high
Summary
Summary
Action- More Information
| Included in our products from | June 2004 (3.82) |
|---|---|
| Protection available since | 21 April 2004 13:27:27 (GMT) |
| Detected by | All Sophos products |
Action
- Summary
- Action
- More Information
Please follow the instructions for removing W32/Agobot-QF.
More Information
W32/Agobot-QF is an IRC backdoor Trojan and network worm which establishes
an IRC channel to a remote server in order to grant an intruder access to the compromised machine.
This worm will move itself into the Windows System32 folder under the filename EXPLORED.EXE and may create the following registry entries so that it can execute automatically on system restart:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Windows Login = explored.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
Windows Login = explored.exe
This worm will also attempt to glean email addresses from the Windows Address Book and send itself to these email addresses using its own SMTP engine with itself included as an executable attachment.
W32/Agobot-QF will attempt to terminate anti-virus and software firewall processes, in addition to other viruses, worms or Trojans.
For example:
'_AVPM.EXE'
'_AVPCC.EXE'
'_AVP32.EXE'
'ZONEALARM.EXE'
'ZONALM2601.EXE'
'ZATUTOR.EXE'
'ZAPSETUP3001.EXE'
'ZAPRO.EXE'
'XPF202EN.EXE'
'WYVERNWORKSFIREWALL.EXE'
'WUPDT.EXE'
'WUPDATER.EXE'
'WSBGATE.EXE'
'WRCTRL.EXE'
'WRADMIN.EXE'
'WNT.EXE'
'WNAD.EXE'
'WKUFIND.EXE'
'WINUPDATE.EXE'
'WINTSK32.EXE'
'WINSTART001.EXE'
'WINSTART.EXE'
'WINSSK32.EXE'
'WINSERVN.EXE'
'WINRECON.EXE'
'WINPPR32.EXE'
'WINNET.EXE'
'WINMAIN.EXE'
'WINLOGIN.EXE'
'WININITX.EXE'
'WININIT.EXE'
'WININETD.EXE'
'WINDOWS.EXE'
'WINDOW.EXE'
'WINACTIVE.EXE'
'WIN32US.EXE'
'WIN32.EXE'
'WIN-BUGSFIX.EXE'
'WIMMUN32.EXE'
'WHOSWATCHINGME.EXE'
'WGFE95.EXE'
'WFINDV32.EXE'
'WEBTRAP.EXE'
'WEBSCANX.EXE'
'WEBDAV.EXE'
'WATCHDOG.EXE'
'W9X.EXE'
'W32DSM89.EXE'
'VSWINPERSE.EXE'
'VSWINNTSE.EXE'
'VSWIN9XE.EXE'
'VSSTAT.EXE'
'VSMON.EXE'
'VSMAIN.EXE'
'VSISETUP.EXE'
'VSHWIN32.EXE'
'VSECOMR.EXE'
'VSCHED.EXE'
'VSCENU6.02D30.EXE'
'VSCAN40.EXE'
'VPTRAY.EXE'
'VPFW30S.EXE'
'VPC42.EXE'
'VPC32.EXE'
'VNPC3000.EXE'
'VNLAN300.EXE'
'VIRUSMDPERSONALFIREWALL.EXE'
'VIR-HELP.EXE'
'VFSETUP.EXE'
'VETTRAY.EXE'
'VET95.EXE'
'VET32.EXE'
'VCSETUP.EXE'
'VBWINNTW.EXE'
'VBWIN9X.EXE'
'VBUST.EXE'
'VBCONS.EXE'
'VBCMSERV.EXE'
'UTPOST.EXE'
'UPGRAD.EXE'
'UPDAT.EXE'
'UNDOBOOT.EXE'
'TVTMD.EXE'
'TVMD.EXE'
'TSADBOT.EXE'
'TROJANTRAP3.EXE'
'TRJSETUP.EXE'
'TRJSCAN.EXE'
'TRICKLER.EXE'
'TRACERT.EXE'
'TITANINXP.EXE'
'TITANIN.EXE'
'TGBOB.EXE'
'TFAK5.EXE'
'TFAK.EXE'
'TEEKIDS.EXE'
'TDS2-NT.EXE'
'TDS2-98.EXE'
'TDS-3.EXE'
'TCM.EXE'
'TCA.EXE'
'TC.EXE'
'TBSCAN.EXE'
'TAUMON.EXE'
'TASKMON.EXE'
'TASKMO.EXE'
'TASKMG.EXE'
'SYSUPD.EXE'
'SYSTEM32.EXE'
'SYSTEM.EXE'
'SYSEDIT.EXE'
'SYMTRAY.EXE'
'SYMPROXYSVC.EXE'
'SWEEPNET.SWEEPSRV.SYS.SWNETSUP.EXE'
'SWEEP95.EXE'
'SVSHOST.EXE'
'SVCHOSTS.EXE'
'SVCHOSTC.EXE'
'SVC.EXE'
'SUPPORTER5.EXE'
'SUPPORT.EXE'
'SUPFTRL.EXE'
'STCLOADER.EXE'
'START.EXE'
'ST2.EXE'
'SSGRATE.EXE'
'SS3EDIT.EXE'
'SRNG.EXE'
'SREXE.EXE'
'SPYXX.EXE'
'SPOOLSV32.EXE'
'SPOOLCV.EXE'
'SPOLER.EXE'
'SPHINX.EXE'
'SPF.EXE'
'SPERM.EXE'
'SOFI.EXE'
'SOAP.EXE'
'SMSS32.EXE'
'SMS.EXE'
'SMC.EXE'
'SHOWBEHIND.EXE'
'SHN.EXE'
'UPDATE.EXE'
'SHELLSPYINSTALL.EXE'
'SH.EXE'
'SGSSFW32.EXE'
'SFC.EXE'
'SETUP_FLOWPROTECTOR_US.EXE'
'SETUPVAMEEVAL.EXE'
'SERVLCES.EXE'
'SERVLCE.EXE'
'SERVICE.EXE'
'SERV95.EXE'
'SD.EXE'
'SCVHOST.EXE'
'SCRSVR.EXE'
'SCRSCAN.EXE'
'SCANPM.EXE'
'SCAN95.EXE'
'SCAN32.EXE'
'SCAM32.EXE'
'SC.EXE'
'SBSERV.EXE'
'SAVENOW.EXE'
'SAVE.EXE'
'SAHAGENT.EXE'
'SAFEWEB.EXE'
'RUXDLL32.EXE'
'RUNDLL16.EXE'
'RUNDLL.EXE'
'RUN32DLL.EXE'
'RULAUNCH.EXE'
'RTVSCN95.EXE'
'RTVSCAN.EXE'
'RSHELL.EXE'
'RRGUARD.EXE'
'RESCUE32.EXE'
'RESCUE.EXE'
'REGEDT32.EXE'
'REGEDIT.EXE'
'REGED.EXE'
'REALMON.EXE'
'RCSYNC.EXE'
'RB32.EXE'
'RAY.EXE'
'RAV8WIN32ENG.EXE'
'RAV7WIN.EXE'
'RAV7.EXE'
'RAPAPP.EXE'
'QSERVER.EXE'
'QCONSOLE.EXE'
'PVIEW95.EXE'
'PUSSY.EXE'
'PURGE.EXE'
'PSPF.EXE'
'PROTECTX.EXE'
'PROPORT.EXE'
'PROGRAMAUDITOR.EXE'
'PROCEXPLORERV1.0.EXE'
'PROCESSMONITOR.EXE'
'PROCDUMP.EXE'
'PRMVR.EXE'
'PRMT.EXE'
'PRIZESURFER.EXE'
'PPVSTOP.EXE'
'PPTBC.EXE'
'PPINUPDT.EXE'
'POWERSCAN.EXE'
'PORTMONITOR.EXE'
'PORTDETECTIVE.EXE'
'POPSCAN.EXE'
'POPROXY.EXE'
'POP3TRAP.EXE'
'PLATIN.EXE'
'PINGSCAN.EXE'
'PGMONITR.EXE'
'PFWADMIN.EXE'
'PF2.EXE'
'PERSWF.EXE'
'PERSFW.EXE'
'PERISCOPE.EXE'
'PENIS.EXE'
'PDSETUP.EXE'
'PCSCAN.EXE'
'PCFWALLICON.EXE'
'PCDSETUP.EXE'
'PCCWIN98.EXE'
'PCCWIN97.EXE'
'PCCNTMON.EXE'
'PCCIOMON.EXE'
'PAVW.EXE'
'PAVSCHED.EXE'
'PAVPROXY.EXE'
'PAVCL.EXE'
'PATCH.EXE'
'PANIXK.EXE'
'PADMIN.EXE'
'OUTPOSTPROINSTALL.EXE'
'OUTPOSTINSTALL.EXE'
'OTFIX.EXE'
'OSTRONET.EXE'
'OPTIMIZE.EXE'
'ONSRVR.EXE'
'OLLYDBG.EXE'
'NWTOOL16.EXE'
'NWSERVICE.EXE'
'NWINST4.EXE'
'NVSVC32.EXE'
'NVC95.EXE'
'NVARCH16.EXE'
'NUI.EXE'
'NTXconfig.EXE'
'NTVDM.EXE'
'NTRTSCAN.EXE'
'NT.EXE'
'NSUPDATE.EXE'
'NSTASK32.EXE'
'NSSYS32.EXE'
'NSCHED32.EXE'
'NPSSVC.EXE'
'NPSCHECK.EXE'
'NPROTECT.EXE'
'NPFMESSENGER.EXE'
'NPF40_TW_98_NT_ME_2K.EXE'
'NOTSTART.EXE'
'NORTON_INTERNET_SECU_3.0_407.EXE'
'NORMIST.EXE'
'NOD32.EXE'
'NMAIN.EXE'
'NISUM.EXE'
'NISSERV.EXE'
'NETUTILS.EXE'
'NETSTAT.EXE'
'NETSPYHUNTER-1.2.EXE'
'NETSCANPRO.EXE'
'NETMON.EXE'
'NETINFO.EXE'
'NETD32.EXE'
'NETARMOR.EXE'
'NEOWATCHLOG.EXE'
'NEOMONITOR.EXE'
'NDD32.EXE'
'NCINST4.EXE'
'NAVWNT.EXE'
'NAVW32.EXE'
'NAVSTUB.EXE'
'NAVNT.EXE'
'NAVLU32.EXE'
'NAVENGNAVEX15.NAVLU32.EXE'
'NAVDX.EXE'
'NAVAPW32.EXE'
'NAVAPSVC.EXE'
'NAVAP.NAVAPSVC.EXE'
'AUTO-PROTECT.NAV80TRY.EXE'
'NAV.EXE'
'OUTPOST.EXE'
'NUPGRADE.EXE'
'N32SCANW.EXE'
'MWATCH.EXE'
'MU0311AD.EXE'
'MSVXD.EXE'
'MSSYS.EXE'
'MSSMMC32.EXE'
'MSMSGRI32.EXE'
'MSMGT.EXE'
'MSLAUGH.EXE'
'MSINFO32.EXE'
'MSIEXEC16.EXE'
'MSDOS.EXE'
'MSDM.EXE'
'MSCONFIG.EXE'
'MSCMAN.EXE'
'MSCCN32.EXE'
'MSCACHE.EXE'
'MSBLAST.EXE'
'MSBB.EXE'
'MSAPP.EXE'
'MRFLUX.EXE'
'MPFTRAY.EXE'
'MPFSERVICE.EXE'
'MPFAGENT.EXE'
'MOSTAT.EXE'
'MOOLIVE.EXE'
'MONITOR.EXE'
'MMOD.EXE'
'MINILOG.EXE'
'MGUI.EXE'
'MGHTML.EXE'
'MGAVRTE.EXE'
'MGAVRTCL.EXE'
'MFWENG3.02D30.EXE'
'MFW2EN.EXE'
'MFIN32.EXE'
'MD.EXE'
'MCVSSHLD.EXE'
'MCVSRTE.EXE'
'MCTOOL.EXE'
'MCSHIELD.EXE'
'MCMNHDLR.EXE'
'MCAGENT.EXE'
'MAPISVC32.EXE'
'LUSPT.EXE'
'LUINIT.EXE'
'LUCOMSERVER.EXE'
'LUAU.EXE'
'LSETUP.EXE'
'LORDPE.EXE'
'LOOKOUT.EXE'
'LOCKDOWN2000.EXE'
'LOCKDOWN.EXE'
'LOCALNET.EXE'
'LOADER.EXE'
'LNETINFO.EXE'
'LDSCAN.EXE'
'LDPROMENU.EXE'
'LDPRO.EXE'
'LDNETMON.EXE'
'LAUNCHER.EXE'
'KILLPROCESSSETUP161.EXE'
'KERNEL32.EXE'
'KERIO-WRP-421-EN-WIN.EXE'
'KERIO-WRL-421-EN-WIN.EXE'
'KERIO-PF-213-EN-WIN.EXE'
'KEENVALUE.EXE'
'KAZZA.EXE'
'KAVPF.EXE'
'KAVPERS40ENG.EXE'
'KAVLITE40ENG.EXE'
'JEDI.EXE'
'JDBGMRG.EXE'
'JAMMER.EXE'
'ISTSVC.EXE'
'MCUPDATE.EXE'
'LUALL.EXE'
'ISRV95.EXE'
'ISASS.EXE'
'IRIS.EXE'
'IPARMOR.EXE'
'IOMON98.EXE'
'INTREN.EXE'
'INTDEL.EXE'
'INIT.EXE'
'INFWIN.EXE'
'INFUS.EXE'
'INETLNFO.EXE'
'IFW2000.EXE'
'IFACE.EXE'
'IEXPLORER.EXE'
'IEDRIVER.EXE'
'IEDLL.EXE'
'IDLE.EXE'
'ICSUPPNT.EXE'
'ICMON.EXE'
'ICLOADNT.EXE'
'ICLOAD95.EXE'
'IBMAVSP.EXE'
'IBMASN.EXE'
'IAMSTATS.EXE'
'IAMSERV.EXE'
'IAMAPP.EXE'
'HXIUL.EXE'
'HXDL.EXE'
'HWPE.EXE'
'HTPATCH.EXE'
'HTLOG.EXE'
'HOTPATCH.EXE'
'HOTACTIO.EXE'
'HBSRV.EXE'
'HBINST.EXE'
'HACKTRACERSETUP.EXE'
'GUARDDOG.EXE'
'GUARD.EXE'
'GMT.EXE'
'GENERICS.EXE'
'GBPOLL.EXE'
'GBMENU.EXE'
'GATOR.EXE'
'FSMB32.EXE'
'FSMA32.EXE'
'FSM32.EXE'
'FSGK32.EXE'
'FSAV95.EXE'
'FSAV530WTBYB.EXE'
'FSAV530STBYB.EXE'
'FSAV32.EXE'
'FSAV.EXE'
'FSAA.EXE'
'FRW.EXE'
'FPROT.EXE'
'FP-WIN_TRIAL.EXE'
'FP-WIN.EXE'
'FNRB32.EXE'
'FLOWPROTECTOR.EXE'
'FIREWALL.EXE'
'FINDVIRU.EXE'
'FIH32.EXE'
'FCH32.EXE'
'FAST.EXE'
'FAMEH32.EXE'
'F-STOPW.EXE'
'F-PROT95.EXE'
'F-PROT.EXE'
'F-AGNT95.EXE'
'EXPLORE.EXE'
'EXPERT.EXE'
'EXE.AVXW.EXE'
'EXANTIVIRUS-CNET.EXE'
'EVPN.EXE'
'ETRUSTCIPE.EXE'
'ETHEREAL.EXE'
'ESPWATCH.EXE'
'ESCANV95.EXE'
'ICSUPP95.EXE'
'ESCANHNT.EXE'
'ESCANH95.EXE'
'ESAFE.EXE'
'ENT.EXE'
'EMSW.EXE'
'EFPEADM.EXE'
'ECENGINE.EXE'
'DVP95_0.EXE'
'DVP95.EXE'
'DSSAGENT.EXE'
'DRWEBUPW.EXE'
'DRWEB32.EXE'
'DRWATSON.EXE'
'DPPS2.EXE'
'DPFSETUP.EXE'
'DPF.EXE'
'DOORS.EXE'
'DLLREG.EXE'
'DLLCACHE.EXE'
'DIVX.EXE'
'DEPUTY.EXE'
'DEFWATCH.EXE'
'DEFSCANGUI.EXE'
'DEFALERT.EXE'
'DCOMX.EXE'
'DATEMANAGER.EXE'
'Claw95.EXE'
'CWNTDWMO.EXE'
'CWNB181.EXE'
'CV.EXE'
'CTRL.EXE'
'CPFNT206.EXE'
'CPF9X206.EXE'
'CPD.EXE'
'CONNECTIONMONITOR.EXE'
'CMON016.EXE'
'CMGRDIAN.EXE'
'CMESYS.EXE'
'CMD32.EXE'
'CLICK.EXE'
'CLEANPC.EXE'
'CLEANER3.EXE'
'CLEANER.EXE'
'CLEAN.EXE'
'CFINET32.EXE'
'CFINET.EXE'
'CFIADMIN.EXE'
'CFGWIZ.EXE'
'CFD.EXE'
'CDP.EXE'
'CCPXYSVC.EXE'
'CCEVTMGR.EXE'
'CCAPP.EXE'
'BVT.EXE'
'BUNDLE.EXE'
'BS120.EXE'
'BRASIL.EXE'
'BPC.EXE'
'BORG2.EXE'
'BOOTWARN.EXE'
'BOOTCONF.EXE'
'BLSS.EXE'
'BLACKICE.EXE'
'BLACKD.EXE'
'BISP.EXE'
'BIPCPEVALSETUP.EXE'
'BIPCP.EXE'
'BIDSERVER.EXE'
'BIDEF.EXE'
'BELT.EXE'
'BEAGLE.EXE'
'BD_PROFESSIONAL.EXE'
'BARGAINS.EXE'
'BACKWEB.EXE'
'CLAW95CF.EXE'
'CFIAUDIT.EXE'
'AVXMONITORNT.EXE'
'AVXMONITOR9X.EXE'
'AVWUPSRV.EXE'
'AVWUPD.EXE'
'AVWINNT.EXE'
'AVWIN95.EXE'
'AVSYNMGR.EXE'
'AVSCHED32.EXE'
'AVPTC32.EXE'
'AVPM.EXE'
'AVPDOS32.EXE'
'AVPCC.EXE'
'AVP32.EXE'
'AVP.EXE'
'AVNT.EXE'
'AVLTMAIN.EXE'
'AVKWCTl9.EXE'
'AVKSERVICE.EXE'
'AVKSERV.EXE'
'AVKPOP.EXE'
'AVGW.EXE'
'AVGUARD.EXE'
'AVGSERV9.EXE'
'AVGSERV.EXE'
'AVGNT.EXE'
'AVGCTRL.EXE'
'AVGCC32.EXE'
'AVE32.EXE'
'AVCONSOL.EXE'
'AU.EXE'
'ATWATCH.EXE'
'ATRO55EN.EXE'
'ATGUARD.EXE'
'ATCON.EXE'
'ARR.EXE'
'APVXDWIN.EXE'
'APLICA32.EXE'
'APIMONITOR.EXE'
'ANTS.EXE'
'ANTIVIRUS.EXE'
'ANTI-TROJAN.EXE'
'AMON9X.EXE'
'ALOGSERV.EXE'
'ALEVIR.EXE'
'ALERTSVC.EXE'
'AGENTW.EXE'
'AGENTSVR.EXE'
'ADVXDWIN.EXE'
'ADAWARE.EXE'
'AVXQUAR.EXE'
'ACKWIN32.EXE'
'AVWUPD32.EXE'
'AVPUPD.EXE'
'AUTOUPDATE.EXE'
'AUTOTRACE.EXE'
'AUTODOWN.EXE'
'AUPDATE.EXE'
'ATUPDATER.EXE'
This worm will search for shared folders on the internet with weak passwords and copy itself into them. A text file named HOSTS may also be dropped into
C:\<Windows System32>\drivers\etc which may contain a list of anti-virus
and other security related websites each bound to the IP loopback address of 127.0.0.1 which would effectively prevent access to these sites.
For example:
127.0.0.1 www.symantec.com
127.0.0.1 securityresponse.symantec.com
127.0.0.1 symantec.com
127.0.0.1 www.sophos.com
127.0.0.1 sophos.com
127.0.0.1 www.mcafee.com
127.0.0.1 mcafee.com
127.0.0.1 liveupdate.symantecliveupdate.com
127.0.0.1 www.viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 f-secure.com
127.0.0.1 www.f-secure.com
127.0.0.1 kaspersky.com
127.0.0.1 www.avp.com
127.0.0.1 www.kaspersky.com
127.0.0.1 avp.com
127.0.0.1 www.networkassociates.com
127.0.0.1 networkassociates.com
127.0.0.1 www.ca.com
127.0.0.1 ca.com
127.0.0.1 mast.mcafee.com
127.0.0.1 my-etrust.com
127.0.0.1 www.my-etrust.com
127.0.0.1 download.mcafee.com
127.0.0.1 dispatch.mcafee.com
127.0.0.1 secure.nai.com
127.0.0.1 nai.com
127.0.0.1 www.nai.com
127.0.0.1 update.symantec.com
127.0.0.1 updates.symantec.com
127.0.0.1 us.mcafee.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 customer.symantec.com
127.0.0.1 rads.mcafee.com
127.0.0.1 trendmicro.com
127.0.0.1 www.trendmicro.com
W32/Agobot-QF can sniff HTTP, ICMP, FTP, VULN and IRC network traffic and steal data from them.
The following vulnerabilities can also be exploited to aid propagation on unpatched systems and manipulate registry keys:
Remote Procedure Call (RPC) vulnerability
Distributed Component Object Model (DCOM) vulnerability
RPC Locator vulnerability
IIS5/WEBDAV Buffer Overflow vulnerability
For more information about these Windows vulnerabilities, please refer to the following Microsoft Web pages:
Microsoft Security Bulletin MS03-001
Microsoft Security Bulletin MS03-007
Microsoft Security Bulletin MS03-026
(Microsoft Security Bulletin MS03-026 has been superseded by Microsoft Security Bulletin MS03-039).
W32/Agobot-QF can also polymorph on installation in order to evade detection and share/delete the admin$, ipc$ etc drives.
It can also test the available bandwidth by attempting to GET or POST data to the following websites:
'yahoo.co.jp'
'www.nifty.com'
'www.d1asia.com'
'www.st.lib.keio.ac.jp'
'www.lib.nthu.edu.tw'
'www.above.net'
'www.level3.com'
'nitro.ucsc.edu'
'www.burst.net'
'www.cogentco.com'
'www.rit.edu'
'www.nocster.com'
'www.verio.com'
'www.stanford.edu'
'www.xo.net'
'de.yahoo.com'
'www.belwue.de'
'www.switch.ch'
'www.1und1.de'
'verio.fr'
'www.utwente.nl'
'www.schlund.net'
W32/Agobot-QF can also be used to initiate denial-of-service (DoS) and
distributed denial-of-service (DDoS) synflood/httpflood/fraggle/smurf etc attacks against remote systems.
This worm can steal the Windows Product ID and keys from several computer applications or games including:
AOL Instant Messenger
Battlefield 1942
Battlefield 1942: Secret Weapons Of WWII
Battlefield 1942: The Road To Rome
Battlefield 1942: Vietnam
Black and White
Call of Duty
Command and Conquer: Generals
Command and Conquer: Generals: Zero Hour
Command and Conquer: Red Alert2
Command and Conquer: Tiberian Sun
Counter-Strike
FIFA 2002
FIFA 2003
Freedom Force
Global Operations
Gunman Chronicles
Half-Life
Hidden and Dangerous 2
Industry Giant 2
IGI2: Covert Strike
James Bond 007: Nightfire
Medal of Honor: Allied Assault
Medal of Honor: Allied Assault: Breakthrough
Medal of Honor: Allied Assault: Spearhead
Nascar Racing 2002
Nascar Racing 2003
NHL 2002
NHL 2003
Need For Speed: Hot Pursuit 2
Need For Speed: Underground
Neverwinter Nights
Ravenshield
Shogun Total War - Warlord Edition
Soldiers Of Anarchy
Soldier of Fortune II - Double Helix
The Gladiators
Unreal Tournament 2003
Unreal Tournament 2004
Windows Messenger
W32/Agobot-QF will delete all files named 'sound*.*' and the resident process will be very difficult to terminate.
|
