| | |
|---|---|
| echo: | |
| to: | |
| from: | |
| date: | |
| subject: | News, May 30 2004 |
[cut-n-paste from sophos.com]

W32/Agobot-XX
Type: Win32 worm
Detection: At the time of writing, Sophos has received just one report of this worm from the wild.
Description: W32/Agobot-XX is capable of spreading to computers on the local network protected by weak passwords. When first run W32/Agobot-XX copies itself to the Windows system folder as dmrss.exe and creates the following registry entries to run itself on startup:
- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DSService = dmrss.exe
- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\DSService = dmrss.exe

Each time W32/Agobot-XX is run it attempts to connect to a remote IRC server and join a specific channel. W32/Agobot-XX then runs continuously in the background, allowing a remote intruder to access and control the computer via IRC channels. W32/Agobot-XX attempts to terminate and disable various anti-virus and security-related programs. This worm will search for shared folders on the internet with weak passwords and copy itself into them. A text file named HOSTS may also be dropped into C:\\drivers\etc which may contain a list of anti-virus and other security-related websites, each bound to the IP loopback address 127.0.0.1, which would effectively prevent access to these sites.
W32/SdBot-BC
Aliases: Backdoor.Rbot.gen, W32/Sdbot.worm.gen.m, W32.Spybot.Worm
Type: Win32 worm
Detection: At the time of writing, Sophos has received just one report of this worm from the wild.
Description: W32/Sdbot-BC is a worm and backdoor for the Windows platform. W32/Sdbot-BC attempts to connect to a channel on a remote IRC server and allow a malicious user remote access to the infected computer. When executed, W32/Sdbot-BC copies itself to the Windows system folder with the filename userint.exe. In order to run automatically when Windows starts up W32/Sdbot-BC creates the following registry entries:
- HKLM\Software\Microsoft\Windows\CurrentVersion\Run\NetLogon = userint.exe
- HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\NetLogon = userint.exe
- HKCU\Software\Microsoft\Windows\CurrentVersion\Run\NetLogon = userint.exe

W32/Sdbot-BC spreads by exploiting computers with weak passwords, unpatched vulnerabilities and backdoors opened by other worms.
W32/Bagle-AA
Aliases: Win32/Bagle.AB, WORM_BAGLE.Z, I-Worm.Bagle.z
Type: Win32 worm
Detection: Sophos has received many reports of this worm from the wild.
Description: W32/Bagle-AA is an email-aware worm and a member of the W32/Bagle family of worms. When first run W32/Bagle-AA will display a fake error message containing the text "Can't find a viewer associated with the file". W32/Bagle-AA copies itself to the Windows system folder with the filename drvddll.exe and then runs the worm from that location.

The email sent by the worm may use one of the following subject lines: Re: Msg reply; Re: Hello; Re: Yahoo!; Re: Thank you!; Re: Thanks :); RE: Text message; Re: Document; Incoming message; Re: Incoming Message; RE: Incoming Msg; RE: Message Notify; Notification; Changes..; New changes; Hidden message; Fax Message Received; Protected message; RE: Protected message; Forum notify; Site changes; Re: Hi; Encrypted document.

The attachment sent by the worm may carry an EXE, SCR, COM, ZIP, VBS, HTA or CPL extension. The following registry entry is created so that the worm is run when a user logs on to Windows:
- HKLM\Software\Microsoft\Windows\CurrentVersion\Run\drvddll.exe = drvddll.exe

W32/Bagle-AA scans all fixed drives recursively for WAB, TXT, MSG, HTM, SHTM, STM, XML, DBX, MBX, MDX, EML, NCH, MMF, ODS, CFG, ASP, PHP, PL, WSH, ADB, TBB, SHT, XLS, OFT, UIN, CGI, MHT, DHTM and JSP files, extracts email addresses from them and uses those addresses for the mass-mailing component of the worm.
The worm will create copies of itself with the following filenames in folders that contain the string "shar" in their name:
- Microsoft Office 2003 Crack, Working!.exe
- Microsoft Windows XP, WinXP Crack, working Keygen.exe
- Microsoft Office XP working Crack, Keygen.exe
- Porno, sex, oral, anal cool, awesome!!.exe
- Porno Screensaver.scr
- Serials.txt.exe
- KAV 5.0 Kaspersky Antivirus 5.0
- Porno pics arhive, xxx.exe
- Windows Sourcecode update.doc.exe
- Ahead Nero 7.exe
- Windown Longhorn Beta Leak.exe
- Opera 8 New!.exe
- XXX hardcore images.exe
- WinAmp 6 New!.exe
- WinAmp 5 Pro Keygen Crack Update.exe
- Adobe Photoshop 9 full.exe
- Matrix 3 Revolution English Subtitles.exe
- ACDSee 9.exe

W32/Bagle-AA attempts to terminate a long list of processes belonging to anti-virus, firewall and other security-related products.

W32/Sdbot-BW
Aliases: Backdoor.SdBot.ma
Type: Win32 worm
Detection: At the time of writing, Sophos has received just one report of this worm from the wild.
Description: W32/Sdbot-BW is a worm and backdoor for the Windows platform. W32/Sdbot-BW attempts to connect to a channel on a remote IRC server and allow a malicious user remote access to the infected computer. In order to run automatically when Windows starts up W32/Sdbot-BW creates the following registry entries:
- HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft AUT Update = MSlti32.exe
- HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\Microsoft AUT Update = MSlti32.exe
- HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft AUT Update = MSlti32.exe

W32/Sdbot-BW spreads by exploiting computers with weak passwords, unpatched vulnerabilities and backdoors opened by other worms. The worm may be configured to log the user's keystrokes to a file named k3ys.txt in the Windows system folder.

W32/Agobot-JF
Aliases: Gaobot, Nortonbot, Phatbot, Polybot
Type: Win32 worm
Detection: At the time of writing, Sophos has received just one report of this worm from the wild.
Description: W32/Agobot-JF is an IRC backdoor Trojan and network worm which establishes an IRC channel to a remote server in order to grant an intruder access to the compromised machine.
This worm will move itself into the Windows System32 folder under the filename CSASS.EXE and may create the following registry entries so that it can execute automatically on system restart:
- HKLM\Software\Microsoft\Windows\CurrentVersion\Run\WSAConfiguration1 = csass.exe
- HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\WSAConfiguration1 = csass.exe

This worm will also create the following registry branches upon execution:
- HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WMI_HELPER_SERVICE\
- HKLM\SYSTEM\CurrentControlSet\Services\WMI Helper Service\

W32/Agobot-JF may also attempt to collect email addresses from the Windows Address Book and send itself to these email addresses using its own SMTP engine, with itself included as an executable attachment. W32/Agobot-JF may attempt to terminate anti-virus and other security-related processes, in addition to other viruses, worms or Trojans.

W32/Agobot-JF may also be used to terminate the following services on remote computers: Themes, srservice, wuauserv, WZCSVC, winmgmt, WebClient, W32Time, upnphost, uploadmgr, TrkWks, TermService, TapiSrv, stisvc, SSDPSRV, Spooler, ShellHWDetection, SENS, seclogon, Schedule, SamSs, RpcSs, RasMan, ProtectedStorage, PolicyAgent, PlugPlay, Nla, Netman, Messenger, MDM, LmHosts, lanmanworkstation, lanmanserver, helpsvc, FastUserSwitchingCompatibility, EventSystem, Eventlog, ERSvc, Dnscache, dmserver, Dhcp, CryptSvc, Browser, AudioSrv, Ati HotKey Poller.

W32/Agobot-JF may search for shared folders on the internet with weak passwords and copy itself into them. A text file named HOSTS in C:\\drivers\etc\ may be created or overwritten with a list of anti-virus and other security-related websites, each bound to the IP loopback address 127.0.0.1, which would effectively prevent access to these sites.

W32/Agobot-JF can sniff HTTP, ICMP, FTP and IRC network traffic and steal data from them. The following vulnerabilities can also be exploited to aid propagation on unpatched systems and manipulate registry keys:
- Remote Procedure Call (RPC) vulnerability
- Distributed Component Object Model (DCOM) vulnerability
- RPC Locator vulnerability
- IIS5/WEBDAV Buffer Overflow vulnerability

For more information about these Windows vulnerabilities, please refer to Microsoft Security Bulletins MS03-001, MS03-007 and MS03-039.

W32/Agobot-JF can also share / delete the admin$, ipc$ etc. drives. It can also test the available bandwidth by attempting to GET or POST data to the following websites: yahoo.co.jp, www.nifty.com, www.d1asia.com, www.st.lib.keio.ac.jp, www.lib.nthu.edu.tw, www.above.net, www.level3.com, nitro.ucsc.edu, www.burst.net, www.cogentco.com, www.rit.edu, www.nocster.com, www.verio.com, www.stanford.edu, www.xo.net, de.yahoo.com, www.belwue.de, www.switch.ch, www.1und1.de, verio.fr, www.utwente.nl, www.schlund.net.

W32/Agobot-JF can also be used to initiate denial-of-service (DoS) and distributed denial-of-service (DDoS) attacks (synflood / httpflood / fraggle / smurf etc.) against remote systems. This worm can steal the Windows Product ID and keys from several computer applications or games, including: AOL Instant Messenger; Battlefield 1942; Battlefield 1942: Secret Weapons Of WWII; Battlefield 1942: The Road To Rome; Battlefield 1942: Vietnam; Black and White; Call of Duty; Command and Conquer: Generals; Command and Conquer: Generals: Zero Hour; Command and Conquer: Red Alert2; Command and Conquer: Tiberian Sun; Counter-Strike; FIFA 2002; FIFA 2003; Freedom Force; Global Operations; Gunman Chronicles; Half-Life; Hidden and Dangerous 2; Industry Giant 2; IGI2: Covert Strike; James Bond 007: Nightfire; Medal of Honor: Allied Assault; Medal of Honor: Allied Assault: Breakthrough; Medal of Honor: Allied Assault: Spearhead; Nascar Racing 2002; Nascar Racing 2003; NHL 2002; NHL 2003; Need For Speed: Hot Pursuit 2; Need For Speed: Underground; Neverwinter Nights; Ravenshield; Shogun Total War - Warlord Edition; Soldiers Of Anarchy; Soldier of Fortune II - Double Helix; The Gladiators; Unreal Tournament 2003; Unreal Tournament 2004; Windows Messenger.

W32/Rbot-T
Aliases: Backdoor.Rbot.gen, W32/Sdbot.worm.gen.h
Type: Win32 worm
Detection: Sophos has received several reports of this worm from the wild.
Description: W32/Rbot-T is a worm which attempts to spread to remote network shares. It also contains backdoor Trojan functionality, allowing unauthorised remote access to the infected computer via IRC channels while running in the background as a service process. W32/Rbot-T spreads to network shares with weak passwords as a result of the backdoor Trojan element receiving the appropriate command from a remote user. W32/Rbot-T copies itself to the Windows system folder as NAVSCAN64.EXE and creates entries at the following locations in the registry so as to run itself on system startup:
- HKLM\Software\Microsoft\Windows\CurrentVersion\Run
- HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
- HKCU\Software\Microsoft\Windows\CurrentVersion\Run

W32/Rbot-T may set the following registry entries:
- HKLM\SOFTWARE\Microsoft\Ole\EnableDCOM = "N"
- HKLM\SYSTEM\CurrentControlSet\Control\Lsa\restrictanonymous = "1"

W32/Rbot-T may try to delete the C$, D$, E$, IPC$ and ADMIN$ network shares on the host computer. W32/Rbot-T may also try to log keystrokes and window text to a file called DEBUG.TXT in the Windows system folder.

W32/Francette-K
Aliases: Worm.Win32.Francette.l, W32/Tumbi.worm.gen.b, W32.Francette.Worm, WORM_FRANCETTE.L
Type: Win32 worm
Detection: At the time of writing, Sophos has received just one report of this worm from the wild.
Description: W32/Francette-K is a backdoor Trojan and a worm that attempts to spread by exploiting vulnerabilities and backdoors left by members of the W32/Mydoom family of worms. W32/Francette-K may spread to vulnerable computers by taking advantage of the DCOM RPC vulnerability (MS03-026). W32/Francette-K allows a malicious user remote access to an infected computer. The worm drops a DLL file, lol.dll, which is used to capture user keystrokes, which may be sent to the attacker's email account.
Lol.dll is detected by Sophos Anti-Virus as W32/Francette-I. W32/Francette-K may connect to an IRC server and provide backdoor access via IRC channels. In order to run automatically when Windows starts up W32/Francette-K creates the following registry entry:
- HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft IIS

Troj/Adtoda-A
Type: Trojan
Detection: At the time of writing, Sophos has received just one report of this Trojan from the wild.
Description: Troj/Adtoda-A is a backdoor Trojan. When first run, Troj/Adtoda-A will display the following two messages:

"Setup was not able to continue the installation. An illegal copy of Windows Operating System was detected on this computer. The computer informations is already collect and will be post as this computer name: (name of machine)"

"The operating system will not work properly before you get a permission after you complete the penalty! For any detail informations, Please contact the following link: http:\\www.microsoft.com\~msproduct\~watch\~piracy10\secureID=OS_wiNver_532Fg32_ap12nt04A"

After the user clicks "OK" on both of these messages, Troj/Adtoda-A installs itself and activates the payload. This inverts the screen and freezes the machine so that it needs to be rebooted. In order to run automatically when Windows starts up the Trojan creates the file C:\Windows\system\winupd32.exe and the shortcut C:\Windows\Start Menu\Programs\StartUp\System Update Service.lnk pointing to it. These files cause the payload to be run again on system boot. Troj/Adtoda-A also attempts to modify C:\boot.ini to prevent debugging.

Troj/StartPa-AE
Aliases: Trojan.WinREG.StartPage
Type: Trojan
Detection: At the time of writing, Sophos has received just one report of this Trojan from the wild.
Description: Troj/StartPa-AE changes browser settings for Microsoft Internet Explorer each time Windows is started. Troj/StartPa-AE is simply a text file (typically named sysdll.reg) which can be used as input to Regedit to set the following registry entries:
- HKCU\Software\Microsoft\Internet Explorer\Main\Start Page
- HKCU\Software\Microsoft\Internet Explorer\Main\HOMEOldSP
- HKCU\Software\Microsoft\Internet Explorer\Main\Search Bar
- HKCU\Software\Microsoft\Internet Explorer\Main\Search Page
- HKCU\Software\Microsoft\Internet Explorer\Search\SearchAssistant
- HKLM\Software\Microsoft\Internet Explorer\Main\Start Page
- HKLM\Software\Microsoft\Internet Explorer\Main\HOMEOldSP
- HKLM\Software\Microsoft\Internet Explorer\Main\Search Bar
- HKLM\Software\Microsoft\Internet Explorer\Main\Search Page
- HKLM\Software\Microsoft\Internet Explorer\Search\SearchAssistant
- HKLM\Software\Microsoft\Windows\CurrentVersion\Run\sys = "regedit -s sysdll.reg"

The last of these registry entries causes the registry to be updated using Troj/StartPa-AE each time Windows is started. Troj/StartPa-AE may be installed on the computer by Troj/AdClick-AE.

Troj/Inor-I
Type: Trojan
Detection: At the time of writing, Sophos has received just one report of this Trojan from the wild.
Description: Troj/Inor-I is a script file which attempts to drop and execute Troj/Multidr-P.

Troj/Sdbot-BI
Aliases: Backdoor.SdBot.kd, W32/Spybot.worm.gen.b, Win32/SpyBot.WW, Backdoor.IRC.Bot
Type: Trojan
Detection: At the time of writing, Sophos has received just one report of this Trojan from the wild.
Description: Troj/SdBot-BI is an IRC backdoor Trojan which allows unauthorised access and control of the computer from IRC channels. Upon execution Troj/SdBot-BI displays the fake error message "Error-38427 A valid dll file was not found, Windows is now deleting file." In order to run automatically when Windows starts up the Trojan copies itself to the file msnmessengerupdate.exe in the Windows system folder and adds the following registry entry to ensure it is started on computer logon:
- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svshostdriver = msnmessengerupdate.exe

W32/Agobot-JA
Aliases: Backdoor.Agobot.mw, W32/Gaobot.worm.gen.e, Win32/Agobot.3.T, W32.HLLW.Gaobot.gen, WORM_AGOBOT.MW
Type: Win32 worm
Detection: At the time of writing, Sophos has received just one report of this worm from the wild.
Description: W32/Agobot-JA is a backdoor Trojan and worm which spreads to computers protected by weak passwords and to computers infected with variants of W32/MyDoom. When first run, W32/Agobot-JA moves itself to the Windows system folder as lmss.exe and creates the following registry entries to run itself on startup:
- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Login = lmss.exe
- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\Windows Login = lmss.exe

W32/Agobot-JA also sets itself up as a Windows service with the service name "Windows Login". The Trojan hides all files whose filenames begin with "sound". Each time the Trojan is run it attempts to connect to a remote IRC server and join a specific channel. The Trojan then runs continuously in the background, allowing a remote intruder to access and control the computer via IRC channels. The Trojan attempts to terminate and disable various anti-virus and security-related programs and modifies the HOSTS file, mapping selected anti-virus websites to the loopback address 127.0.0.1 in an attempt to prevent access to these sites. The HOSTS file is located at %WINDOWS%\System32\Drivers\etc\HOSTS.

W32/Agobot-JB
Aliases: Gaobot, Nortonbot, Phatbot, Polybot
Type: Win32 worm
Detection: At the time of writing, Sophos has received just one report of this worm from the wild.
Description: W32/Agobot-JB is an IRC backdoor Trojan and network worm which establishes an IRC channel to a remote server in order to grant an intruder access to the compromised machine. This worm will move itself into the Windows System32 folder under the filename WINS32.EXE and may create the following registry entries so that it can execute automatically on system restart:
- HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Tsk Mng Hlp = wins32.exe
- HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\Tsk Mng Hlp = wins32.exe

This worm will also create the following registry branches:
- HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TSKMNGHLP\
- HKLM\SYSTEM\CurrentControlSet\Services\TskMngHlp\

W32/Agobot-JB may also attempt to collect email addresses from the Windows Address Book and send itself to these email addresses using its own SMTP engine, with itself included as an executable attachment. W32/Agobot-JB may attempt to terminate anti-virus and other security-related processes, in addition to other viruses, worms or Trojans.
For example: _AVPM _AVPCC _AVP32 ZONEALARM ZONALM2601 ZATUTOR ZAPSETUP3001 ZAPRO XPF202EN WYVERNWORKSFIREWALL WUPDT WUPDATER WSBGATE WRCTRL WRADMIN WNT WNAD WKUFIND WINUPDATE WINTSK32 WINSTART001 WINSTART WINSSK32 WINSERVN WINRECON WINPPR32 WINNET WINMAIN WINLOGIN WININITX WININIT WININETD WINDOWS WINDOW WINACTIVE WIN32US WIN32 WIN-BUGSFIX WIMMUN32 WHOSWATCHINGME WGFE95 WFINDV32 WEBTRAP WEBSCANX WEBDAV WATCHDOG W9X W32DSM89 VSWINPERSE VSWINNTSE VSWIN9XE VSSTAT VSMON VSMAIN VSISETUP VSHWIN32 VSECOMR VSCHED VSCENU6.02D30 VSCAN40 VPTRAY VPFW30S VPC42 VPC32 VNPC3000 VNLAN300 VIRUSMDPERSONALFIREWALL VIR-HELP VFSETUP VETTRAY VET95 VET32 VCSETUP VBWINNTW VBWIN9X VBUST VBCONS VBCMSERV UTPOST UPGRAD UPDAT UNDOBOOT TVTMD TVMD TSADBOT TROJANTRAP3 TRJSETUP TRJSCAN TRICKLER TRACERT TITANINXP TITANIN TGBOB TFAK5 TFAK TEEKIDS TDS2-NT TDS2-98 TDS-3 TCM TCA TC TBSCAN TAUMON TASKMON TASKMO TASKMG SYSUPD SYSTEM32 SYSTEM SYSEDIT SYMTRAY SYMPROXYSVC SWEEPNET.SWEEPSRV.SYS.SWNETSUP SWEEP95 SVSHOST SVCHOSTS SVCHOSTC SVC SUPPORTER5 SUPPORT SUPFTRL STCLOADER START ST2 SSG_4104 SSGRATE SS3EDIT SRNG SREXE SPYXX SPOOLSV32 SPOOLCV SPOLER SPHINX SPF SPERM SOFI SOAP SMSS32 SMS SMC SHOWBEHIND SHN UPDATE SHELLSPYINSTALL SH SGSSFW32 SFC SETUP_FLOWPROTECTOR_US SETUPVAMEEVAL SERVLCES SERVLCE SERVICE SERV95 SD SCVHOST SCRSVR SCRSCAN SCANPM SCAN95 SCAN32 SCAM32 SC SBSERV SAVENOW SAVE SAHAGENT SAFEWEB RUXDLL32 RUNDLL16 RUNDLL RUN32DLL RULAUNCH RTVSCN95 RTVSCAN RSHELL RRGUARD RESCUE32 RESCUE REGEDT32 REGEDIT REGED REALMON RCSYNC RB32 RAY RAV8WIN32ENG RAV7WIN RAV7 RAPAPP QSERVER QCONSOLE PVIEW95 PUSSY PURGE PSPF PROTECTX PROPORT PROGRAMAUDITOR PROCEXPLORERV1.0 PROCESSMONITOR PROCDUMP PRMVR PRMT PRIZESURFER PPVSTOP PPTBC PPINUPDT POWERSCAN PORTMONITOR PORTDETECTIVE POPSCAN POPROXY POP3TRAP PLATIN PINGSCAN PGMONITR PFWADMIN PF2 PERSWF PERSFW PERISCOPE PENIS PDSETUP PCSCAN PCIP10117_0 PCFWALLICON PCDSETUP PCCWIN98 PCCWIN97 PCCNTMON PCCIOMON PCC2K_76_1436 PCC2002S902 PAVW PAVSCHED PAVPROXY PAVCL PATCH PANIXK 
PADMIN OUTPOSTPROINSTALL OUTPOSTINSTALL OTFIX OSTRONET OPTIMIZE ONSRVR OLLYDBG NWTOOL16 NWSERVICE NWINST4 NVSVC32 NVC95 NVARCH16 NUI NTXconfig NTVDM NTRTSCAN NT NSUPDATE NSTASK32 NSSYS32 NSCHED32 NPSSVC NPSCHECK NPROTECT NPFMESSENGER NPF40_TW_98_NT_ME_2K NOTSTART NORTON_INTERNET_SECU_3.0_407 NORMIST NOD32 NMAIN NISUM NISSERV NETUTILS NETSTAT NETSPYHUNTER-1.2 NETSCANPRO NETMON NETINFO NETD32 NETARMOR NEOWATCHLOG NEOMONITOR NDD32 NCINST4 NC2000 NAVWNT NAVW32 NAVSTUB NAVNT NAVLU32 NAVENGNAVEX15.NAVLU32 NAVDX NAVAPW32 NAVAPSVC NAVAP.NAVAPSVC AUTO-PROTECT.NAV80TRY NAV OUTPOST NUPGRADE N32SCANW MWATCH MU0311AD MSVXD MSSYS MSSMMC32 MSMSGRI32 MSMGT MSLAUGH MSINFO32 MSIEXEC16 MSDOS MSDM MSCONFIG MSCMAN MSCCN32 MSCACHE MSBLAST MSBB MSAPP MRFLUX MPFTRAY MPFSERVICE MPFAGENT MOSTAT MOOLIVE MONITOR MMOD MINILOG MGUI MGHTML MGAVRTE MGAVRTCL MFWENG3.02D30 MFW2EN MFIN32 MD MCVSSHLD MCVSRTE MCTOOL MCSHIELD MCMNHDLR MCAGENT MAPISVC32 LUSPT LUINIT LUCOMSERVER LUAU LSETUP LORDPE LOOKOUT LOCKDOWN2000 LOCKDOWN LOCALNET LOADER LNETINFO LDSCAN LDPROMENU LDPRO LDNETMON LAUNCHER KILLPROCESSSETUP161 KERNEL32 KERIO-WRP-421-EN-WIN KERIO-WRL-421-EN-WIN KERIO-PF-213-EN-WIN KEENVALUE KAZZA KAVPF KAVPERS40ENG KAVLITE40ENG JEDI JDBGMRG JAMMER ISTSVC MCUPDATE LUALL ISRV95 ISASS IRIS IPARMOR IOMON98 INTREN INTDEL INIT INFWIN INFUS INETLNFO IFW2000 IFACE IEXPLORER IEDRIVER IEDLL IDLE ICSUPPNT ICMON ICLOADNT ICLOAD95 IBMAVSP IBMASN IAMSTATS IAMSERV IAMAPP HXIUL HXDL HWPE HTPATCH HTLOG HOTPATCH HOTACTIO HBSRV HBINST HACKTRACERSETUP GUARDDOG GUARD GMT GENERICS GBPOLL GBMENU GATOR FSMB32 FSMA32 FSM32 FSGK32 FSAV95 FSAV530WTBYB FSAV530STBYB FSAV32 FSAV FSAA FRW FPROT FP-WIN_TRIAL FP-WIN FNRB32 FLOWPROTECTOR FIREWALL FINDVIRU FIH32 FCH32 FAST FAMEH32 F-STOPW F-PROT95 F-PROT F-AGNT95 EXPLORE EXPERT EXE.AVXW EXANTIVIRUS-CNET EVPN ETRUSTCIPE ETHEREAL ESPWATCH ESCANV95 ICSUPP95 ESCANHNT ESCANH95 ESAFE ENT EMSW EFPEADM ECENGINE DVP95_0 DVP95 DSSAGENT DRWEBUPW DRWEB32 DRWATSON DPPS2 DPFSETUP DPF DOORS DLLREG 
DLLCACHE DIVX DEPUTY DEFWATCH DEFSCANGUI DEFALERT DCOMX DATEMANAGER Claw95 CWNTDWMO CWNB181 CV CTRL CPFNT206 CPF9X206 CPD CONNECTIONMONITOR CMON016 CMGRDIAN CMESYS CMD32 CLICK CLEANPC CLEANER3 CLEANER CLEAN CFINET32 CFINET CFIADMIN CFGWIZ CFD CDP CCPXYSVC CCEVTMGR CCAPP BVT BUNDLE BS120 BRASIL BPC BORG2 BOOTWARN BOOTCONF BLSS BLACKICE BLACKD BISP BIPCPEVALSETUP BIPCP BIDSERVER BIDEF BELT BEAGLE BD_PROFESSIONAL BARGAINS BACKWEB CLAW95CF CFIAUDIT AVXMONITORNT AVXMONITOR9X AVWUPSRV AVWUPD AVWINNT AVWIN95 AVSYNMGR AVSCHED32 AVPTC32 AVPM AVPDOS32 AVPCC AVP32 AVP AVNT AVLTMAIN AVKWCTl9 AVKSERVICE AVKSERV AVKPOP AVGW AVGUARD AVGSERV9 AVGSERV AVGNT AVGCTRL AVGCC32 AVE32 AVCONSOL AU ATWATCH ATRO55EN ATGUARD ATCON ARR APVXDWIN APLICA32 APIMONITOR ANTS ANTIVIRUS ANTI-TROJAN AMON9X ALOGSERV ALEVIR ALERTSVC AGENTW AGENTSVR ADVXDWIN ADAWARE AVXQUAR ACKWIN32 AVWUPD32 AVPUPD AUTOUPDATE AUTOTRACE AUTODOWN AUPDATE ATUPDATER

W32/Agobot-JB may also be used to terminate the following services on remote computers:

Themes srservice wuauserv WZCSVC winmgmt WebClient W32Time upnphost uploadmgr TrkWks TermService TapiSrv stisvc SSDPSRV Spooler ShellHWDetection SENS seclogon Schedule SamSs RpcSs RasMan ProtectedStorage PolicyAgent PlugPlay Nla Netman Messenger MDM LmHosts lanmanworkstation lanmanserver helpsvc FastUserSwitchingCompatibility EventSystem Eventlog ERSvc Dnscache dmserver Dhcp CryptSvc Browser AudioSrv Ati HotKey Poller

W32/Agobot-JB may search for shared folders on the internet with weak passwords and copy itself into them. A text file named HOSTS in C:\\drivers\etc\ may be created or overwritten with a list of anti-virus and other security-related websites, each bound to the IP loopback address of 127.0.0.1 which would effectively prevent access to these sites.
For example:

127.0.0.1 www.symantec.com 127.0.0.1 securityresponse.symantec.com 127.0.0.1 symantec.com 127.0.0.1 www.sophos.com 127.0.0.1 sophos.com 127.0.0.1 www.mcafee.com 127.0.0.1 mcafee.com 127.0.0.1 liveupdate.symantecliveupdate.com 127.0.0.1 www.viruslist.com 127.0.0.1 viruslist.com 127.0.0.1 viruslist.com 127.0.0.1 f-secure.com 127.0.0.1 www.f-secure.com 127.0.0.1 kaspersky.com 127.0.0.1 www.avp.com 127.0.0.1 www.kaspersky.com 127.0.0.1 avp.com 127.0.0.1 www.networkassociates.com 127.0.0.1 networkassociates.com 127.0.0.1 www.ca.com 127.0.0.1 ca.com 127.0.0.1 mast.mcafee.com 127.0.0.1 my-etrust.com 127.0.0.1 www.my-etrust.com 127.0.0.1 download.mcafee.com 127.0.0.1 dispatch.mcafee.com 127.0.0.1 secure.nai.com 127.0.0.1 nai.com 127.0.0.1 www.nai.com 127.0.0.1 update.symantec.com 127.0.0.1 updates.symantec.com 127.0.0.1 us.mcafee.com 127.0.0.1 liveupdate.symantec.com 127.0.0.1 customer.symantec.com 127.0.0.1 rads.mcafee.com 127.0.0.1 trendmicro.com 127.0.0.1 www.trendmicro.com

W32/Agobot-JB can sniff HTTP, VULN, ICMP, FTP and IRC network traffic and steal data from them.

The following vulnerabilities can also be exploited to aid propagation on unpatched systems and manipulate registry keys:

Remote Procedure Call (RPC) vulnerability.
Distributed Component Object Model (DCOM) vulnerability.
RPC Locator vulnerability.
IIS5/WEBDAV Buffer Overflow vulnerability.

For more information about these Windows vulnerabilities, please refer to the following Microsoft Security Bulletins:

Microsoft Security Bulletin MS03-001
Microsoft Security Bulletin MS03-007
Microsoft Security Bulletin MS03-039

W32/Agobot-JB can also polymorph on installation in order to evade detection and share / delete the admin$, ipc$ etc drives.
It can also test the available bandwidth by attempting to GET or POST data to the following websites:

yahoo.co.jp www.nifty.com www.d1asia.com www.st.lib.keio.ac.jp www.lib.nthu.edu.tw www.above.net www.level3.com nitro.ucsc.edu www.burst.net www.cogentco.com www.rit.edu www.nocster.com www.verio.com www.stanford.edu www.xo.net de.yahoo.com www.belwue.de www.switch.ch www.1und1.de verio.fr www.utwente.nl www.schlund.net

W32/Agobot-JB can also be used to initiate denial-of-service (DoS) and distributed denial-of-service (DDoS) synflood / httpflood / fraggle / smurf etc attacks against remote systems.

This worm can steal the Windows Product ID and keys from several computer applications or games including:

AOL Instant Messenger
Battlefield 1942
Battlefield 1942: Secret Weapons Of WWII
Battlefield 1942: The Road To Rome
Battlefield 1942: Vietnam
Black and White
Call of Duty
Command and Conquer: Generals
Command and Conquer: Generals: Zero Hour
Command and Conquer: Red Alert2
Command and Conquer: Tiberian Sun
Counter-Strike
FIFA 2002
FIFA 2003
Freedom Force
Global Operations
Gunman Chronicles
Half-Life
Hidden and Dangerous 2
Industry Giant 2
IGI2: Covert Strike
James Bond 007: Nightfire
Medal of Honor: Allied Assault
Medal of Honor: Allied Assault: Breakthrough
Medal of Honor: Allied Assault: Spearhead
Nascar Racing 2002
Nascar Racing 2003
NHL 2002
NHL 2003
Need For Speed: Hot Pursuit 2
Need For Speed: Underground
Neverwinter Nights
Ravenshield
Shogun Total War - Warlord Edition
Soldiers Of Anarchy
Soldier of Fortune II - Double Helix
The Gladiators
Unreal Tournament 2003
Unreal Tournament 2004
Windows Messenger

W32/Agobot-JB will delete all files named 'sound*.*'.

Troj/Dloader-IU
Type Trojan
Detection Sophos has received several reports of this Trojan from the wild.
Description Troj/Dloader-IU is a downloader Trojan that copies a file from the website technalytics.net to a file in the Windows system folder named TMPFLE.EXE and executes it.
Troj/Dloader-IU then attempts to delete itself by dropping and executing a file called A.BAT.

--- MultiMail/Win32 v0.43
 * Origin: Try Our Web Based QWK: DOCSPLACE.ORG (1:123/140)
SEEN-BY: 633/267 270
@PATH: 123/140 500 106/2000 633/267
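Both Agobot variants above pin anti-virus and vendor-update hostnames to 127.0.0.1 in the HOSTS file so that signature updates silently fail. The following is an added example, written for this post and not taken from Sophos or from any of the malware described: a small Python checker that parses HOSTS-file text and reports loopback mappings for names other than localhost, separating the security-vendor domains quoted in the advisory from any other redirected name. The sample HOSTS content and the example.test hostnames are constructed; the vendor domain list is taken from the entries quoted above. Point it at the HOSTS file on a suspect machine (read the file and pass its text to find_hijacked) to get a quick indicator.

```python
"""
Detect HOSTS-file hijacking of security-vendor domains, as described for
W32/Agobot-XX and W32/Agobot-JB.  Added example; not Sophos or malware code.
"""
import ipaddress
from typing import Dict, List, Tuple

# Domains whose redirection to loopback is a strong indicator.  Taken from the
# HOSTS listing quoted in the advisory; matched by suffix, so www.sophos.com
# and liveupdate.symantec.com are caught by sophos.com and symantec.com.
WATCHED_SUFFIXES = (
    "symantec.com", "symantecliveupdate.com", "sophos.com", "mcafee.com",
    "viruslist.com", "f-secure.com", "kaspersky.com", "avp.com",
    "networkassociates.com", "ca.com", "my-etrust.com", "nai.com",
    "trendmicro.com",
)

# Names that a clean HOSTS file legitimately maps to a loopback address.
BENIGN_LOOPBACK_NAMES = {
    "localhost", "localhost.localdomain", "ip6-localhost", "ip6-loopback",
}


def parse_hosts(text: str) -> List[Tuple[int, str, List[str]]]:
    """Return (line_no, ip, [hostnames]) for each usable line.

    '#' comments (full-line or trailing) are stripped, blank lines skipped,
    and lines whose first field is not a valid IP address are ignored.
    """
    entries = []
    for n, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # malformed line, not a mapping
        entries.append((n, parts[0], [h.lower() for h in parts[1:]]))
    return entries


def _is_loopback(ip: str) -> bool:
    # Covers the whole 127.0.0.0/8 range and ::1, not just 127.0.0.1.
    return ipaddress.ip_address(ip).is_loopback


def _watched(host: str) -> bool:
    return any(host == s or host.endswith("." + s) for s in WATCHED_SUFFIXES)


def find_hijacked(text: str) -> Dict[str, List[Tuple[int, str]]]:
    """Classify every non-localhost name that is pinned to loopback.

    'vendor' -> a watched security-vendor domain (high confidence indicator)
    'other'  -> any other name pinned to loopback (review manually)
    Each value is a list of (line_no, hostname).
    """
    findings: Dict[str, List[Tuple[int, str]]] = {"vendor": [], "other": []}
    for n, ip, hosts in parse_hosts(text):
        if not _is_loopback(ip):
            continue
        for h in hosts:
            if h in BENIGN_LOOPBACK_NAMES:
                continue
            findings["vendor" if _watched(h) else "other"].append((n, h))
    return findings


# Constructed sample: stock localhost lines plus entries of the kind the
# advisory quotes, one unrelated loopback entry, and one malformed line.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
127.0.0.1 www.symantec.com
127.0.0.1 liveupdate.symantec.com   # pinned by malware
127.0.0.1 www.sophos.com
127.0.0.1 intranet.example.test
192.0.2.10 fileserver.example.test
not-an-ip broken line
"""

if __name__ == "__main__":
    for kind, hits in find_hijacked(SAMPLE_HOSTS).items():
        for n, h in hits:
            print(f"{kind:6s} line {n}: {h} -> loopback")
```

The suffix match deliberately errs toward reporting: a legitimate internal name that happens to end in one of the vendor suffixes would be flagged too, which is the safer failure mode for a triage tool. Anything in the 'other' bucket is not by itself malicious (administrators do pin names to loopback), so it is reported separately rather than dropped.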
SOURCE: echomail via fidonet.ozzmosis.com