high
Summary
Summary
Action- More Information
| How it spreads |
|
|---|---|
| Affected operating systems | Windows |
| Included in our products from | May 2005 (3.93) |
| Protection available since | 24 March 2005 14:46:02 (GMT) |
| Detected by | All Sophos products |
Action
- Summary
- Action
- More Information
Please read the instructions for removing W32/Agobot-RB.
More Information
W32/Agobot-RB is a network worm with IRC backdoor functionality.
W32/Agobot-RB connects to a preconfigured IRC server, joins a channel and awaits further instructions. These instructions can cause the bot to perform any of the following actions:
start a UDP, TCP, ICMP, syn, http or ping flood
start a socks4, socks5, http or https proxy server
redirect TCP or GRE connections
start an FTP server
start a command shell server
show statistics about the infected system
reboot/shutdown the infected machine
kill anti-virus and security processes
list/terminate running processes
scan randomly- or sequentially-chosen IPs for infectable machines
make local drives network-shareable
close down vulnerable services in order to secure the machine
search for product keys
search local drives for AOL user details
sniff network traffic in order to find passwords
start a keylogger
download and install an updated version of itself
install bot plugins for additional functionality
The worm spreads to machines affected by known vulnerabilities, running network services protected by weak passwords or infected by common backdoor Trojans.
Vulnerabilities:
Universal PNP (MS01-059)
WebDav (MS03-007)
RPC DCOM (MS03-026, MS04-012)
WorKStation service (MS03-049)
LSASS (MS04-011)
DameWare (CAN-2003-1030)
Services:
NetBios
MS SQL
Backdoors:
W32/Bagle
W32/MyDoom
Troj/Optix
W32/Sasser
W32/Agobot-RB deletes files and folders containing the text "sound". W32/Agobot-RB is a network worm with IRC backdoor functionality.
W32/Agobot-RB connects to a preconfigured IRC server, joins a channel and awaits further instructions. These instructions can cause the bot to perform any of the following actions:
start a UDP, TCP, ICMP, syn, http or ping flood
start a socks4, socks5, http or https proxy server
redirect TCP or GRE connections
start an FTP server
start a command shell server
show statistics about the infected system
reboot/shutdown the infected machine
kill anti-virus and security processes
list/terminate running processes
scan randomly- or sequentially-chosen IPs for infectable machines
make local drives network-shareable
close down vulnerable services in order to secure the machine
search for product keys
search local drives for AOL user details
sniff network traffic in order to find passwords
start a keylogger
download and install an updated version of itself
install bot plugins for additional functionality
The worm spreads to machines affected by known vulnerabilities, running network services protected by weak passwords or infected by common backdoor Trojans.
Vulnerabilities:
Universal PNP (MS01-059)
WebDav (MS03-007)
RPC DCOM (MS03-026, MS04-012)
WorKStation service (MS03-049)
LSASS (MS04-011)
DameWare (CAN-2003-1030)
Services:
NetBios
MS SQL
Backdoors:
W32/Bagle
W32/MyDoom
Troj/Optix
W32/Sasser
W32/Agobot-RB deletes files and folders containing the text "sound".
W32/Agobot-RB copies itself to the Windows system folder and creates the following registry entries to run itself automatically on computer login:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Systems Backups =
windrives.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
Systems Backups =
windrives.exe
On NT-based versions of Windows (NT,2000,XP) windrives.exe is registered as a service process with a servicename "Restoreds" and a displayname "Systems Backups". The service has a start-type of automatic. Registry entries are created under:
HKLM\SYSTEM\CurrentControlSet\Services\Restoreds
The worm blocks access to security-related websites by adding the following entries to the Windows hosts file:
127.0.0.1 www.symantec.com
127.0.0.1 securityresponse.symantec.com
127.0.0.1 symantec.com
127.0.0.1 www.sophos.com
127.0.0.1 sophos.com
127.0.0.1 www.mcafee.com
127.0.0.1 mcafee.com
127.0.0.1 liveupdate.symantecliveupdate.com
127.0.0.1 www.viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 f-secure.com
127.0.0.1 www.f-secure.com
127.0.0.1 kaspersky.com
127.0.0.1 www.avp.com
127.0.0.1 www.kaspersky.com
127.0.0.1 avp.com
127.0.0.1 www.networkassociates.com
127.0.0.1 networkassociates.com
127.0.0.1 www.ca.com
127.0.0.1 ca.com
127.0.0.1 mast.mcafee.com
127.0.0.1 my-etrust.com
127.0.0.1 www.my-etrust.com
127.0.0.1 download.mcafee.com
127.0.0.1 dispatch.mcafee.com
127.0.0.1 secure.nai.com
127.0.0.1 nai.com
127.0.0.1 www.nai.com
127.0.0.1 update.symantec.com
127.0.0.1 updates.symantec.com
127.0.0.1 us.mcafee.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 customer.symantec.com
127.0.0.1 rads.mcafee.com
127.0.0.1 trendmicro.com
127.0.0.1 www.trendmicro.com
|
