From; Sophos Alert System: Name: W32/Agobot-EV Type: Win32 worm Date: 22 April 2004 A virus identity (IDE) file which provides protection is available now from the Sophos website, and will be incorporated into the June 2004 (3.82) release of Sophos Anti-Virus. Customers using Enterprise Manager, PureMessage and any of the Sophos small business solutions will be automatically protected at their next scheduled update. At the time of writing, Sophos has received just one report of this worm from the wild. Information about W32/Agobot-EV can be found at: http://www.sophos.com/virusinfo/analyses/w32agobotev.html Description W32/Agobot-EV is an IRC backdoor Trojan and peer-to-peer (P2P) worm which opens TCP ports to listen for and process commands received from a remote intruder. This worm will move itself into the Windows System32 folder under the filename regsvc32.exe and create the following registry entries so that it can execute automatically on system restart: HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ Generic Service Process = regsvc32.exe HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\ Generic Service Process = regsvc32.exe W32/Agobot-EV will attempt to terminate anti-virus and software firewall processes, in addition to other viruses, worms or Trojans. This worm will search for shared folders on the internet with weak passwords and copy itself into them. W32/Agobot-EV can sniff HTTP, VULN, FTP and IRC network traffic and steal data from them. This worm can also exploit the DCOM vulnerability on unpatched systems and manipulate registry keys. This worm will attempt to test the available bandwidth by posting data to the following sites: yahoo.co.jp www.nifty.com www.d1asia.com www.st.lib.keio.ac.jp www.lib.nthu.edu.tw www.above.net www.level3.com nitro.ucsc.edu www.burst.net www.cogentco.com www.rit.edu www.nocster.com www.verio.com www.stanford.edu www.xo.net de.yahoo.com www.belwue.de www.switch.ch www.1und1.de verio.fr www.utwente.nl www.schlund.net W32/Agobot-EV can also be used to initiate denial-of-service (DoS) and synflood/httpflood/udpflood attacks against remote systems. This worm can redirect TCP and GRE data and steal the Windows Product ID and keys from several computer games. W32/Agobot-EV maps several anti-virus and security-related websites to localhost within the windows hosts file so that they appear unreachable when a user tries to access them. Recovery Please follow the instructions for removing worms. This IDE file also includes detection for: W32/Agobot-GO http://www.sophos.com/virusinfo/analyses/w32agobotgo.html Troj/Tofger-J http://www.sophos.com/virusinfo/analyses/trojtofgerj.html Troj/Ranck-O http://www.sophos.com/virusinfo/analyses/trojrancko.html W32/Agobot-MH http://www.sophos.com/virusinfo/analyses/w32agobotmh.html W32/Agobot-MI http://www.sophos.com/virusinfo/analyses/w32agobotmi.html W32/Agobot-GK http://www.sophos.com/virusinfo/analyses/w32agobotgk.html W32/Sdbot-BE http://www.sophos.com/virusinfo/analyses/w32sdbotbe.html Troj/Bizten-C http://www.sophos.com/virusinfo/analyses/trojbiztenc.html W32/Agobot-LC http://www.sophos.com/virusinfo/analyses/w32agobotlc.html Download the IDE file from: http://www.sophos.com/downloads/ide/agobotev.ide Download all the IDE files available for the current version of Sophos Anti-Virus in a single compressed file. The file is available in two formats: Zip file: http://www.sophos.com/downloads/ide/ides.zip Self-extracting file: http://www.sophos.com/downloads/ide/ides.exe Read about how to use IDE files at http://www.sophos.com/downloads/ide/using.html --------------------------------------------------------------------- Mike ~ It is a good day if I learned something new. Editor MikesWhatsNews see a sample on my web page http://www3.telus.net/mikebike <mikeswhatsnews-request@xxxxxxxxxxxxx?Subject=subscribe> http://www3.telus.net/mikebike/worm_removal.htm See my Anti-Virus pages http://virusinfo.hackfix.org/index <virusinfo-request@xxxxxxxxxxxxx?Subject=subscribe> A Technical Support Alliance and OWTA Charter Member