.1 www.symantec.com
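Because the HOSTS file is consulted before DNS, a single line like those above silently breaks signature updates for the product named on it. As an added example (not Sophos code), the Python script below parses a HOSTS file, tolerating comments and multiple hostnames per line, and reports every non-local hostname bound to a loopback address, distinguishing the security-vendor domains from the list above from other entries that merit manual review. The vendor domain set is taken from this page's list; the sample HOSTS text is constructed for the example.

```python
"""Report HOSTS-file entries that bind security-vendor hostnames (or any other
non-local hostname) to the loopback address, the technique described above.

Added example for this page, not Sophos code. VENDOR_DOMAINS is drawn from
the page's list; SAMPLE_HOSTS below is constructed, not a real capture."""

import ipaddress

# Registrable domains from the page's list of sinkholed websites.
VENDOR_DOMAINS = {
    "trendmicro.com", "mcafee.com", "symantec.com", "nai.com",
    "my-etrust.com", "ca.com", "networkassociates.com", "avp.com",
    "kaspersky.com", "f-secure.com", "viruslist.com",
    "symantecliveupdate.com", "sophos.com",
}

# Loopback mappings that belong in an ordinary HOSTS file.
LEGITIMATE_LOOPBACK = {
    "localhost", "localhost.localdomain", "broadcasthost",
    "ip6-localhost", "ip6-loopback",
}


def parse_hosts(text):
    """Yield (line_no, ip_address, [hostnames]) for each usable HOSTS line."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()      # drop comments, keep the rest
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue                              # malformed address; skip
        yield line_no, ip, [h.lower().rstrip(".") for h in parts[1:]]


def registered_domain(hostname):
    """Last two labels of the name (www.sophos.com -> sophos.com). Adequate for
    the vendor list on this page; not a public-suffix-list implementation."""
    labels = hostname.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else hostname


def find_sinkholed(text):
    """Return [(line_no, hostname, reason)] for suspicious loopback bindings.
    Vendor hostnames are reported as sinkholed; any other non-local hostname
    bound to loopback is reported for manual review."""
    findings = []
    for line_no, ip, hostnames in parse_hosts(text):
        if not ip.is_loopback:
            continue
        for host in hostnames:
            if host in LEGITIMATE_LOOPBACK:
                continue
            if registered_domain(host) in VENDOR_DOMAINS:
                findings.append((line_no, host, "security-vendor host sinkholed"))
            else:
                findings.append((line_no, host, "non-local host mapped to loopback"))
    return findings


# Constructed sample: two normal lines, an intranet entry, then appended sinkholes.
SAMPLE_HOSTS = """# constructed sample HOSTS file
127.0.0.1       localhost
::1             ip6-localhost ip6-loopback
10.0.0.5        fileserver.corp.example   # ordinary intranet entry
127.0.0.1 www.sophos.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 rads.mcafee.com
127.0.0.1 internal-dev.example
"""

if __name__ == "__main__":
    for line_no, host, reason in find_sinkholed(SAMPLE_HOSTS):
        print(f"line {line_no}: {host}: {reason}")
```

On a real system point the script at <SYSTEM>\drivers\etc\hosts (read with errors="replace", since worm-written files are not always clean text) and treat any vendor finding as a strong indicator; the "non-local host" findings are there to catch variants that use a different domain list.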

W32/Agobot-NK may test the available bandwidth by attempting to GET or POST data to the following websites:

www.ryan1918.net
www.ryan1918.org
www.ryan1918.com
yahoo.co.jp
www.nifty.com
www.d1asia.com
www.st.lib.keio.ac.jp
www.lib.nthu.edu.tw
www.above.net
www.level3.com
nitro.ucsc.edu
www.burst.net
www.cogentco.com
www.rit.edu
www.nocster.com
www.verio.com
www.stanford.edu
www.xo.net
de.yahoo.com
www.belwue.de
www.switch.ch
www.1und1.de
verio.fr
www.utwente.nl
www.schlund.net

The backdoor component of W32/Agobot-NK may be used to:

  • Initiate denial-of-service (DOS) attacks.
  • Redirect GRE, TCP, HTTP, HTTPS, SOCKS4 and SOCKS5 traffic.
  • Download, upload, delete and execute files.
  • Set up an FTP file server.
  • Steal passwords (including PayPal account information).
  • List and kill processes.
  • Stop, start, pause and delete services.
  • Modify the registry.
  • Open and close vulnerabilities.
  • Port scan for vulnerabilities on other remote computers.
  • Flush the DNS cache.
  • Shut down and reboot the computer.
  • Add and delete network shares, groups and users.
  • Sniff network traffic for passwords.

W32/Agobot-NK may alter the following registry entry in order to enable/disable DCOM:

HKLM\SOFTWARE\Microsoft\Ole\EnableDCOM

W32/Agobot-NK is capable of adding and deleting the C$, D$, IPC$ and ADMIN$ network shares.

W32/Agobot-NK may steal the Windows Product ID and keys from several computer applications or games including:

  • AOL Instant Messenger
  • Battlefield 1942
  • Battlefield 1942: Secret Weapons of WWII
  • Battlefield 1942: The Road To Rome
  • Battlefield 1942: Vietnam
  • Black and White
  • Call of Duty
  • Command and Conquer: Generals
  • Command and Conquer: Generals: Zero Hour
  • Command and Conquer: Red Alert 2
  • Command and Conquer: Tiberian Sun
  • Counter-Strike
  • FIFA 2002
  • FIFA 2003
  • Freedom Force
  • Global Operations
  • Gunman Chronicles
  • Half-Life
  • Hidden and Dangerous 2
  • IGI2: Covert Strike
  • Industry Giant 2
  • James Bond 007: Nightfire
  • Medal of Honor: Allied Assault
  • Medal of Honor: Allied Assault: Breakthrough
  • Medal of Honor: Allied Assault: Spearhead
  • Nascar Racing 2002
  • Nascar Racing 2003
  • Need For Speed: Hot Pursuit 2
  • Need For Speed: Underground
  • Neverwinter Nights
  • NHL 2002
  • NHL 2003
  • Rainbow Six III RavenShield
  • Shogun: Total War: Warlord Edition
  • Soldiers Of Anarchy
  • Soldier Of Fortune 2
  • The Gladiators
  • Unreal Tournament 2003
  • Unreal Tournament 2004
  • Windows product ID

W32/Agobot-NK can be instructed to harvest email addresses from the infected computer by searching the Windows Address Book, used by Microsoft Outlook and Outlook Express. The worm can also harvest email addresses from Microsoft Messenger.

W32/Agobot-NK will attempt to terminate a number of anti-virus and security related processes, in addition to other viruses, worms and Trojans. The list of processes includes:

F-AGOBOT.EXE, HIJACKTHIS.EXE, _AVPM.EXE, _AVPCC.EXE, _AVP32.EXE, ZONEALARM.EXE, ZONALM2601.EXE, ZATUTOR.EXE, ZAPSETUP3001.EXE, ZAPRO.EXE, XPF202EN.EXE, WYVERNWORKSFIREWALL.EXE, WUPDT.EXE, WUPDATER.EXE, WSBGATE.EXE, WRCTRL.EXE, WRADMIN.EXE, WNT.EXE, WNAD.EXE, WKUFIND.EXE, WINUPDATE.EXE, WINTSK32.EXE, WINSTART001.EXE, WINSTART.EXE, WINSSK32.EXE, WINSERVN.EXE, WINRECON.EXE, WINPPR32.EXE, WINNET.EXE, WINMAIN.EXE, WINLOGIN.EXE, WININITX.EXE, WININIT.EXE, WININETD.EXE, WINDOWS.EXE, WINDOW.EXE, WINACTIVE.EXE, WIN32US.EXE, WIN32.EXE, WIN-BUGSFIX.EXE, WIMMUN32.EXE, WHOSWATCHINGME.EXE, WGFE95.EXE, WFINDV32.EXE, WEBTRAP.EXE, WEBSCANX.EXE, WEBDAV.EXE, WATCHDOG.EXE, W9X.EXE, W32DSM89.EXE, VSWINPERSE.EXE, VSWINNTSE.EXE, VSWIN9XE.EXE, VSSTAT.EXE, VSMON.EXE, VSMAIN.EXE, VSISETUP.EXE, VSHWIN32.EXE, VSECOMR.EXE, VSCHED.EXE, VSCENU6.02D30.EXE, VSCAN40.EXE, VPTRAY.EXE, VPFW30S.EXE, VPC42.EXE, VPC32.EXE, VNPC3000.EXE, VNLAN300.EXE, VIRUSMDPERSONALFIREWALL.EXE, VIR-HELP.EXE, VFSETUP.EXE,
VETTRAY.EXE, VET95.EXE, VET32.EXE, VCSETUP.EXE, VBWINNTW.EXE, VBWIN9X.EXE, VBUST.EXE, VBCONS.EXE, VBCMSERV.EXE, UTPOST.EXE, UPGRAD.EXE, UPDAT.EXE, UNDOBOOT.EXE, TVTMD.EXE, TVMD.EXE, TSADBOT.EXE, TROJANTRAP3.EXE, TRJSETUP.EXE, TRJSCAN.EXE, TRICKLER.EXE, TRACERT.EXE, TITANINXP.EXE, TITANIN.EXE, TGBOB.EXE, TFAK5.EXE, TFAK.EXE, TEEKIDS.EXE, TDS2-NT.EXE, TDS2-98.EXE, TDS-3.EXE, TCM.EXE, TCA.EXE, TC.EXE, TBSCAN.EXE, TAUMON.EXE, TASKMON.EXE, TASKMO.EXE, TASKMG.EXE, SYSUPD.EXE, SYSTEM32.EXE, SYSTEM.EXE, SYSEDIT.EXE, SYMTRAY.EXE, SYMPROXYSVC.EXE, SWEEPNET.SWEEPSRV.SYS.SWNETSUP.EXE, SWEEP95.EXE, SVSHOST.EXE, VCHOSTS.EXE, SVCHOSTC.EXE, SVC.EXE, SUPPORTER5.EXE, SUPPORT.EXE, SUPFTRL.EXE, STCLOADER.EXE, START.EXE, ST2.EXE, SSG_4104.EXE, SSGRATE.EXE, SS3EDIT.EXE, SRNG.EXE, SREXE.EXE, SPYXX.EXE, SPOOLSV32.EXE, SPOOLCV.EXE, SPOLER.EXE, SPHINX.EXE, SPF.EXE, SPERM.EXE, SOFI.EXE, SOAP.EXE, SMSS32.EXE, SMS.EXE, SMC.EXE, SHOWBEHIND.EXE, SHN.EXE, UPDATE.EXE, SHELLSPYINSTALL.EXE, SH.EXE, SGSSFW32.EXE, SFC.EXE, SETUP_FLOWPROTECTOR_US.EXE, SETUPVAMEEVAL.EXE, SERVLCES.EXE, SERVLCE.EXE, SERVICE.EXE, SERV95.EXE, SD.EXE, SCVHOST.EXE, SCRSVR.EXE, SCRSCAN.EXE, SCANPM.EXE, SCAN95.EXE, SCAN32.EXE, SCAM32.EXE, SC.EXE, SBSERV.EXE, SAVENOW.EXE, SAVE.EXE, SAHAGENT.EXE, SAFEWEB.EXE, RUXDLL32.EXE, RUNDLL16.EXE, RUNDLL.EXE, RUN32DLL.EXE, RULAUNCH.EXE, RTVSCN95.EXE, RTVSCAN.EXE, RSHELL.EXE, RRGUARD.EXE, RESCUE32.EXE, RESCUE.EXE, REGEDT32.EXE, REGEDIT.EXE, REGED.EXE, REALMON.EXE, RCSYNC.EXE, RB32.EXE, RAY.EXE, RAV8WIN32ENG.EXE, RAV7WIN.EXE, RAV7.EXE,
RAPAPP.EXE, QSERVER.EXE, QCONSOLE.EXE, PVIEW95.EXE, PUSSY.EXE, PURGE.EXE, PSPF.EXE, PROTECTX.EXE, PROPORT.EXE, PROGRAMAUDITOR.EXE, PROCEXPLORERV1.0.EXE, PROCESSMONITOR.EXE, PROCDUMP.EXE, PRMVR.EXE, PRMT.EXE, PRIZESURFER.EXE, PPVSTOP.EXE, PPTBC.EXE, PPINUPDT.EXE, POWERSCAN.EXE, PORTMONITOR.EXE, PORTDETECTIVE.EXE, POPSCAN.EXE, POPROXY.EXE, POP3TRAP.EXE, PLATIN.EXE, PINGSCAN.EXE, PGMONITR.EXE, PFWADMIN.EXE, PF2.EXE, PERSWF.EXE, PERSFW.EXE, PERISCOPE.EXE, PENIS.EXE, PDSETUP.EXE, PCSCAN.EXE, PCIP10117_0.EXE, PCFWALLICON.EXE, PCDSETUP.EXE, PCCWIN98.EXE, PCCWIN97.EXE, PCCNTMON.EXE, PCCIOMON.EXE, PCC2K_76_1436.EXE, PCC2002S902.EXE, PAVW.EXE, PAVSCHED.EXE, PAVPROXY.EXE, PAVCL.EXE, PATCH.EXE, PANIXK.EXE, PADMIN.EXE, OUTPOSTPROINSTALL.EXE, OUTPOSTINSTALL.EXE, OTFIX.EXE, OSTRONET.EXE, OPTIMIZE.EXE, ONSRVR.EXE, OLLYDBG.EXE, NWTOOL16.EXE, NWSERVICE.EXE, NWINST4.EXE, NVSVC32.EXE, NVC95.EXE, NVARCH16.EXE, NUI.EXE, NTXconfig.EXE, NTVDM.EXE, NTRTSCAN.EXE, NT.EXE, NSUPDATE.EXE, NSTASK32.EXE, NSSYS32.EXE, NSCHED32.EXE, NPSSVC.EXE, NPSCHECK.EXE, NPROTECT.EXE, NPFMESSENGER.EXE, NPF40_TW_98_NT_ME_2K.EXE, NOTSTART.EXE, NORTON_INTERNET_SECU_3.0_407.EXE, NORMIST.EXE, NOD32.EXE, NMAIN.EXE, NISUM.EXE, NISSERV.EXE, NETUTILS.EXE, NETSTAT.EXE, NETSPYHUNTER-1.2.EXE, NETSCANPRO.EXE, NETMON.EXE, NETINFO.EXE, NETD32.EXE, NETARMOR.EXE, NEOWATCHLOG.EXE, NEOMONITOR.EXE, DD32.EXE,
NCINST4.EXE, NC2000.EXE, NAVWNT.EXE, NAVW32.EXE, NAVSTUB.EXE, AVNT.EXE,
NAVLU32.EXE, NAVENGNAVEX15.NAVLU32.EXE, NAVDX.EXE, NAVAPW32.EXE, NAVAPSVC.EXE, NAVAP.NAVAPSVC.EXE, AUTO-PROTECT.NAV80TRY.EXE, NAV.EXE, OUTPOST.EXE, NUPGRADE.EXE, N32SCANW.EXE, MWATCH.EXE, MU0311AD.EXE, MSVXD.EXE, MSSYS.EXE, MSSMMC32.EXE, MSMSGRI32.EXE, MSMGT.EXE, MSLAUGH.EXE, MSINFO32.EXE, MSIEXEC16.EXE, MSDOS.EXE, MSDM.EXE, MSCONFIG.EXE, MSCMAN.EXE, MSCCN32.EXE, MSCACHE.EXE, MSBLAST.EXE, MSBB.EXE, MSAPP.EXE, MRFLUX.EXE, MPFTRAY.EXE, MPFSERVICE.EXE, MPFAGENT.EXE, MOSTAT.EXE, MOOLIVE.EXE, MONITOR.EXE, MMOD.EXE, MINILOG.EXE, MGUI.EXE, MGHTML.EXE, MGAVRTE.EXE, MGAVRTCL.EXE, MFWENG3.02D30.EXE, MFW2EN.EXE, MFIN32.EXE, MD.EXE, MCVSSHLD.EXE, MCVSRTE.EXE, MCTOOL.EXE, MCSHIELD.EXE, MCMNHDLR.EXE, MCAGENT.EXE, MAPISVC32.EXE, LUSPT.EXE, LUINIT.EXE, LUCOMSERVER.EXE, LUAU.EXE, LSETUP.EXE, LORDPE.EXE, LOOKOUT.EXE, LOCKDOWN2000.EXE, LOCKDOWN.EXE, LOCALNET.EXE, LOADER.EXE, LNETINFO.EXE, LDSCAN.EXE, LDPROMENU.EXE, LDPRO.EXE, LDNETMON.EXE, LAUNCHER.EXE, KILLPROCESSSETUP161.EXE, KERNEL32.EXE, KERIO-WRP-421-EN-WIN.EXE, KERIO-WRL-421-EN-WIN.EXE, KERIO-PF-213-EN-WIN.EXE, KEENVALUE.EXE, AZZA.EXE, KAVPF.EXE, KAVPERS40ENG.EXE, KAVLITE40ENG.EXE, JEDI.EXE, JDBGMRG.EXE, JAMMER.EXE, ISTSVC.EXE, MCUPDATE.EXE, LUALL.EXE, ISRV95.EXE, ISASS.EXE, IRIS.EXE, IPARMOR.EXE, IOMON98.EXE, INTREN.EXE, INTDEL.EXE, INIT.EXE, INFWIN.EXE, INFUS.EXE, INETLNFO.EXE, IFW2000.EXE, IFACE.EXE, IEXPLORER.EXE, IEDRIVER.EXE, IEDLL.EXE, IDLE.EXE, ICSUPPNT.EXE, ICMON.EXE, ICLOADNT.EXE, ICLOAD95.EXE, IBMAVSP.EXE, IBMASN.EXE, IAMSTATS.EXE, IAMSERV.EXE, IAMAPP.EXE, HXIUL.EXE, HXDL.EXE, HWPE.EXE, HTPATCH.EXE, HTLOG.EXE, HOTPATCH.EXE, HOTACTIO.EXE, HBSRV.EXE, HBINST.EXE, HACKTRACERSETUP.EXE, GUARDDOG.EXE, GUARD.EXE, GMT.EXE, GENERICS.EXE, GBPOLL.EXE, GBMENU.EXE, GATOR.EXE, FSMB32.EXE, FSMA32.EXE, FSM32.EXE, FSGK32.EXE, FSAV95.EXE, FSAV530WTBYB.EXE, FSAV530STBYB.EXE, FSAV32.EXE, FSAV.EXE, FSAA.EXE, FRW.EXE, FPROT.EXE, FP-WIN_TRIAL.EXE, FP-WIN.EXE, FNRB32.EXE, FLOWPROTECTOR.EXE, FIREWALL.EXE,
FINDVIRU.EXE, FIH32.EXE, FCH32.EXE, FAST.EXE, FAMEH32.EXE, F-STOPW.EXE, F-PROT95.EXE, F-PROT.EXE, F-AGNT95.EXE, EXPLORE.EXE, EXPERT.EXE, EXE.AVXW.EXE, EXANTIVIRUS-CNET.EXE, EVPN.EXE, ETRUSTCIPE.EXE, ETHEREAL.EXE, ESPWATCH.EXE, ESCANV95.EXE, ICSUPP95.EXE, ESCANHNT.EXE, ESCANH95.EXE, ESAFE.EXE, ENT.EXE, EMSW.EXE, EFPEADM.EXE, ECENGINE.EXE, DVP95_0.EXE, DVP95.EXE, DSSAGENT.EXE, DRWEBUPW.EXE, DRWEB32.EXE, DRWATSON.EXE, DPPS2.EXE, DPFSETUP.EXE, DPF.EXE, DOORS.EXE, DLLREG.EXE, DLLCACHE.EXE, DIVX.EXE, DEPUTY.EXE, DEFWATCH.EXE, DEFSCANGUI.EXE, DEFALERT.EXE, DCOMX.EXE, DATEMANAGER.EXE, Claw95.EXE,
CWNTDWMO.EXE, CWNB181.EXE, CV.EXE, CTRL.EXE, CPFNT206.EXE, CPF9X206.EXE, CPD.EXE, CONNECTIONMONITOR.EXE, CMON016.EXE, CMGRDIAN.EXE, CMESYS.EXE, CMD32.EXE, CLICK.EXE, CLEANPC.EXE, CLEANER3.EXE, CLEANER.EXE, CLEAN.EXE, CFINET32.EXE, CFINET.EXE, CFIADMIN.EXE, CFGWIZ.EXE, CFD.EXE, CDP.EXE, CCPXYSVC.EXE, CCEVTMGR.EXE, CCAPP.EXE, BVT.EXE, BUNDLE.EXE, BS120.EXE, BRASIL.EXE, BPC.EXE, BORG2.EXE, BOOTWARN.EXE, BOOTCONF.EXE, BLSS.EXE, BLACKICE.EXE, BLACKD.EXE, BISP.EXE, BIPCPEVALSETUP.EXE, BIPCP.EXE, BIDSERVER.EXE, BIDEF.EXE, BELT.EXE, BEAGLE.EXE, BD_PROFESSIONAL.EXE, BARGAINS.EXE, BACKWEB.EXE, CLAW95CF.EXE, CFIAUDIT.EXE, AVXMONITORNT.EXE, AVXMONITOR9X.EXE, AVWUPSRV.EXE, AVWUPD.EXE, AVWINNT.EXE, AVWIN95.EXE,
AVSYNMGR.EXE, AVSCHED32.EXE, AVPTC32.EXE, AVPM.EXE, AVPDOS32.EXE, AVPCC.EXE, AVP32.EXE, AVP.EXE, AVNT.EXE, AVLTMAIN.EXE, AVKWCTl9.EXE, AVKSERVICE.EXE, AVKSERV.EXE, AVKPOP.EXE, AVGW.EXE, AVGUARD.EXE, AVGSERV9.EXE, AVGSERV.EXE, AVGNT.EXE, AVGCTRL.EXE, AVGCC32.EXE, AVE32.EXE, AVCONSOL.EXE, AU.EXE, ATWATCH.EXE, ATRO55EN.EXE, ATGUARD.EXE, ATCON.EXE, ARR.EXE, APVXDWIN.EXE, APLICA32.EXE, APIMONITOR.EXE, ANTS.EXE, ANTIVIRUS.EXE, ANTI-TROJAN.EXE, AMON9X.EXE, ALOGSERV.EXE, ALEVIR.EXE, ALERTSVC.EXE, AGENTW.EXE, AGENTSVR.EXE, ADVXDWIN.EXE, ADAWARE.EXE, AVXQUAR.EXE, ACKWIN32.EXE, AVWUPD32.EXE, AVPUPD.EXE, AUTOUPDATE.EXE, AUTOTRACE.EXE, AUTODOWN.EXE, AUPDATE.EXE, ATUPDATER.EXE

Sophos Anti-Virus version 3.85 detects this worm as W32/Agobot-Fam without requiring an update.
