[virusinfo] Sophos Anti-Virus IDE alert: W32/Agobot-EV

• From: "Mike" <mikebike@xxxxxxxxx>
• To: virusinfo@xxxxxxxxxxxxx
• Date: Thu, 22 Apr 2004 09:11:06 -0700

From; Sophos Alert System:

Name: W32/Agobot-EV
Type: Win32 worm
Date: 22 April 2004

A virus identity (IDE) file which provides protection is
available now from the Sophos website, and will be incorporated
into the June 2004 (3.82) release of Sophos Anti-Virus.

Customers using Enterprise Manager, PureMessage and any 
of the Sophos small business solutions will be automatically
protected at their next scheduled update.


At the time of writing, Sophos has received just one report of
this worm from the wild.


Information about W32/Agobot-EV can be found at:
http://www.sophos.com/virusinfo/analyses/w32agobotev.html
Description 
W32/Agobot-EV is an IRC backdoor Trojan and peer-to-peer (P2P) worm which
opens TCP ports to listen for and process commands received from a remote
intruder. 
This worm will move itself into the Windows System32 folder under the
filename regsvc32.exe and create the following registry entries so that it
can
execute automatically on system restart: 

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Generic Service Process = regsvc32.exe 

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
Generic Service Process = regsvc32.exe 

W32/Agobot-EV will attempt to terminate anti-virus and software firewall
processes, in addition to other viruses, worms or Trojans. 

This worm will search for shared folders on the internet with weak passwords
and copy itself into them. 

W32/Agobot-EV can sniff HTTP, VULN, FTP and IRC network traffic and steal
data
from them. This worm can also exploit the DCOM vulnerability on unpatched
systems and manipulate registry keys. 

This worm will attempt to test the available bandwidth by posting data to
the following sites: 

yahoo.co.jp
www.nifty.com
www.d1asia.com
www.st.lib.keio.ac.jp
www.lib.nthu.edu.tw
www.above.net
www.level3.com
nitro.ucsc.edu
www.burst.net
www.cogentco.com
www.rit.edu
www.nocster.com
www.verio.com
www.stanford.edu
www.xo.net
de.yahoo.com
www.belwue.de
www.switch.ch
www.1und1.de
verio.fr
www.utwente.nl
www.schlund.net 

W32/Agobot-EV can also be used to initiate denial-of-service (DoS) and
synflood/httpflood/udpflood attacks against remote systems. 

This worm can redirect TCP and GRE data and steal the Windows Product ID
and keys from several computer games. 

W32/Agobot-EV maps several anti-virus and security-related websites to
localhost within the windows hosts file so that they appear unreachable
when a user tries to access them. 
 
 
Recovery 
Please follow the instructions for removing worms. 
 

This IDE file also includes detection for:

W32/Agobot-GO
http://www.sophos.com/virusinfo/analyses/w32agobotgo.html
Troj/Tofger-J
http://www.sophos.com/virusinfo/analyses/trojtofgerj.html
Troj/Ranck-O
http://www.sophos.com/virusinfo/analyses/trojrancko.html
W32/Agobot-MH
http://www.sophos.com/virusinfo/analyses/w32agobotmh.html
W32/Agobot-MI
http://www.sophos.com/virusinfo/analyses/w32agobotmi.html
W32/Agobot-GK
http://www.sophos.com/virusinfo/analyses/w32agobotgk.html
W32/Sdbot-BE
http://www.sophos.com/virusinfo/analyses/w32sdbotbe.html
Troj/Bizten-C
http://www.sophos.com/virusinfo/analyses/trojbiztenc.html
W32/Agobot-LC
http://www.sophos.com/virusinfo/analyses/w32agobotlc.html

Download the IDE file from:
http://www.sophos.com/downloads/ide/agobotev.ide

Download all the IDE files available for the current version of 
Sophos Anti-Virus in a single compressed file. The file is
available in two formats:

Zip file:
http://www.sophos.com/downloads/ide/ides.zip

Self-extracting file:
http://www.sophos.com/downloads/ide/ides.exe

Read about how to use IDE files at
http://www.sophos.com/downloads/ide/using.html
---------------------------------------------------------------------
Mike ~ It is a good day if I learned something new.
Editor MikesWhatsNews see a sample on my web page
http://www3.telus.net/mikebike
<mikeswhatsnews-request@xxxxxxxxxxxxx?Subject=subscribe>
http://www3.telus.net/mikebike/worm_removal.htm
See my Anti-Virus pages  http://virusinfo.hackfix.org/index
<virusinfo-request@xxxxxxxxxxxxx?Subject=subscribe>
A Technical Support Alliance  and OWTA Charter Member 

Other related posts:

• » [virusinfo] Sophos Anti-Virus IDE alert: W32/Agobot-EV

1. Home
2. virusinfo
3. Archive
4. 04-2004

---

• » Previous by Date
• » Next by Date
• » Related Posts
• » View list details
• » Manage your subscription

---