high
Summary
Summary
Action- More Information
| How it spreads |
|
|---|---|
| Affected operating systems | Windows |
| Included in our products from | December 2005 (4.00) |
| Protection available since | 28 October 2005 10:01:27 (GMT) |
| Detected by | All Sophos products |
Action
- Summary
- Action
- More Information
Please read the instructions for removing W32/Agobot-TY.
More Information
W32/Agobot-TY is a worm and IRC backdoor Trojan for the Windows platform.
W32/Agobot-TY spreads to other network computers by exploiting common buffer overflow vulnerabilities, including: LSASS (MS04-011), RPC-DCOM (MS04-012), WKS (MS03-049) (CAN-2003-0812), UPNP (MS01-059), Veritas (CAN-2004-1172), MSSQL (MS02-039) (CAN-2002-0649), PNP (MS05-039) and ASN.1 (MS04-007) and by copying itself to network shares protected by weak passwords.
W32/Agobot-TY runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer via IRC channels.
When first run W32/Agobot-TY copies itself to <System>\memreader.exe.
The following registry entries are created to run memreader.exe on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
memreader.exe
memreader.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
memreader.exe
memreader.exe
Registry entries are set as follows:
HKCU\Software\Microsoft\OLE
memreader.exe
memreader.exe
HKLM\SOFTWARE\Microsoft\Ole
EnableDCOM
N
HKLM\SYSTEM\CurrentControlSet\Control\Lsa
restrictanonymous
1
W32/Agobot-TY includes functionality to:
- overwrite the HOSTS file
- access the internet and communicate with a remote server via HTTP
- steal information
- carry out DDoS attacks
- terminates anti-virus and security related processes
W32/Agobot-TY may append the HOSTS file with the following mappings:
127.0.0.1 www.symantec.com
127.0.0.1 securityresponse.symantec.com
127.0.0.1 symantec.com
127.0.0.1 www.sophos.com
127.0.0.1 sophos.com
127.0.0.1 www.mcafee.com
127.0.0.1 mcafee.com
127.0.0.1 liveupdate.symantecliveupdate
127.0.0.1 www.viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 f-secure.com
127.0.0.1 www.f-secure.com
127.0.0.1 kaspersky.com
127.0.0.1 kaspersky-labs.com
127.0.0.1 www.avp.com
127.0.0.1 www.kaspersky.com
127.0.0.1 avp.com
127.0.0.1 www.networkassociates.com
127.0.0.1 networkassociates.com
127.0.0.1 www.ca.com
127.0.0.1 ca.com
127.0.0.1 mast.mcafee.com
127.0.0.1 my-etrust.com
127.0.0.1 www.my-etrust.com
127.0.0.1 download.mcafee.com
127.0.0.1 dispatch.mcafee.com
127.0.0.1 secure.nai.com
127.0.0.1 nai.com
127.0.0.1 www.nai.com
127.0.0.1 update.symantec.com
127.0.0.1 updates.symantec.com
127.0.0.1 us.mcafee.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 customer.symantec.com
127.0.0.1 rads.mcafee.com
127.0.0.1 trendmicro.com
127.0.0.1 www.trendmicro.com
127.0.0.1 www.grisoft.com
The following patches for the operating system vulnerabilities exploited by W32/Agobot-TY can be obtained from the Microsoft website:
MS04-011
MS04-012
MS03-049
MS01-059
MS02-039
MS05-039
MS04-007
|
