[virusinfo] W32/Agobot-QT

  • From: "Mike" <mikebike@xxxxxxxxx>
  • To: virusinfo@xxxxxxxxxxxxx
  • Date: Wed, 09 Mar 2005 08:38:59 -0800

From Sophos Alert System:

Name: W32/Agobot-QT
Aliases: W32/Agobot.CVS, Win32.Agobot.xs
Type: Win32 worm
Date: 9 March 2005

A virus identity (IDE) file which provides protection is
available now from the Sophos website, and will be incorporated
into the April 2005 (3.92) release of Sophos Anti-Virus.

Customers using EM Library, PureMessage or any of our Sophos
small business solutions will be automatically protected at
their next scheduled update.

At the time of writing, Sophos has received a small number of
reports of this worm from the wild.


Information about W32/Agobot-QT can be found at:
http://www.sophos.com/virusinfo/analyses/w32agobotqt.html

W32/Agobot-QT is a worm with backdoor Trojan functionality.

W32/Agobot-QT connects to an IRC channel and listens for backdoor commands from
a remote attacker. The worm may also spread to network shares with weak
passwords or by DCC.

W32/Agobot-QT contains backdoor functionality including the ability to do any
of the following:
- participate in denial of service attacks
- download updates and other files
- list, create and terminate processes and services
- provide a remote command shell
- log keypresses
- delete files
- delete network shares
- make registry changes
- steal system information
- send files by DCC
- exploit vulnerabilities
- monitor network traffic

W32/Agobot-QT also modifies the system HOSTS file in order to prevent access to
the following web addresses:

When first run W32/Agobot-QT copies itself to the Windows system folder as
SUPER.EXE and creates the following registry entries in order to run itself on
system startup:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
super = super.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
super = super.exe

This IDE file also includes detection for:

Troj/Nethief-K
http://www.sophos.com/virusinfo/analyses/trojnethiefk.html
Troj/Istbar-AQ
http://www.sophos.com/virusinfo/analyses/trojistbaraq.html
Troj/Agent-CK
http://www.sophos.com/virusinfo/analyses/trojagentck.html
W32/Rbot-XJ
http://www.sophos.com/virusinfo/analyses/w32rbotxj.html
W32/Traxg-D
http://www.sophos.com/virusinfo/analyses/w32traxgd.html
Troj/LowZone-S
http://www.sophos.com/virusinfo/analyses/trojlowzones.html

Download the IDE file from:
http://www.sophos.com/downloads/ide/agobotqt.ide

Download all the IDE files available for the current version of 
Sophos Anti-Virus in a single compressed file. The file is
available in two formats:

Zip file:
http://www.sophos.com/downloads/ide/ides.zip

Self-extracting file:
http://www.sophos.com/downloads/ide/ides.exe

Read about how to use IDE files at
http://www.sophos.com/downloads/ide/using.html

*********** MIKE'S REPLY SEPARATOR ***********
Mike ~ It is a good day if I learned something new.
Editor MikesWhatsNews see a sample on my web page
http://www3.telus.net/mikebike
<mikeswhatsnews-request@xxxxxxxxxxxxx?Subject=subscribe>
http://www3.telus.net/mikebike/worm_removal.htm
See my Anti-Virus pages  http://virusinfo.hackfix.org/index
<virusinfo-request@xxxxxxxxxxxxx?Subject=subscribe>
A Technical Support Alliance  and OWTA Charter Member 
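
Added example (not part of the Sophos alert or of Mike's post): a Python check for the HOSTS-file tampering the alert describes, reporting any HOSTS entry that overrides a security vendor's domain. The watchlist, the sample HOSTS content and the function names are assumptions made for illustration; the alert does not say which address the entries point to, so every override is reported and loopback or 0.0.0.0 targets are marked as sinkholed.

```python
import ipaddress

# Watchlist is an assumption: sophos.com appears on this page, the .example
# name is a placeholder. Fill it with the vendor domains your hosts rely on.
WATCHED = {"sophos.com", "av-vendor.example"}

# Constructed sample HOSTS content, not taken from an infected machine.
SAMPLE_HOSTS = """\
# constructed sample
127.0.0.1       localhost
127.0.0.1       www.sophos.com sophos.com   # two names on one line
0.0.0.0         UPDATE.AV-VENDOR.EXAMPLE.
10.1.2.3        intranet.corp.example
# 127.0.0.1     sophos.com  (commented out, must be ignored)
not-an-ip       sophos.com
"""

def is_watched(host, watched=WATCHED):
    """True if host equals a watched domain or is a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in watched)

def audit_hosts(text, watched=WATCHED):
    """Return (line_no, host, address, sinkholed) for each HOSTS override
    of a watched domain; sinkholed is True for loopback/unspecified targets."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        fields = raw.split("#", 1)[0].split()   # drop comments, then tokenise
        if len(fields) < 2:
            continue
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                            # first field is not an address
        sinkholed = addr.is_loopback or addr.is_unspecified
        for host in fields[1:]:                 # one line may carry several names
            if is_watched(host, watched):
                findings.append(
                    (line_no, host.lower().rstrip("."), str(addr), sinkholed))
    return findings

if __name__ == "__main__":
    for line_no, host, addr, sinkholed in audit_hosts(SAMPLE_HOSTS):
        note = "blocked (sinkholed)" if sinkholed else "redirected"
        print(f"HOSTS line {line_no}: {host} -> {addr} [{note}]")
```

On a Windows host the text to audit is normally read from %SystemRoot%\System32\drivers\etc\hosts.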



