From: Sophos Alert System

Name: W32/Agobot-IY
Type: Win32 worm
Date: 21 May 2004

A virus identity (IDE) file which provides protection is available now from the Sophos website, and will be incorporated into the July 2004 (3.83) release of Sophos Anti-Virus. Customers using Enterprise Manager, PureMessage and any of the Sophos small business solutions will be automatically protected at their next scheduled update.

At the time of writing, Sophos has received just one report of this worm from the wild.

Information about W32/Agobot-IY can be found at:
http://www.sophos.com/virusinfo/analyses/w32agobotiy.html

Description

W32/Agobot-IY is an IRC backdoor Trojan and network worm which establishes an IRC channel to a remote server in order to grant an intruder access to the compromised machine.

This worm will move itself into the Windows System32 folder under the filename DVRCONF.EXE and may create the following registry entries so that it can execute automatically on system restart:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
DriverConf = dvrconf.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
DriverConf = dvrconf.exe

W32/Agobot-IY may also attempt to collect email addresses from the Windows Address Book and send itself to these addresses using its own SMTP engine, with a copy of itself included as an executable attachment.

W32/Agobot-IY may attempt to terminate anti-virus and other security-related processes, as well as processes belonging to other viruses, worms or Trojans.
For example: _AVPM _AVPCC _AVP32 ZONEALARM ZONALM2601 ZATUTOR ZAPSETUP3001 ZAPRO XPF202EN WYVERNWORKSFIREWALL WUPDT WUPDATER WSBGATE WRCTRL WRADMIN WNT WNAD WKUFIND WINUPDATE WINTSK32 WINSTART001 WINSTART WINSSK32 WINSERVN WINRECON WINPPR32 WINNET WINMAIN WINLOGIN WININITX WININIT WININETD WINDOWS WINDOW WINACTIVE WIN32US WIN32 WIN-BUGSFIX WIMMUN32 WHOSWATCHINGME WGFE95 WFINDV32 WEBTRAP WEBSCANX WEBDAV WATCHDOG W9X W32DSM89 VSWINPERSE VSWINNTSE VSWIN9XE VSSTAT VSMON VSMAIN VSISETUP VSHWIN32 VSECOMR VSCHED VSCENU6.02D30 VSCAN40 VPTRAY VPFW30S VPC42 VPC32 VNPC3000 VNLAN300 VIRUSMDPERSONALFIREWALL VIR-HELP VFSETUP VETTRAY VET95 VET32 VCSETUP VBWINNTW VBWIN9X VBUST VBCONS VBCMSERV UTPOST UPGRAD UPDAT UNDOBOOT TVTMD TVMD TSADBOT TROJANTRAP3 TRJSETUP TRJSCAN TRICKLER TRACERT TITANINXP TITANIN TGBOB TFAK5 TFAK TEEKIDS TDS2-NT TDS2-98 TDS-3 TCM TCA TC TBSCAN TAUMON TASKMON TASKMO TASKMG SYSUPD SYSTEM32 SYSTEM SYSEDIT SYMTRAY SYMPROXYSVC SWEEPNET.SWEEPSRV.SYS.SWNETSUP SWEEP95 SVSHOST SVCHOSTS SVCHOSTC SVC SUPPORTER5 SUPPORT SUPFTRL STCLOADER START ST2 SSGRATE SS3EDIT SRNG SREXE SPYXX SPOOLSV32 SPOOLCV SPOLER SPHINX SPF SPERM SOFI SOAP SMSS32 SMS SMC SHOWBEHIND SHN UPDATE SHELLSPYINSTALL SH SGSSFW32 SFC SETUP_FLOWPROTECTOR_US SETUPVAMEEVAL SERVLCES SERVLCE SERVICE SERV95 SD SCVHOST SCRSVR SCRSCAN SCANPM SCAN95 SCAN32 SCAM32 SC SBSERV SAVENOW SAVE SAHAGENT SAFEWEB RUXDLL32 RUNDLL16 RUNDLL RUN32DLL RULAUNCH RTVSCN95 RTVSCAN RSHELL RRGUARD RESCUE32 RESCUE REGEDT32 REGEDIT REGED REALMON RCSYNC RB32 RAY RAV8WIN32ENG RAV7WIN RAV7 RAPAPP QSERVER QCONSOLE PVIEW95 PUSSY PURGE PSPF PROTECTX PROPORT PROGRAMAUDITOR PROCEXPLORERV1.0 PROCESSMONITOR PROCDUMP PRMVR PRMT PRIZESURFER PPVSTOP PPTBC PPINUPDT POWERSCAN PORTMONITOR PORTDETECTIVE POPSCAN POPROXY POP3TRAP PLATIN PINGSCAN PGMONITR PFWADMIN PF2 PERSWF PERSFW PERISCOPE PENIS PDSETUP PCSCAN PCFWALLICON PCDSETUP PCCWIN98 PCCWIN97 PCCNTMON PCCIOMON PAVW PAVSCHED PAVPROXY PAVCL PATCH PANIXK PADMIN OUTPOSTPROINSTALL OUTPOSTINSTALL OTFIX 
OSTRONET OPTIMIZE ONSRVR OLLYDBG NWTOOL16 NWSERVICE NWINST4 NVSVC32 NVC95 NVARCH16 NUI NTXconfig NTVDM NTRTSCAN NT NSUPDATE NSTASK32 NSSYS32 NSCHED32 NPSSVC NPSCHECK NPROTECT NPFMESSENGER NPF40_TW_98_NT_ME_2K NOTSTART NORTON_INTERNET_SECU_3.0_407 NORMIST NOD32 NMAIN NISUM NISSERV NETUTILS NETSTAT NETSPYHUNTER-1.2 NETSCANPRO NETMON NETINFO NETD32 NETARMOR NEOWATCHLOG NEOMONITOR NDD32 NCINST4 NAVWNT NAVW32 NAVSTUB NAVNT NAVLU32 NAVENGNAVEX15.NAVLU32 NAVDX NAVAPW32 NAVAPSVC NAVAP.NAVAPSVC AUTO-PROTECT.NAV80TRY NAV OUTPOST NUPGRADE N32SCANW MWATCH MU0311AD MSVXD MSSYS MSSMMC32 MSMSGRI32 MSMGT MSLAUGH MSINFO32 MSIEXEC16 MSDOS MSDM MSCONFIG MSCMAN MSCCN32 MSCACHE MSBLAST MSBB MSAPP MRFLUX MPFTRAY MPFSERVICE MPFAGENT MOSTAT MOOLIVE MONITOR MMOD MINILOG MGUI MGHTML MGAVRTE MGAVRTCL MFWENG3.02D30 MFW2EN MFIN32 MD MCVSSHLD MCVSRTE MCTOOL MCSHIELD MCMNHDLR MCAGENT MAPISVC32 LUSPT LUINIT LUCOMSERVER LUAU LSETUP LORDPE LOOKOUT LOCKDOWN2000 LOCKDOWN LOCALNET LOADER LNETINFO LDSCAN LDPROMENU LDPRO LDNETMON LAUNCHER KILLPROCESSSETUP161 KERNEL32 KERIO-WRP-421-EN-WIN KERIO-WRL-421-EN-WIN KERIO-PF-213-EN-WIN KEENVALUE KAZZA KAVPF KAVPERS40ENG KAVLITE40ENG JEDI JDBGMRG JAMMER ISTSVC MCUPDATE LUALL ISRV95 ISASS IRIS IPARMOR IOMON98 INTREN INTDEL INIT INFWIN INFUS INETLNFO IFW2000 IFACE IEXPLORER IEDRIVER IEDLL IDLE ICSUPPNT ICMON ICLOADNT ICLOAD95 IBMAVSP IBMASN IAMSTATS IAMSERV IAMAPP HXIUL HXDL HWPE HTPATCH HTLOG HOTPATCH HOTACTIO HBSRV HBINST HACKTRACERSETUP GUARDDOG GUARD GMT GENERICS GBPOLL GBMENU GATOR FSMB32 FSMA32 FSM32 FSGK32 FSAV95 FSAV530WTBYB FSAV530STBYB FSAV32 FSAV FSAA FRW FPROT FP-WIN_TRIAL FP-WIN FNRB32 FLOWPROTECTOR FIREWALL FINDVIRU FIH32 FCH32 FAST FAMEH32 F-STOPW F-PROT95 F-PROT F-AGNT95 EXPLORE EXPERT EXE.AVXW EXANTIVIRUS-CNET EVPN ETRUSTCIPE ETHEREAL ESPWATCH ESCANV95 ICSUPP95 ESCANHNT ESCANH95 ESAFE ENT EMSW EFPEADM ECENGINE DVP95_0 DVP95 DSSAGENT DRWEBUPW DRWEB32 DRWATSON DPPS2 DPFSETUP DPF DOORS DLLREG DLLCACHE DIVX DEPUTY DEFWATCH DEFSCANGUI DEFALERT DCOMX 
DATEMANAGER Claw95 CWNTDWMO CWNB181 CV CTRL CPFNT206 CPF9X206 CPD CONNECTIONMONITOR CMON016 CMGRDIAN CMESYS CMD32 CLICK CLEANPC CLEANER3 CLEANER CLEAN CFINET32 CFINET CFIADMIN CFGWIZ CFD CDP CCPXYSVC CCEVTMGR CCAPP BVT BUNDLE BS120 BRASIL BPC BORG2 BOOTWARN BOOTCONF BLSS BLACKICE BLACKD BISP BIPCPEVALSETUP BIPCP BIDSERVER BIDEF BELT BEAGLE BD_PROFESSIONAL BARGAINS BACKWEB CLAW95CF CFIAUDIT AVXMONITORNT AVXMONITOR9X AVWUPSRV AVWUPD AVWINNT AVWIN95 AVSYNMGR AVSCHED32 AVPTC32 AVPM AVPDOS32 AVPCC AVP32 AVP AVNT AVLTMAIN AVKWCTl9 AVKSERVICE AVKSERV AVKPOP AVGW AVGUARD AVGSERV9 AVGSERV AVGNT AVGCTRL AVGCC32 AVE32 AVCONSOL AU ATWATCH ATRO55EN ATGUARD ATCON ARR APVXDWIN APLICA32 APIMONITOR ANTS ANTIVIRUS ANTI-TROJAN AMON9X ALOGSERV ALEVIR ALERTSVC AGENTW AGENTSVR ADVXDWIN ADAWARE AVXQUAR ACKWIN32 AVWUPD32 AVPUPD AUTOUPDATE AUTOTRACE AUTODOWN AUPDATE ATUPDATER

W32/Agobot-IY may also be used to terminate the following services on remote computers:

  Themes
  srservice
  wuauserv
  WZCSVC
  winmgmt
  WebClient
  W32Time
  upnphost
  uploadmgr
  TrkWks
  TermService
  TapiSrv
  stisvc
  SSDPSRV
  Spooler
  ShellHWDetection
  SENS
  seclogon
  Schedule
  SamSs
  RpcSs
  RasMan
  ProtectedStorage
  PolicyAgent
  PlugPlay
  Nla
  Netman
  Messenger
  MDM
  LmHosts
  lanmanworkstation
  lanmanserver
  helpsvc
  FastUserSwitchingCompatibility
  EventSystem
  Eventlog
  ERSvc
  Dnscache
  dmserver
  Dhcp
  CryptSvc
  Browser
  AudioSrv
  Ati HotKey Poller

W32/Agobot-IY may search for shared folders on the internet with weak passwords and copy itself into them.

A text file named HOSTS in C:\<Windows System32>\drivers\etc\ may be created or overwritten with a list of anti-virus and other security-related websites, each bound to the IP loopback address 127.0.0.1, which effectively prevents access to these sites.
For example:

  127.0.0.1 www.symantec.com
  127.0.0.1 securityresponse.symantec.com
  127.0.0.1 symantec.com
  127.0.0.1 www.sophos.com
  127.0.0.1 sophos.com
  127.0.0.1 www.mcafee.com
  127.0.0.1 mcafee.com
  127.0.0.1 liveupdate.symantecliveupdate.com
  127.0.0.1 www.viruslist.com
  127.0.0.1 viruslist.com
  127.0.0.1 viruslist.com
  127.0.0.1 f-secure.com
  127.0.0.1 www.f-secure.com
  127.0.0.1 kaspersky.com
  127.0.0.1 www.avp.com
  127.0.0.1 www.kaspersky.com
  127.0.0.1 avp.com
  127.0.0.1 www.networkassociates.com
  127.0.0.1 networkassociates.com
  127.0.0.1 www.ca.com
  127.0.0.1 ca.com
  127.0.0.1 mast.mcafee.com
  127.0.0.1 my-etrust.com
  127.0.0.1 www.my-etrust.com
  127.0.0.1 download.mcafee.com
  127.0.0.1 dispatch.mcafee.com
  127.0.0.1 secure.nai.com
  127.0.0.1 nai.com
  127.0.0.1 www.nai.com
  127.0.0.1 update.symantec.com
  127.0.0.1 updates.symantec.com
  127.0.0.1 us.mcafee.com
  127.0.0.1 liveupdate.symantec.com
  127.0.0.1 customer.symantec.com
  127.0.0.1 rads.mcafee.com
  127.0.0.1 trendmicro.com
  127.0.0.1 www.trendmicro.com

W32/Agobot-IY can sniff HTTP, VULN, ICMP, FTP and IRC network traffic and steal data from it.

The following vulnerabilities can also be exploited to aid propagation on unpatched systems and to manipulate registry keys:

  Remote Procedure Call (RPC) vulnerability.
  Distributed Component Object Model (DCOM) vulnerability.
  RPC Locator vulnerability.
  IIS5/WEBDAV Buffer Overflow vulnerability.

For more information about these Windows vulnerabilities, please refer to the following Microsoft Security Bulletins:

  Microsoft Security Bulletin MS03-001
  Microsoft Security Bulletin MS03-007
  Microsoft Security Bulletin MS03-039

W32/Agobot-IY can also polymorph on installation in order to evade detection, and can share or delete the admin$, ipc$ and similar administrative shares.
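The HOSTS-file tampering described above (vendor and update sites bound to 127.0.0.1) is easy to check for during triage. The following is an added example, not part of the Sophos alert: it parses a HOSTS file, flags any non-local name pinned to a sinkhole address (loopback or 0.0.0.0), and separately highlights names under the vendor domains that appear in the alert's list. The sample file contents, the vendor-domain table and the hostname updates.example.com are constructed for the demonstration.

```python
"""Added example (not from the Sophos alert): detect HOSTS-file entries that
sinkhole anti-virus and update sites, as W32/Agobot-IY is described doing."""
import ipaddress
from typing import Dict, List, Tuple

# Constructed sample of a tampered HOSTS file: the normal localhost lines,
# one legitimate internal alias, and several vendor sites pinned to
# 127.0.0.1 (plus one to 0.0.0.0) in the style the alert shows.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
192.168.1.10    fileserver   # internal box, legitimate
127.0.0.1 www.symantec.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 www.sophos.com
127.0.0.1 update.symantec.com
::1 localhost
0.0.0.0 www.mcafee.com
127.0.0.1 updates.example.com
"""

# Names that may legitimately map to a loopback address.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}

# Second-level domains taken from the alert's example list; any subdomain
# of these is treated as a security-vendor host.
VENDOR_DOMAINS = {
    "symantec.com", "symantecliveupdate.com", "sophos.com", "mcafee.com",
    "viruslist.com", "f-secure.com", "kaspersky.com", "avp.com",
    "networkassociates.com", "ca.com", "my-etrust.com", "nai.com",
    "trendmicro.com",
}


def parse_hosts(text: str) -> List[Tuple[int, str, str]]:
    """Return (line_number, ip, hostname) for every mapping in a HOSTS file.
    Comments ('#' to end of line) and blank lines are skipped; a line that
    lists several hostnames yields one tuple per hostname."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue  # malformed line: an address with no hostname
        ip, names = fields[0], fields[1:]
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue  # not an IP address at all; nothing is mapped
        for name in names:
            entries.append((lineno, ip, name.lower().rstrip(".")))
    return entries


def is_sinkhole(ip: str) -> bool:
    """True for addresses that make a name unreachable: loopback or 0.0.0.0/::."""
    addr = ipaddress.ip_address(ip)
    return addr.is_loopback or addr.is_unspecified


def is_vendor_host(name: str) -> bool:
    """True when the name is, or is a subdomain of, a known vendor domain."""
    return any(name == d or name.endswith("." + d) for d in VENDOR_DOMAINS)


def find_hijacked(text: str) -> Dict[str, List[Tuple[int, str, str]]]:
    """Classify suspicious mappings in a HOSTS file.
    'vendor': a known security-vendor host pinned to a sinkhole address
    'other':  any other non-local name pinned to a sinkhole address, worth
              reviewing because a tampered file may list sites not in
              VENDOR_DOMAINS"""
    findings: Dict[str, List[Tuple[int, str, str]]] = {"vendor": [], "other": []}
    for lineno, ip, name in parse_hosts(text):
        if name in LOCAL_NAMES or not is_sinkhole(ip):
            continue
        key = "vendor" if is_vendor_host(name) else "other"
        findings[key].append((lineno, ip, name))
    return findings


if __name__ == "__main__":
    for kind, hits in find_hijacked(SAMPLE_HOSTS).items():
        for lineno, ip, name in hits:
            print(f"[{kind}] line {lineno}: {name} -> {ip}")
```

On a real system the text would be read from %SystemRoot%\System32\drivers\etc\hosts; the classification deliberately treats 0.0.0.0 the same as 127.0.0.1, since either address denies access to the site, and keeps the "other" bucket so that vendors missing from the table are still surfaced for review.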
It can also test the available bandwidth by attempting to GET or POST data to the following websites:

  yahoo.co.jp
  www.nifty.com
  www.d1asia.com
  www.st.lib.keio.ac.jp
  www.lib.nthu.edu.tw
  www.above.net
  www.level3.com
  nitro.ucsc.edu
  www.burst.net
  www.cogentco.com
  www.rit.edu
  www.nocster.com
  www.verio.com
  www.stanford.edu
  www.xo.net
  de.yahoo.com
  www.belwue.de
  www.switch.ch
  www.1und1.de
  verio.fr
  www.utwente.nl
  www.schlund.net

W32/Agobot-IY can also be used to initiate denial-of-service (DoS) and distributed denial-of-service (DDoS) attacks (synflood, httpflood, fraggle, smurf, etc.) against remote systems.

This worm can steal the Windows Product ID and keys from several computer applications or games, including:

  AOL Instant Messenger
  Battlefield 1942
  Battlefield 1942: Secret Weapons Of WWII
  Battlefield 1942: The Road To Rome
  Battlefield 1942: Vietnam
  Black and White
  Call of Duty
  Command and Conquer: Generals
  Command and Conquer: Generals: Zero Hour
  Command and Conquer: Red Alert2
  Command and Conquer: Tiberian Sun
  Counter-Strike
  FIFA 2002
  FIFA 2003
  Freedom Force
  Global Operations
  Gunman Chronicles
  Half-Life
  Hidden and Dangerous 2
  Industry Giant 2
  IGI2: Covert Strike
  James Bond 007: Nightfire
  Medal of Honor: Allied Assault
  Medal of Honor: Allied Assault: Breakthrough
  Medal of Honor: Allied Assault: Spearhead
  Nascar Racing 2002
  Nascar Racing 2003
  NHL 2002
  NHL 2003
  Need For Speed: Hot Pursuit 2
  Need For Speed: Underground
  Neverwinter Nights
  Ravenshield
  Shogun Total War - Warlord Edition
  Soldiers Of Anarchy
  Soldier of Fortune II - Double Helix
  The Gladiators
  Unreal Tournament 2003
  Unreal Tournament 2004
  Windows Messenger

W32/Agobot-IY will delete all files named 'sound*.*'.
Recovery

Please follow the instructions for removing worms.

This IDE file also includes detection for:

  Troj/Tofdrop-A
  http://www.sophos.com/virusinfo/analyses/trojtofdropa.html

  Troj/Tofger-X
  http://www.sophos.com/virusinfo/analyses/trojtofgerx.html

  Troj/Ldpinch-M
  http://www.sophos.com/virusinfo/analyses/trojldpinchm.html

  W32/Wallon-D
  http://www.sophos.com/virusinfo/analyses/w32wallond.html

  W32/Agobot-SA
  http://www.sophos.com/virusinfo/analyses/w32agobotsa.html

  W32/Bot-A
  http://www.sophos.com/virusinfo/analyses/w32bota.html

  W32/Brewbot-A
  http://www.sophos.com/virusinfo/analyses/w32brewbota.html

  Troj/Delf-CY
  http://www.sophos.com/virusinfo/analyses/trojdelfcy.html

  Troj/PcClient-B
  http://www.sophos.com/virusinfo/analyses/trojpcclientb.html

  Troj/Small-IU
  http://www.sophos.com/virusinfo/analyses/trojsmalliu.html

Download the IDE file from:
http://www.sophos.com/downloads/ide/agobotiy.ide

Download all the IDE files available for the current version of Sophos Anti-Virus in a single compressed file. The file is available in two formats:

  Zip file: http://www.sophos.com/downloads/ide/ides.zip
  Self-extracting file: http://www.sophos.com/downloads/ide/ides.exe

Read about how to use IDE files at
http://www.sophos.com/downloads/ide/using.html

*********** MIKE'S REPLY SEPARATOR ***********

Mike ~ It is a good day if I learned something new.
Editor MikesWhatsNews
see a sample on my web page http://www3.telus.net/mikebike
<mikeswhatsnews-request@xxxxxxxxxxxxx?Subject=subscribe>
http://www3.telus.net/mikebike/worm_removal.htm
See my Anti-Virus pages http://virusinfo.hackfix.org/index
<virusinfo-request@xxxxxxxxxxxxx?Subject=subscribe>
A Technical Support Alliance and OWTA Charter Member