[virusinfo] W32/Agobot-RC

• From: "Mike" <mikebike@xxxxxxxxx>
• To: virusinfo@xxxxxxxxxxxxx
• Date: Wed, 23 Mar 2005 23:03:34 -0800

From; Sophos Alert System:

Name: W32/Agobot-RC
Aliases: Backdoor.Win32.Agobot.aal
Type: Win32 worm
Date: 24 March 2005

A virus identity (IDE) file which provides protection is
available now from the Sophos website, and will be incorporated
into the May 2005 (3.93) release of Sophos Anti-Virus.

Customers using EM Library, PureMessage or any of our Sophos
small business solutions will be automatically protected at
their next scheduled update.

At the time of writing, Sophos has received a small number of
reports of this worm from the wild.


Information about W32/Agobot-RC can be found at:
http://www.sophos.com/virusinfo/analyses/w32agobotrc.html

W32/Agobot-RC is a worm with backdoor functionality which spreads to computers 
protected by weak passwords and by using the LSASS security exploit (MS04-011). 
When first run, W32/Agobot-RC moves itself to the Windows system folder as 
smrs.exe and creates the following registry entries to run itself on computer 
restart: 
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
vsadmin
smrs.exe 
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
vsadmin
smrs.exe 
W32/Agobot-RC then tries to connect to a remote IRC server while running 
continuously in the background, allowing a remote intruder to access and 
control the computer via IRC channels. 
The worm modifies the HOSTS file by appending the following mappings: 
127.0.0.1 www.symantec.com
127.0.0.1 securityresponse.symantec.com
127.0.0.1 symantec.com
127.0.0.1 www.sophos.com
127.0.0.1 sophos.com
127.0.0.1 www.mcafee.com
127.0.0.1 mcafee.com
127.0.0.1 liveupdate.symantecliveupdate.com
127.0.0.1 www.viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 f-secure.com
127.0.0.1 www.f-secure.com
127.0.0.1 kaspersky.com
127.0.0.1 www.avp.com
127.0.0.1 www.kaspersky.com
127.0.0.1 avp.com
127.0.0.1 www.networkassociates.com
127.0.0.1 networkassociates.com
127.0.0.1 www.ca.com
127.0.0.1 ca.com
127.0.0.1 mast.mcafee.com
127.0.0.1 my-etrust.com
127.0.0.1 www.my-etrust.com
127.0.0.1 download.mcafee.com
127.0.0.1 dispatch.mcafee.com
127.0.0.1 secure.nai.com
127.0.0.1 nai.com
127.0.0.1 www.nai.com
127.0.0.1 update.symantec.com
127.0.0.1 updates.symantec.com
127.0.0.1 us.mcafee.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 customer.symantec.com
127.0.0.1 rads.mcafee.com
127.0.0.1 trendmicro.com
127.0.0.1 www.trendmicro.com 
Once installed, W32/Agobot-RC attempts to perform the following actions when 
instructed to do so by a remote intruder: 
steal CD game keys
log keystrokes
setup a SOCKS4 server
steal email addresses and send them to a remote website via HTTP
steal MSN Messenger and computer information
perform denial of service (DoS) attacks using a variety of HTTP, Ping, TCP, UDP 
commands
download and run files from the internet
login to MS SQL servers and send EXEC commands to open a command shell
terminate and disable various anti-virus and security related programs 

This IDE file also includes detection for:

W32/Forbot-GP
http://www.sophos.com/virusinfo/analyses/w32forbotgp.html
W32/Sdbot-WX
http://www.sophos.com/virusinfo/analyses/w32sdbotwx.html
W32/Rbot-ZD
http://www.sophos.com/virusinfo/analyses/w32rbotzd.html

Download the IDE file from:
http://www.sophos.com/downloads/ide/agobotrc.ide

Download all the IDE files available for the current version of 
Sophos Anti-Virus in a single compressed file. The file is
available in two formats:

Zip file:
http://www.sophos.com/downloads/ide/ides.zip

Self-extracting file:
http://www.sophos.com/downloads/ide/ides.exe

Read about how to use IDE files at
http://www.sophos.com/downloads/ide/using.html

*********** MIKE"S REPLY SEPARATOR  ***********
Mike ~ It is a good day if I learned something new.
Editor MikesWhatsNews see a sample on my web page
http://www3.telus.net/mikebike
<mikeswhatsnews-request@xxxxxxxxxxxxx?Subject=subscribe>
http://www3.telus.net/mikebike/worm_removal.htm
See my Anti-Virus pages  http://virusinfo.hackfix.org/index
<virusinfo-request@xxxxxxxxxxxxx?Subject=subscribe>
A Technical Support Alliance  and OWTA Charter Member 

Other related posts:

• » [virusinfo] W32/Agobot-RC

1. Home
2. virusinfo
3. Archive
4. 03-2005

---

• » Previous by Date
• » Next by Date
• » Related Posts
• » View list details
• » Manage your subscription

---