WORM_AGOBOT.A3

Malware type: Worm

In the wild: Yes

Destructive: No

Language: English

Platform: Windows 2000, NT, XP

Encrypted: No

Overall risk rating:

Reported infections:

Damage potential:

High

Distribution potential:

High

Description: 

This memory-resident malware has both worm and backdoor capabilities.

Like earlier AGOBOT variants, this worm also exploits the following Windows vulnerabilities to propagate across the network:

  • Remote Procedure Call (RPC) Distributed Component Object Model (DCOM) vulnerability on Windows 2000 and XP
  • RPC locator vulnerability on Windows NT, 2000, and XP
  • Buffer Overrun vulnerability in IIS 5.0/WebDav

Additional information regarding these vulnerabilities is available at the following Microsoft pages:

Microsoft Security Bulletin MS03-026
Microsoft Security Bulletin MS03-001
Microsoft Security Bulletin MS03-007

This malware propagates via network shares. It also connects to an Internet Relay Chat (IRC) channel and waits for commands from a malicious user to be issued on the target machine.

It also has the capability to steal the Windows Product ID and CD Keys of popular computer games, and terminate a long list of known security software products.

It runs on Windows 2000 and XP.

For additional information about this threat, see:

Description created: Nov. 25, 2003 11:29:02 PM GMT -0800


TECHNICAL DETAILS


Size of malware: 62,416 Bytes

Initial samples received on: Nov 25, 2003

Details:

Installation

Upon execution, this memory-resident worm drops a copy of itself as WINCFFG.EXE in the Windows system folder.

Then, it adds the following registry entries to enable its automatic execution at every system startup:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
"Configuration Loader"="wincffg.exe"

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
"Configuration Loader"="wincffg.exe"

It also registers itself as a service on Windows 2000, NT, and XP systems by creating the following registry key:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\a3

Network Propagation

To propagate, this worm exploits the system vulnerabilities listed above (MS03-026, MS03-001, and MS03-007) to find and infect target systems.

This worm also attempts to gain access to the following shared folders on the network:

  • admin$
  • c$
  • d$
  • e$
  • print$

If access to these folders is restricted, this worm attempts to log in using the following user names and passwords:

    Usernames:

    • admin
    • administrador
    • Administrador
    • Administrat
    • Administrateur
    • administrator
    • Administrator
    • admins
    • computer
    • Convidado
    • Coordinatore
    • database
    • Default
    • Guest
    • Inviter
    • kanri
    • kanri-sha
    • mysql
    • Ospite
    • owner
    • Owner
    • OWNER
    • server
    • Standard
    • student
    • teacher
    • Verwalter
    • Wwwadmin

    Passwords:

    • 000000
    • 00000000
    • 111111
    • 11111111
    • 121212
    • 123123
    • 12345
    • 123456
    • 1234567
    • 12345678
    • 123456789
    • 1234qwer
    • 123abc
    • 123asd
    • 123qwe
    • 54321
    • 654321
    • 88888888
    • abc123
    • Admin
    • admin123
    • alpha
    • asdfghjkl
    • changeme
    • enable
    • foobar
    • godblessyou
    • homework
    • ihavenopass
    • Internet
    • Login
    • metal
    • mybaby
    • mybox
    • mypass
    • oracle
    • passwd
    • password
    • Password
    • password123
    • patrick
    • penis
    • poiuytrewq
    • private
    • pussy
    • qwerty
    • qwertyuiop
    • red123
    • school
    • secret
    • secrets
    • super
    • superman
    • supersecret
    • sybase
    • test123
    • vagina
    • werty
    • xxyyzz
    • zxcvbnm

After successfully accessing the target system (either through the vulnerabilities or the shared folders), this worm copies itself to the compromised machine and executes the copy.

Backdoor Capabilities

This worm connects to a predefined Internet Relay Chat (IRC) channel and listens for commands from a remote malicious user, who can thereby control the compromised system. The malware is capable of performing various actions; some of the more notable ones are:

    • Steal system information (CPU, RAM, OS, etc)
    • Manipulate files
    • Manipulate autostart entries
    • Manipulate services
    • Manipulate processes
    • Upload/download files
    • Reboot/Shutdown computer

    The malware is also capable of stealing CD keys from the following applications:

    • Battlefield 1942
    • Battlefield 1942: Secret Weapons of WWII
    • Battlefield 1942: The Road to Rome
    • Chrome
    • Command & Conquer Generals
    • Counter-Strike
    • FIFA 2002
    • FIFA 2003
    • Half-Life
    • Hidden and Dangerous 2
    • Legends of Might and Magic
    • Nascar Racing 2002
    • Nascar Racing 2003
    • Need For Speed: Hot Pursuit 2
    • Neverwinter Nights
    • NHL 2002
    • NHL 2003
    • NOX
    • Project IGI 2
    • Red Alert
    • Red Alert 2
    • Soldier of Fortune 2
    • The Gladiators
    • Tiberian Sun
    • Unreal Tournament 2003
    • Windows

The malware can also terminate the following processes, which are file names of other malware:

    • dllhost.exe
    • msblast.exe
    • mspatch.exe
    • penis32.exe
    • tftpd.exe
    • winhlpp32.exe
    • winppr32.exe

Antivirus Retaliation

This worm terminates the following programs, which are mostly associated with antivirus products, firewall programs and system tools:

    • _avp32.exe
    • _avpcc.exe
    • _avpm.exe
    • ackwin32.exe
    • advxdwin.exe
    • agentsvr.exe
    • agentw.exe
    • alertsvc.exe
    • alogserv.exe
    • amon9x.exe
    • anti-trojan.exe
    • antivirus.exe
    • ants.exe
    • apimonitor.exe
    • aplica32.exe
    • apvxdwin.exe
    • atcon.exe
    • atguard.exe
    • atro55en.exe
    • atupdater.exe
    • atwatch.exe
    • aupdate.exe
    • autodown.exe
    • autotrace.exe
    • autoupdate.exe
    • avconsol.exe
    • ave32.exe
    • avgcc32.exe
    • avgctrl.exe
    • avgnt.exe
    • avgserv.exe
    • avgserv9.exe
    • avguard.exe
    • avgw.exe
    • avkpop.exe
    • avkserv.exe
    • avkservice.exe
    • avkwctl9.exe
    • avnt.exe
    • avp.exe
    • avp32.exe
    • avpcc.exe
    • avpdos32.exe
    • avpm.exe
    • avptc32.exe
    • avpupd.exe
    • avsched32.exe
    • avsynmgr.avsynmgr.exe
    • avwin95.exe
    • avwinnt.exe
    • avwupd32.exe
    • avwupsrv.exe
    • avxmonitor9x.exe
    • avxmonitornt.exe
    • avxquar.exe
    • bd_professional.exe
    • bidef.exe
    • bidserver.exe
    • bipcp.exe
    • bipcpevalsetup.exe
    • bisp.exe
    • blackd.exe
    • blackice.exe
    • bootwarn.exe
    • borg2.exe
    • bs120.exe
    • ccapp.exe
    • ccevtmgr.exe
    • ccpxysvc.exe
    • cdp.exe
    • cfgwiz.exe
    • cfiadmin.exe
    • cfiaudit.exe
    • cfinet.exe
    • cfinet32.exe
    • claw95.exe
    • claw95cf.exe
    • clean.exe
    • cleaner.exe
    • cleaner3.exe
    • cleanpc.exe
    • cmgrdian.exe
    • cmon016.exe
    • connectionmonitor.exe
    • cpd.exe
    • cpf9x206.exe
    • cpfnt206.exe
    • ctrl.exe
    • cv.exe
    • cwnb181.exe
    • cwntdwmo.exe
    • defalert.exe
    • defscangui.exe
    • defwatch.exe
    • deputy.exe
    • doors.exe
    • dpf.exe
    • dpfsetup.exe
    • drwatson.exe
    • drweb32.exe
    • dvp95.exe
    • dvp95_0.exe
    • ecengine.exe
    • efpeadm.exe
    • ent.exe
    • esafe.exe
    • escanh95.exe
    • escanhnt.exe
    • escanv95.exe
    • espwatch.exe
    • etrustcipe.exe
    • evpn.exe
    • exantivirus-cnet.exe
    • exe.avxw.exe
    • expert.exe
    • f-agnt95.exe
    • fameh32.exe
    • fast.exe
    • fch32.exe
    • fih32.exe
    • findviru.exe
    • firewall.exe
    • flowprotector.exe
    • fnrb32.exe
    • fprot.exe
    • f-prot.exe
    • f-prot95.exe
    • fp-win.exe
    • fp-win_trial.exe
    • frw.exe
    • fsaa.exe
    • fsav.exe
    • fsav32.exe
    • fsav530stbyb.exe
    • fsav530wtbyb.exe
    • fsav95.exe
    • fsgk32.exe
    • fsm32.exe
    • fsma32.exe
    • fsmb32.exe
    • f-stopw.exe
    • gbmenu.exe
    • gbpoll.exe
    • generics.exe
    • guard.exe
    • guarddog.exe
    • hacktracersetup.exe
    • htlog.exe
    • hwpe.exe
    • iamapp.exe
    • iamserv.exe
    • iamstats.exe
    • ibmasn.exe
    • ibmavsp.exe
    • icload95.exe
    • icloadnt.exe
    • icmon.exe
    • icsupp95.exe
    • icsuppnt.exe
    • iface.exe
    • ifw2000.exe
    • iomon98.exe
    • iparmor.exe
    • iris.exe
    • isrv95.exe
    • jammer.exe
    • jedi.exe
    • kavlite40eng.exe
    • kavpers40eng.exe
    • kavpf.exe
    • kerio-pf-213-en-win.exe
    • kerio-wrl-421-en-win.exe
    • kerio-wrp-421-en-win.exe
    • killprocesssetup161.exe
    • ldnetmon.exe
    • ldpro.exe
    • ldpromenu.exe
    • ldscan.exe
    • localnet.exe
    • lockdown.exe
    • lockdown2000.exe
    • lookout.exe
    • lsetup.exe
    • luall.exe
    • luau.exe
    • lucomserver.exe
    • luinit.exe
    • luspt.exe
    • mcagent.exe
    • mcmnhdlr.exe
    • mcshield.exe
    • mctool.exe
    • mcupdate.exe
    • mcvsrte.exe
    • mcvsshld.exe
    • mfw2en.exe
    • mfweng3.02d30.exe
    • mgavrtcl.exe
    • mgavrte.exe
    • mghtml.exe
    • mgui.exe
    • minilog.exe
    • monitor.exe
    • moolive.exe
    • mpfagent.exe
    • mpfservice.exe
    • mpftray.exe
    • mrflux.exe
    • msconfig.exe
    • msinfo32.exe
    • mssmmc32.exe
    • mu0311ad.exe
    • mwatch.exe
    • n32scanw.exe
    • nav auto-protect.nav80try.exe
    • navap.navapsvc.exe
    • navapsvc.exe
    • navapw32.exe
    • navdx.exe
    • navengnavex15.navlu32.exe
    • navlu32.exe
    • navnt.exe
    • navstub.exe
    • navw32.exe
    • navwnt.exe
    • nc2000.exe
    • ncinst4.exe
    • ndd32.exe
    • neomonitor.exe
    • neowatchlog.exe
    • netarmor.exe
    • netinfo.exe
    • netmon.exe
    • netscanpro.exe
    • netspyhunter-1.2.exe
    • netstat.exe
    • netutils.exe
    • nisserv.exe
    • nisum.exe
    • nmain.exe
    • nod32.exe
    • normist.exe
    • norton_internet_secu_3.0_407.exe
    • notstart.exe
    • npf40_tw_98_nt_me_2k.exe
    • npfmessenger.exe
    • nprotect.exe
    • npscheck.exe
    • npssvc.exe
    • nsched32.exe
    • ntrtscan.exe
    • ntvdm.exe
    • ntxconfig.exe
    • nui.exe
    • nupgrade.exe
    • nvarch16.exe
    • nvc95.exe
    • nvsvc32.exe
    • nwinst4.exe
    • nwservice.exe
    • nwtool16.exe
    • ostronet.exe
    • outpost.exe
    • outpostinstall.exe
    • outpostproinstall.exe
    • padmin.exe
    • panixk.exe
    • pavcl.exe
    • pavproxy.exe
    • pavsched.exe
    • pavw.exe
    • pcc2002s902.exe
    • pcc2k_76_1436.exe
    • pcciomon.exe
    • pccntmon.exe
    • pccwin97.exe
    • pccwin98.exe
    • pcdsetup.exe
    • pcfwallicon.exe
    • pcip10117_0.exe
    • pcscan.exe
    • pdsetup.exe
    • periscope.exe
    • persfw.exe
    • perswf.exe
    • pf2.exe
    • pfwadmin.exe
    • pingscan.exe
    • platin.exe
    • pop3trap.exe
    • poproxy.exe
    • popscan.exe
    • portdetective.exe
    • portmonitor.exe
    • ppinupdt.exe
    • pptbc.exe
    • ppvstop.exe
    • processmonitor.exe
    • procexplorerv1.0.exe
    • programauditor.exe
    • proport.exe
    • protectx.exe
    • pspf.exe
    • purge.exe
    • pview95.exe
    • qconsole.exe
    • qserver.exe
    • rapapp.exe
    • rav7.exe
    • rav7win.exe
    • rav8win32eng.exe
    • realmon.exe
    • regedit.exe
    • regedt32.exe
    • rescue.exe
    • rescue32.exe
    • rrguard.exe
    • rshell.exe
    • rtvscan.exe
    • rtvscn95.exe
    • rulaunch.exe
    • safeweb.exe
    • sbserv.exe
    • scan32.exe
    • scan95.exe
    • scanpm.exe
    • scrscan.exe
    • sd.exe
    • serv95.exe
    • setup_flowprotector_us.exe
    • setupvameeval.exe
    • sfc.exe
    • sgssfw32.exe
    • sh.exe
    • shellspyinstall.exe
    • shn.exe
    • smc.exe
    • sofi.exe
    • spf.exe
    • sphinx.exe
    • spyxx.exe
    • ss3edit.exe
    • st2.exe
    • supftrl.exe
    • supporter5.exe
    • sweep95.exe
    • sweepnet.sweepsrv.sys.swnetsup.exe
    • symproxysvc.exe
    • symtray.exe
    • sysedit.exe
    • taskmon.exe
    • taumon.exe
    • tbscan.exe
    • tc.exe
    • tca.exe
    • tcm.exe
    • tds2-98.exe
    • tds2-nt.exe
    • tds-3.exe
    • tfak.exe
    • tfak5.exe
    • tgbob.exe
    • titanin.exe
    • titaninxp.exe
    • tracert.exe
    • trjscan.exe
    • trjsetup.exe
    • trojantrap3.exe
    • undoboot.exe
    • update.exe
    • vbcmserv.exe
    • vbcons.exe
    • vbust.exe
    • vbwin9x.exe
    • vbwinntw.exe
    • vcsetup.exe
    • vet32.exe
    • vet95.exe
    • vettray.exe
    • vfsetup.exe
    • vir-help.exe
    • virusmdpersonalfirewall.exe
    • vnlan300.exe
    • vnpc3000.exe
    • vpc32.exe
    • vpc42.exe
    • vpfw30s.exe
    • vptray.exe
    • vscan40.exe
    • vscenu6.02d30.exe
    • vsched.exe
    • vsecomr.exe
    • vshwin32.exe
    • vsisetup.exe
    • vsmain.exe
    • vsmon.exe
    • vsstat.exe
    • vswin9xe.exe
    • vswinntse.exe
    • vswinperse.exe
    • w32dsm89.exe
    • w9x.exe
    • watchdog.exe
    • webscanx.exe
    • webtrap.exe
    • wfindv32.exe
    • wgfe95.exe
    • whoswatchingme.exe
    • wimmun32.exe
    • winrecon.exe
    • wnt.exe
    • wradmin.exe
    • wrctrl.exe
    • wsbgate.exe
    • wyvernworksfirewall.exe
    • xpf202en.exe
    • zapro.exe
    • zapsetup3001.exe
    • zatutor.exe
    • zauinst.exe
    • zonalm2601.exe
    • zonealarm.exe
Analysis by: Dennis John Biel


SOLUTION


Minimum scan engine version needed: 6.150

Pattern file needed: 1.691.38

Pattern release date: Nov 25, 2003


Important note: The "Minimum scan engine" refers to the earliest Trend Micro scan engine version guaranteed to detect this threat. However, Trend Micro strongly recommends that you update to the latest version in order to get comprehensive protection. Download the latest scan engine here.

Solution:

Disabling the Malware Service

For Windows NT, 2000, and XP systems, you have to disable the service before editing the registry.

  1. Go to Windows Control Panel
  2. Double click on "Administrative Tools"
  3. Double click on "Services"
  4. Look for the service "Configuration Loader"
  5. Right click the service then select "Properties"
  6. Change the startup type to "Disabled"
  7. Click OK, then reboot your computer.

Removing Autostart Entries from the Registry

Removing autostart entries from the registry prevents the malware from executing during startup.

  1. In the left panel, double-click the following:
    HKEY_LOCAL_MACHINE>Software>Microsoft>Windows>
    CurrentVersion>Run
  2. In the right panel, locate and delete the entry or entries:
    "Configuration Loader"="wincffg.exe"
  3. In the left panel, double-click the following:
    HKEY_LOCAL_MACHINE>Software>Microsoft>Windows>
    CurrentVersion>RunServices
  4. In the right panel, locate and delete the entry or entries:
    "Configuration Loader"="wincffg.exe"
  5. If your system is Windows NT, 2000, or XP, this malware also registers itself as a service. To ensure that it will not run as a service on the next startup, locate and delete the following registry key:
    HKEY_LOCAL_MACHINE>System>CurrentControlSet>Services>a3
  6. Close Registry Editor
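The manual steps above can be checked in one pass with the following read-only audit script. It is an added example, not part of the Trend Micro write-up: it looks for the dropped file, the two "Configuration Loader" autostart values, the a3 service key and any matching service, and reports what it finds without deleting anything. It assumes the Windows system folder is %SystemRoot%\System32 and that the service key carries the usual ImagePath value; the list it prints is the set of artifacts named in this description.

```powershell
# Added audit script (not from the original page): report WORM_AGOBOT.A3
# persistence artifacts on the local host. Read-only; run elevated.
function New-Finding($Artifact, $Location, $Value) {
    # New-Object keeps this usable on older PowerShell versions
    New-Object PSObject -Property @{ Artifact = $Artifact; Location = $Location; Value = $Value }
}

$findings = @()

# 1. Dropped copy in the Windows system folder (assumed to be System32)
$dropped = Join-Path $env:SystemRoot 'System32\wincffg.exe'
if (Test-Path -LiteralPath $dropped) {
    $size = (Get-Item -LiteralPath $dropped).Length   # description lists 62,416 bytes
    $findings += New-Finding 'File' $dropped "$size bytes"
}

# 2. "Configuration Loader" autostart values under Run and RunServices
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunServices'
)
foreach ($key in $runKeys) {
    if (Test-Path -LiteralPath $key) {
        $value = (Get-ItemProperty -LiteralPath $key).PSObject.Properties['Configuration Loader']
        if ($value) {
            $findings += New-Finding 'Registry value' "$key\Configuration Loader" $value.Value
        }
    }
}

# 3. Service key "a3" under CurrentControlSet\Services (ImagePath is an assumption;
#    it is reported as empty if the key lacks it)
$svcKey = 'HKLM:\System\CurrentControlSet\Services\a3'
if (Test-Path -LiteralPath $svcKey) {
    $image = (Get-ItemProperty -LiteralPath $svcKey).ImagePath
    $findings += New-Finding 'Service key' $svcKey $image
}

# 4. Installed service registered under the name or display name used by the worm
$services = Get-Service | Where-Object { $_.Name -eq 'a3' -or $_.DisplayName -eq 'Configuration Loader' }
foreach ($s in $services) {
    $findings += New-Finding 'Service' $s.Name $s.Status
}

if ($findings.Count -eq 0) {
    Write-Output 'No WORM_AGOBOT.A3 artifacts found.'
} else {
    $findings | Select-Object Artifact, Location, Value | Format-Table -AutoSize
}
```

Any hit confirms the host still needs the disable, registry clean-up and full scan described in this solution section.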


Running Trend Micro Antivirus

Scan your system with Trend Micro antivirus and delete all files detected as WORM_AGOBOT.A3. To do this, Trend Micro customers must download the latest pattern file and scan their system. Other Internet users can use HouseCall, Trend Micro's free online virus scanner.

Applying Patches

Download the latest patch. Information and download links on the vulnerabilities exploited by the malware can be found at the following links:
Microsoft Security Bulletin MS03-026
Microsoft Security Bulletin MS03-001
Microsoft Security Bulletin MS03-007

