high
Summary
Summary
Action- More Information
| How it spreads |
|
|---|---|
| Affected operating systems | Windows |
| Included in our products from | February 2005 (3.90) |
| Protection available since | 6 January 2005 13:40:21 (GMT) |
| Detected by | All Sophos products |
Action
- Summary
- Action
- More Information
Please read the instructions for removing W332/Agobot-OU.
More Information
W32/Agobot-OU is a network worm with a backdoor Trojan component.
W32/Agobot-OU is capable of spreading to computers on the local network protected by weak passwords after receiving the appropriate backdoor command.
W32/Agobot-OU can also spread by exploiting the DCOM (MS04-012) and LSASS (MS04-011) vulnerabilities.
W32/Agobot-OU will run in the background and provide backdoor access to remote users over IRC channels.
W32/Agobot-OU will attempt to terminate a number of anti-virus and security-related applications. The worm will also attempt to deny access to a list of anti-virus and security related websites by modifying the Windows HOSTS file. W32/Agobot-OU is a network worm with a backdoor Trojan component.
W32/Agobot-OU is capable of spreading to computers on the local network protected by weak passwords after receiving the appropriate backdoor command.
W32/Agobot-OU can also spread by exploiting the following vulnerabilities:
DCOM (MS04-012)
LSASS (MS04-011)
When first run, W32/Agobot-OU copies itself to the Windows system folder as WINSRV.EXE and runs this copy of the worm. The copy will then attempt to delete the original file. In order to run each time a user logs on, W32/Agobot-OU will set the following registry entries:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
smcserv
winsrv.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
smcserv
winsrv.exe
The worm runs continuously in the background providing backdoor access to the computer.
W32/Agobot-OU will append the HOSTS file in the <SYSTEM>\drivers\etc folder. The file contains a list of websites each bound to the IP loopback address. This prevents access to a list of anti-virus and security related websites. For example:
127.0.0.1 sophos.com
127.0.0.1 www.sophos.com
W32/Agobot-OU is capable of testing the available bandwidth by attempting to GET or POST data to the following websites:
yahoo.co.jp
www.nifty.com
www.d1asia.com
www.st.lib.keio.ac.jp
www.lib.nthu.edu.tw
www.above.net
www.level3.com
nitro.ucsc.edu
www.burst.net
www.cogentco.com
www.rit.edu
www.nocster.com
www.verio.com
www.stanford.edu
www.xo.net
de.yahoo.com
www.belwue.de
www.switch.ch
www.1und1.de
verio.fr
www.utwente.nl
www.schlund.net
The backdoor component of W32/Agobot-OU may be used to:
Initiate Denial of Service (DOS) attacks.
Redirect GRE, TCP, HTTP, HTTPS, SOCKS4 and SOCKS5 traffic.
Download, upload, delete and execute files.
Set up an FTP file server.
Steal passwords (including PayPal account information).
List and kill processes.
Stop, start, pause and delete services.
Modify the registry.
Open and close vulnerabilities.
Port scan for vulnerabilities on other remote computers.
Flush the DNS cache.
Log keyboard presses.
Shut down and reboot the computer.
Add and delete network shares, groups and users.
Sniff network traffic for passwords.
Steal email addresses from the computer.
Send emails as specified by the remote user.
W32/Agobot-OU may alter the following registry entry in order to enable/disable DCOM:
HKLM\SOFTWARE\Microsoft\Ole\EnableDCOM
W32/Agobot-OU is capable of adding and deleting the C$, D$, IPC$ and ADMIN$ network shares.
W32/Agobot-OU may steal the Windows Product ID and keys from several computer
applications or games including:
AOL Instant Messenger
Battlefield 1942
Battlefield 1942: Secret Weapons of WWII
Battlefield 1942: The Road To Rome
Battlefield 1942: Vietnam
Black and White
Call of Duty
Command and Conquer: Generals
Command and Conquer: Generals: Zero Hour
Command and Conquer: Red Alert 2
Command and Conquer: Tiberian Sun
Counter-Strike
FIFA 2002
FIFA 2003
Freedom Force
Global Operations
Gunman Chronicles
Half-Life
Hidden and Dangerous 2
IGI2: Covert Strike
Industry Giant 2
James Bond 007: Nightfire
Medal of Honor: Allied Assault
Medal of Honor: Allied Assault: Breakthrough
Medal of Honor: Allied Assault: Spearhead
Nascar Racing 2002
Nascar Racing 2003
Need For Speed: Hot Pursuit 2
Need For Speed: Underground
Neverwinter Nights
NHL 2002
NHL 2003
Rainbow Six III RavenShield
Shogun: Total War: Warlord Edition
Soldiers Of Anarchy
Soldier Of Fortune 2 - Double Helix
The Gladiators
Unreal Tournament 2003
Unreal Tournament 2004
W32/Agobot-OU can be instructed to harvest email addresses from the infected computer by searching the Windows Address Book, used by
Microsoft Outlook and Outlook Express. The worm can also harvest email addresses from Microsoft Messenger.
W32/Agobot-OU will attempt to terminate a number of anti-virus and security-related processes in addition to other viruses, worms and Trojans.
|
