[virusinfo] W32/Agobot-AAG

• From: "Mike" <mikebike@xxxxxxxxx>
• To: virusinfo@xxxxxxxxxxxxx
• Date: Mon, 06 Jun 2005 07:52:57 -0700

From; Sophos Alert System:

Name: W32/Agobot-AAG
Aliases: WORM_GAOBOT.CT, Trojan.Win32.Pakes
Type: Win32 worm
Date: 6 June 2005

Sophos has issued protection for W32/Agobot-AAG.

At the time of writing, Sophos has received no reports from
users affected by this worm. However, we have issued this
advisory following enquiries to our support department from
customers.

Customers using EM Library, Enterprise Console, PureMessage or
any of our Sophos small business solutions will be automatically
protected at their next scheduled update.


Information about W32/Agobot-AAG can be found at:
http://www.sophos.com/virusinfo/analyses/w32agobotaag.html

W32/Agobot-AAG is an internet worm and IRC backdoor Trojan for the Windows 
platform. 
W32/Agobot-AAG spreads to other network computers by exploiting the buffer 
overflow vulnerabilites LSASS (MS04-011) and RPC-DCOM (MS04-012) and by copying 
itself to network shares protected by weak passwords. 
W32/Agobot-AAG runs continuously in the background, providing a backdoor server 
which allows a remote intruder to gain access and control over the computer via 
IRC channels. 
W32/Agobot-AAG includes functionality to: 
- steal confidential information
- carry out DDoS flooder attacks
- silently download, install and run new software
- disable anti-virus and security related applications 
When first run W32/Agobot-AAG moves itself to <System>\wmp9.exe and creates the 
following registry entries to ensure it is run at system logon: 
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Nero Updater.6.12
wmp9.exe 
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
Nero Updater.6.12
wmp9.exe 
W32/Agobot-AAG modifies the HOSTS file, changing the URL-to-IP mappings for 
selected websites, therefore preventing normal access to these sites. The new 
HOSTS file will typically contain the following: 
127.0.0.1 www.symantec.com
127.0.0.1 securityresponse.symantec.com
127.0.0.1 symantec.com
127.0.0.1 www.sophos.com
127.0.0.1 sophos.com
127.0.0.1 www.mcafee.com
127.0.0.1 mcafee.com
127.0.0.1 liveupdate.symantecliveupdate.com
127.0.0.1 www.viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 f-secure.com
127.0.0.1 www.f-secure.com
127.0.0.1 kaspersky.com
127.0.0.1 www.avp.com
127.0.0.1 www.kaspersky.com
127.0.0.1 avp.com
127.0.0.1 www.networkassociates.com
127.0.0.1 networkassociates.com
127.0.0.1 www.ca.com
127.0.0.1 ca.com
127.0.0.1 mast.mcafee.com
127.0.0.1 my-etrust.com
127.0.0.1 www.my-etrust.com
127.0.0.1 download.mcafee.com
127.0.0.1 dispatch.mcafee.com
127.0.0.1 secure.nai.com
127.0.0.1 nai.com
127.0.0.1 www.nai.com
127.0.0.1 update.symantec.com
127.0.0.1 updates.symantec.com
127.0.0.1 us.mcafee.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 customer.symantec.com
127.0.0.1 rads.mcafee.com
127.0.0.1 trendmicro.com
127.0.0.1 www.trendmicro.com 
The following patches for the operating system vulnerabilities exploited by 
W32/Agobot-AAG can be obtained from the Microsoft website: 
MS04-011
MS04-012 

The W32/Agobot-AAG virus identity file (IDE) includes detection for:


Troj/Banker-DA
http://www.sophos.com/virusinfo/analyses/trojbankerda.html
Troj/Dloader-OK
http://www.sophos.com/virusinfo/analyses/trojdloaderok.html
W32/Rbot-AES
http://www.sophos.com/virusinfo/analyses/w32rbotaes.html
W32/Sdbot-YY
http://www.sophos.com/virusinfo/analyses/w32sdbotyy.html
W32/Rbot-AER
http://www.sophos.com/virusinfo/analyses/w32rbotaer.html
Dial/Dialui-C
http://www.sophos.com/virusinfo/analyses/dialdialuic.html

Customers with 3.xx or lower versions of Sophos Anti-Virus, 
who are not running EM Library, can manually download the IDE
for W32/Agobot-AAG from:

http://www.sophos.com/downloads/ide/agob-aag.ide

Read about how to use IDE files at
http://www.sophos.com/support/knowledgebase/article/363.html

*********** MIKE"S REPLY SEPARATOR  ***********
Mike ~ It is a good day if I learned something new.
Editor MikesWhatsNews see a sample on my web page
http://www3.telus.net/mikebike
<mikeswhatsnews-request@xxxxxxxxxxxxx?Subject=subscribe>
http://www3.telus.net/mikebike/worm_removal.htm
See my Anti-Virus pages  http://virusinfo.hackfix.org/index
<virusinfo-request@xxxxxxxxxxxxx?Subject=subscribe>
A Technical Support Alliance  and OWTA Charter Member 

Other related posts:

• » [virusinfo] W32/Agobot-AAG

1. Home
2. virusinfo
3. Archive
4. 06-2005

---

• » Previous by Date
• » Next by Date
• » Related Posts
• » View list details
• » Manage your subscription

---