W32/Agobot-SR

Category: Viruses and Spyware
Type: Win32 worm
Prevalence: No Reports


W32/Agobot-SR is a worm that spreads via network shares. The worm also has a backdoor component that allows a malicious user remote access to an infected computer via IRC channels while running in the background as a service process.

When run, W32/Agobot-SR moves itself to the Windows System folder and creates the following registry entries so as to run itself at user logon:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Bcvsrv32
msbvd32.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
Bcvsrv32
msbvd32.exe

W32/Agobot-SR attempts to terminate processes related to anti-virus and security programs.

When instructed by a remote attacker, W32/Agobot-SR attempts to perform the following functions:

  • shutdown the computer
  • terminate processes
  • log keystrokes
  • download files from the internet and run them
  • steal email addresses
  • steal CD keys
  • launch denial-of-service (DoS) attacks
  • steal computer information

The worm also appends the HOSTS file with the following mappings:

127.0.0.1 www.symantec.com
127.0.0.1 securityresponse.symantec.com
127.0.0.1 symantec.com
127.0.0.1 www.sophos.com
127.0.0.1 sophos.com
127.0.0.1 www.mcafee.com
127.0.0.1 mcafee.com
127.0.0.1 liveupdate.symantecliveupdate.com
127.0.0.1 www.viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 f-secure.com
127.0.0.1 www.f-secure.com
127.0.0.1 kaspersky.com
127.0.0.1 www.avp.com
127.0.0.1 www.kaspersky.com
127.0.0.1 avp.com
127.0.0.1 www.networkassociates.com
127.0.0.1 networkassociates.com
127.0.0.1 www.ca.com
127.0.0.1 ca.com
127.0.0.1 mast.mcafee.com
127.0.0.1 my-etrust.com
127.0.0.1 www.my-etrust.com
127.0.0.1 download.mcafee.com
127.0.0.1 dispatch.mcafee.com
127.0.0.1 secure.nai.com
127.0.0.1 nai.com
127.0.0.1 www.nai.com
127.0.0.1 update.symantec.com
127.0.0.1 updates.symantec.com
127.0.0.1 us.mcafee.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 customer.symantec.com
127.0.0.1 rads.mcafee.com
127.0.0.1 trendmicro.com
127.0.0.1 www.trendmicro.com
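The two host-based traits above (the Run/RunServices autorun value and the HOSTS file mappings that sinkhole security vendor update sites) are the easiest things for a responder to check on a suspect machine. The following is an added example of that check, written for this page and not Sophos' own tooling: the indicators are taken from the write-up, the HOSTS parser handles comments, tabs and several hostnames per line, and both the sample HOSTS text and the registry snapshot dictionary are constructed. The last-two-labels `registrable_domain` heuristic is an assumption that is good enough for the vendor domains listed here but is not a public-suffix lookup.

```python
"""Check a HOSTS file and a Run-key snapshot for the W32/Agobot-SR traits
described in the write-up (added example; indicators from the page,
sample inputs constructed)."""

# Autorun indicator from the write-up: value name and data under Run / RunServices.
AGOBOT_SR_RUN_VALUE = "Bcvsrv32"
AGOBOT_SR_RUN_DATA = "msbvd32.exe"
RUN_KEYS = (
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices",
)

# Registrable domains of the vendor hosts the worm maps to loopback (from the page).
# Matching on the registrable domain catches www./update./liveupdate. variants too.
SECURITY_VENDOR_DOMAINS = {
    "symantec.com", "symantecliveupdate.com", "sophos.com", "mcafee.com",
    "viruslist.com", "f-secure.com", "kaspersky.com", "avp.com",
    "networkassociates.com", "ca.com", "my-etrust.com", "nai.com",
    "trendmicro.com",
}

# Addresses that effectively sinkhole a name when used in HOSTS.
SINKHOLE_ADDRESSES = {"127.0.0.1", "0.0.0.0", "::1"}


def parse_hosts(text):
    """Return [(ip, hostname, line_no)] for every mapping in a HOSTS file.
    Handles '#' comments, tab separators and multiple hostnames per line."""
    entries = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()      # drop trailing comments
        if not line:
            continue
        parts = line.split()                     # whitespace of any kind
        ip, names = parts[0], parts[1:]
        for name in names:
            entries.append((ip, name.lower().rstrip("."), line_no))
    return entries


def registrable_domain(hostname):
    """Last-two-labels heuristic (assumption; not a public-suffix list)."""
    labels = hostname.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else hostname


def find_blocked_vendor_hosts(text):
    """Return [(line_no, hostname, ip)] for entries that sinkhole a security vendor."""
    hits = []
    for ip, name, line_no in parse_hosts(text):
        if ip in SINKHOLE_ADDRESSES and registrable_domain(name) in SECURITY_VENDOR_DOMAINS:
            hits.append((line_no, name, ip))
    return hits


def find_run_key_indicator(run_values):
    """run_values: {key_path: {value_name: data}} snapshot of the autorun keys.
    Return the key paths that carry the W32/Agobot-SR autorun entry."""
    found = []
    for key in RUN_KEYS:
        for name, data in run_values.get(key, {}).items():
            if (name.lower() == AGOBOT_SR_RUN_VALUE.lower()
                    or str(data).lower().endswith(AGOBOT_SR_RUN_DATA)):
                found.append(key)
                break
    return found


# Constructed sample inputs: a tampered HOSTS file and a registry snapshot.
SAMPLE_HOSTS = """# constructed HOSTS file for the example
127.0.0.1\tlocalhost
127.0.0.1 www.symantec.com
127.0.0.1 liveupdate.symantecliveupdate.com   # appended by the worm
127.0.0.1 update.symantec.com updates.symantec.com
192.168.1.10 intranet.example.local
"""

SAMPLE_RUN_VALUES = {
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run": {
        "Bcvsrv32": "msbvd32.exe",
        "OneDrive": r"C:\Users\x\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
    },
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices": {},
}

if __name__ == "__main__":
    for line_no, name, ip in find_blocked_vendor_hosts(SAMPLE_HOSTS):
        print(f"HOSTS line {line_no}: {name} -> {ip} (security vendor sinkholed)")
    for key in find_run_key_indicator(SAMPLE_RUN_VALUES):
        print(f"autorun indicator present under {key}")
```

On a live system the HOSTS text would come from `%SystemRoot%\System32\drivers\etc\hosts` and the snapshot from an export of the two Run keys; removing the mappings only restores update access once the autorun entry and the service process are gone as well, otherwise the worm re-appends them.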

W32/Agobot-SR attempts to exploit the following vulnerabilities:

RPC-DCOM (MS04-012) security exploit
LSASS (MS04-011) security exploit
WebDAV (MS03-007) security exploit
Workstation Service (MS03-049, CAN-2003-0812) security exploit