WORM_AGOBOT.AIF

Malware type: Worm

Aliases: Backdoor.Win32.Agobot.gen (Kaspersky), W32/Gaobot.worm.gen.j (McAfee), W32.HLLW.Gaobot.gen (Symantec), Worm/AgoBot.104960 (Avira), W32/Agobot-AMI (Sophos),

In the wild: Yes

Destructive: No

Language: English

Platform: Windows NT, 2000, XP

Encrypted: No

Overall risk rating:

Reported infections:

Damage potential:

High

Distribution potential:

High

Description: 

This memory-resident worm propagates by taking advantage of the following Windows vulnerabilities:

  • RPC Locator vulnerability
  • IIS5/WebDAV Buffer Overrun vulnerability
  • Remote Procedure Call (RPC) Distributed Component Object Model (DCOM) vulnerability
  • LSASS vulnerability

More information about these vulnerabilities can be found on the following Microsoft pages:

This worm has backdoor capabilities, and may execute commands coming from a remote malicious user. It also steals the Windows Product ID, as well as the CD keys of certain applications.

This worm is also capable of terminating several processes, as well as preventing affected users from accessing certain antivirus Web sites by adding entries in the system's HOSTS file.

For additional information about this threat, see:

Description created: Mar. 22, 2005 6:03:13 PM GMT -0800


TECHNICAL DETAILS


File type: PE

Memory resident:  Yes

Size of malware: 104,960 Bytes (compressed)

Ports used: Random

Initial samples received on: Mar 22, 2005

Compression type: Morphine

Vulnerability used:  (MS04-011) Security Update for Microsoft Windows (835732), (MS03-001) Unchecked Buffer in Locator Service Could Lead to Code Execution (810833), (MS03-007) Unchecked Buffer In Windows Component Could Cause Server Compromise (815021), (MS03-026) Buffer Overrun In RPC Interface Could Allow Code Execution

Family:  WORM_AGOBOT

Variant ofWORM_AGOBOT.GEN

Payload 1: Steals CD keys

Payload 2: Performs backdoor routines

Payload 3: Terminates processes

Payload 4: Modifies HOSTS file

Details:

Installation and Autostart Techniques

This memory-resident worm arrives via network shares. Upon execution, it drops a copy of itself in the Windows system folder as the file VSRV32.EXE.

It creates the following registry entries to enable its automatic execution at every system startup:

HKEY_LOCAL_MACHINE\Software\Microsoft\
Windows\CurrentVersion\Run
vsrv32 = "vsrv32.exe"

HKEY_LOCAL_MACHINE\Software\Microsoft\
Windows\CurrentVersion\RunServices
vsrv32 = "vsrv32.exe"

It then deletes its originally executed file.

Network Propagation and Exploits

This worm propagates by taking advantage of the following Windows vulnerabilities:

  • RPC Locator vulnerability
  • IIS5/WebDAV Buffer Overrun vulnerability
  • Remote Procedure Call (RPC) Distributed Component Object Model (DCOM) vulnerability
  • LSASS vulnerability

More information about these vulnerabilities can be found on the following Microsoft pages:

When it finds a vulnerable target machine, this worm copies and executes itself on the system.

It then attempts to spread to the following network folders:

  • ADMIN$
  • PRINT$

Denial of Service

This worm performs denial of service (DoS) attacks against target sites. However, it excludes the following sites from these attacks:

  • de.yahoo.com
  • nitro.ucsc.edu
  • verio.fr
  • www.1und1.de
  • www.above.net
  • www.belwue.de
  • www.burst.net
  • www.cogentco.com
  • www.d1asia.com
  • www.level3.com
  • www.lib.nthu.edu.tw
  • www.nifty.com
  • www.nocster.com
  • www.rit.edu
  • www.schlund.net
  • www.st.lib.keio.ac.jp
  • www.stanford.edu
  • www.switch.ch
  • www.utwente.nl
  • www.verio.com
  • www.xo.net
  • yahoo.co.jp

Backdoor Capabilities

This worm has backdoor capabilities, such as stealing CD Keys and sending them to the malicious user, engaging in port scanning activities in order to connect with the malware author, and using the Secure Socket Layer (SSL) so that it can encrypt the packets that it sends to avoid detection.

It is capable of performing the following routines on the affected system:

  • Take a screenshot of active desktop
  • Change the server the bot connects to
  • Reconnect to the server
  • Send a raw message to the IRC server
  • Quit the bot
  • Send a private message
  • Make the bot part a channel
  • Print network information (NETINFO)
  • Let the bot perform a mode change
  • Make the bot join a channel
  • Print NETINFO when host matches
  • Print NETINFO when the bot is .edu
  • Send a file over DCC
  • Let the bot perform an action
  • Disconnect the bot from IRC
  • Run a command with system()
  • Enable/Disable DCOM
  • Enable/Delete shares
  • Flush the bot's DNS cache
  • Make the bot respond if speed is greater than 5000
  • Make the bot respond if uptime is greater than 7 days
  • Display the system information
  • Give status
  • Make the bot generate a new random nick
  • Remove the bot if ID does not match
  • Remove the bot
  • Open a file
  • Change the nickname of the bot
  • Display the ID of the current code
  • Make the bot execute an .EXE file
  • Resolve IP/hostname by DNS
  • Terminate the bot
  • Display the information the malware author wants the user to see
  • Enable/Disable shell handler
  • FallBack handler for shell
  • List all available commands
  • Make the bot use SSL for hiding of commands
  • Load/Unload a plugin
  • Load/Save config to a file
  • Get/Set the content of a CVAR
  • Get the contents of a CVAR
  • Print a list of all CVARs
  • Add/Delete a service from SCM
  • Add/Delete an autostart entry
  • Issue an exec command if speed (via speedtest) is bigger than specified
  • Issue an exec command if uptime is bigger than specified
  • Log the user on/off
  • Execute a file from an FTP URL
  • Update the bot from an FTP URL
  • Download a file from FTP
  • Read command(s) from a specified URL
  • Visit a URL
  • Execute a file from an HTTP URL
  • Update the bot from an HTTP URL
  • Download a file from HTTP
  • Find a file
  • List contents of a folder
  • Create/Delete a folder
  • Move/Delete a file
  • Log the user off
  • Shut the sytem down
  • Reboot the sytem
  • Kill a Process ID (PID)
  • Delete/Stop a service
  • List all services
  • Kill a process
  • List all processes
  • Perform speed test on the bot
  • Display statistics of the scanner
  • Signal start/stop to child threads
  • Disable all scanners and stop scanning
  • Enable all scanners and start scanning
  • Enable/Disable a scanner module
  • Reset NETRANGES to the local host
  • List/Clear all NETRANGES registered with the scanner
  • Add/Delete a NETRANGE from the scanner
  • Start flood attacks
  • Stop all floods
  • Stop all redirects running
  • Start a SOCKS5 proxy
  • Start a SOCKS4 proxy
  • Start an HTTPS proxy
  • Start an HTTP proxy
  • Start a GRE redirect
  • Starts a TCP port redirect
  • Make the bot get AOL screen name
  • Make the bot get a list of CD keys
  • Make the bot get Windows registry information
  • Make the bot get registry information from exact registry path

Information Theft

This worm steals the Windows Product ID, as well as the CD keys of the following applications:

  • Battlefield 1942
  • Battlefield 1942: Secret Weapons Of WWII
  • Battlefield 1942: The Road To Rome
  • Battlefield Vietnam
  • Black and White
  • Chrome
  • Command and Conquer: Generals
  • Command and Conquer: Generals: Zero Hour
  • Command and Conquer: Red Alert2
  • Command and Conquer: Tiberian Sun
  • Counter-Strike
  • FIFA 2002
  • FIFA 2003
  • Freedom Force
  • Global Operations
  • Gunman Chronicles
  • Half-Life
  • Hidden and Dangerous 2
  • IGI2: Covert Strike
  • Industry Giant 2
  • James Bond 007: Nightfire
  • Legends of Might and Magic
  • Medal of Honor: Allied Assault
  • Medal of Honor: Allied Assault: Breakthrough
  • Medal of Honor: Allied Assault: Spearhead
  • Nascar Racing 2002
  • Nascar Racing 2003
  • Need For Speed: Hot Pursuit 2
  • Need For Speed: Underground
  • Neverwinter Nights
  • NHL 2002
  • NHL 2003
  • NOX
  • Rainbow Six III Ravenshield
  • Shogun: Total War: Warlord Edition
  • Soldier Of Fortune 2
  • Soldiers Of Anarchy
  • The Gladiators
  • Unreal Tournament 2003
  • Unreal Tournament 2004

It also uses Carnivore network sniffer to retrieve passwords and other sensitive information by checking for the following strings:

  • :!hashin
  • :!ident
  • :!Login
  • :!login
  • :!secure
  • :.hashin
  • :.ident
  • :.Login
  • :.login
  • :.secure
  • 302
  • 366
  • Bot sniff
  • FTP sniff
  • IRC sniff
  • JOIN #
  • NICK
  • oper
  • OPER
  • PASS
  • PAYPAL
  • paypal
  • paypal.com
  • PAYPAL.COM
  • Set-Cookie:
  • USER
  • You are now an IRC Operator

Antivirus Retaliation

This worm terminates the following processes, which are usually related to antivirus and security applications:

  • _AVP32.EXE
  • _AVPCC.EXE
  • _AVPM.EXE
  • ACKWIN32.EXE
  • ADAWARE.EXE
  • ADVXDWIN.EXE
  • AGENTSVR.EXE
  • AGENTW.EXE
  • ALERTSVC.EXE
  • ALEVIR.EXE
  • ALOGSERV.EXE
  • AMON9X.EXE
  • ANTI-TROJAN.EXE
  • ANTIVIRUS.EXE
  • ANTS.EXE
  • APIMONITOR.EXE
  • APLICA32.EXE
  • APVXDWIN.EXE
  • ARR.EXE
  • ATCON.EXE
  • ATGUARD.EXE
  • ATRO55EN.EXE
  • ATUPDATER.EXE
  • ATWATCH.EXE
  • AU.EXE
  • AUPDATE.EXE
  • AUTO-PROTECT.NAV80TRY.EXE
  • AUTODOWN.EXE
  • AUTOTRACE.EXE
  • AUTOUPDATE.EXE
  • AVCONSOL.EXE
  • AVE32.EXE
  • AVGCC32.EXE
  • AVGCTRL.EXE
  • AVGNT.EXE
  • AVGSERV.EXE
  • AVGSERV9.EXE
  • AVGUARD.EXE
  • AVGW.EXE
  • AVKPOP.EXE
  • AVKSERV.EXE
  • AVKSERVICE.EXE
  • AVKWCTl9.EXE
  • AVLTMAIN.EXE
  • AVNT.EXE
  • AVP.EXE
  • AVP32.EXE
  • AVPCC.EXE
  • AVPDOS32.EXE
  • AVPM.EXE
  • AVPTC32.EXE
  • AVPUPD.EXE
  • AVSCHED32.EXE
  • AVSYNMGR.EXE
  • AVWIN95.EXE
  • AVWINNT.EXE
  • AVWUPD.EXE
  • AVWUPD32.EXE
  • AVWUPSRV.EXE
  • AVXMONITOR9X.EXE
  • AVXMONITORNT.EXE
  • AVXQUAR.EXE
  • BACKWEB.EXE
  • BARGAINS.EXE
  • BD_PROFESSIONAL.EXE
  • BEAGLE.EXE
  • BELT.EXE
  • BIDEF.EXE
  • BIDSERVER.EXE
  • BIPCP.EXE
  • BIPCPEVALSETUP.EXE
  • BISP.EXE
  • BLACKD.EXE
  • BLACKICE.EXE
  • BLSS.EXE
  • BOOTCONF.EXE
  • BOOTWARN.EXE
  • BORG2.EXE
  • BPC.EXE
  • BRASIL.EXE
  • BS120.EXE
  • BUNDLE.EXE
  • BVT.EXE
  • CCAPP.EXE
  • CCEVTMGR.EXE
  • CCPXYSVC.EXE
  • CDP.EXE
  • CFD.EXE
  • CFGWIZ.EXE
  • CFIADMIN.EXE
  • CFIAUDIT.EXE
  • CFINET.EXE
  • CFINET32.EXE
  • Claw95.EXE
  • CLAW95CF.EXE
  • CLEAN.EXE
  • CLEANER.EXE
  • CLEANER3.EXE
  • CLEANPC.EXE
  • CLICK.EXE
  • CMD32.EXE
  • CMESYS.EXE
  • CMGRDIAN.EXE
  • CMON016.EXE
  • CONNECTIONMONITOR.EXE
  • CPD.EXE
  • CPF9X206.EXE
  • CPFNT206.EXE
  • CTRL.EXE
  • CV.EXE
  • CWNB181.EXE
  • CWNTDWMO.EXE
  • DATEMANAGER.EXE
  • DCOMX.EXE
  • DEFALERT.EXE
  • DEFSCANGUI.EXE
  • DEFWATCH.EXE
  • DEPUTY.EXE
  • DIVX.EXE
  • DLLCACHE.EXE
  • DLLREG.EXE
  • DOORS.EXE
  • DPF.EXE
  • DPFSETUP.EXE
  • DPPS2.EXE
  • DRWATSON.EXE
  • DRWEB32.EXE
  • DRWEBUPW.EXE
  • DSSAGENT.EXE
  • DVP95.EXE
  • DVP95_0.EXE
  • ECENGINE.EXE
  • EFPEADM.EXE
  • EMSW.EXE
  • ENT.EXE
  • ESAFE.EXE
  • ESCANH95.EXE
  • ESCANHNT.EXE
  • ESCANV95.EXE
  • ESPWATCH.EXE
  • ETHEREAL.EXE
  • ETRUSTCIPE.EXE
  • EVPN.EXE
  • EXANTIVIRUS-CNET.EXE
  • EXE.AVXW.EXE
  • EXPERT.EXE
  • EXPLORE.EXE
  • F-AGNT95.EXE
  • F-AGOBOT.EXE
  • F-PROT.EXE
  • F-PROT95.EXE
  • F-STOPW.EXE
  • FAMEH32.EXE
  • FAST.EXE
  • FCH32.EXE
  • FIH32.EXE
  • FINDVIRU.EXE
  • FIREWALL.EXE
  • FLOWPROTECTOR.EXE
  • FNRB32.EXE
  • FP-WIN.EXE
  • FP-WIN_TRIAL.EXE
  • FPROT.EXE
  • FRW.EXE
  • FSAA.EXE
  • FSAV.EXE
  • FSAV32.EXE
  • FSAV530STBYB.EXE
  • FSAV530WTBYB.EXE
  • FSAV95.EXE
  • FSGK32.EXE
  • FSM32.EXE
  • FSMA32.EXE
  • FSMB32.EXE
  • GATOR.EXE
  • GBMENU.EXE
  • GBPOLL.EXE
  • GENERICS.EXE
  • GMT.EXE
  • GUARD.EXE
  • GUARDDOG.EXE
  • HACKTRACERSETUP.EXE
  • HBINST.EXE
  • HBSRV.EXE
  • HIJACKTHIS.EXE
  • HOTACTIO.EXE
  • HOTPATCH.EXE
  • HTLOG.EXE
  • HTPATCH.EXE
  • HWPE.EXE
  • HXDL.EXE
  • HXIUL.EXE
  • IAMAPP.EXE
  • IAMSERV.EXE
  • IAMSTATS.EXE
  • IBMASN.EXE
  • IBMAVSP.EXE
  • ICLOAD95.EXE
  • ICLOADNT.EXE
  • ICMON.EXE
  • ICSUPP95.EXE
  • ICSUPPNT.EXE
  • IDLE.EXE
  • IEDLL.EXE
  • IEDRIVER.EXE
  • IEXPLORER.EXE
  • IFACE.EXE
  • IFW2000.EXE
  • INETLNFO.EXE
  • INFUS.EXE
  • INFWIN.EXE
  • INIT.EXE
  • INTDEL.EXE
  • INTREN.EXE
  • IOMON98.EXE
  • IPARMOR.EXE
  • IRIS.EXE
  • ISASS.EXE
  • ISRV95.EXE
  • ISTSVC.EXE
  • JAMMER.EXE
  • JDBGMRG.EXE
  • JEDI.EXE
  • KAVLITE40ENG.EXE
  • KAVPERS40ENG.EXE
  • KAVPF.EXE
  • KAZZA.EXE
  • KEENVALUE.EXE
  • KERIO-PF-213-EN-WIN.EXE
  • KERIO-WRL-421-EN-WIN.EXE
  • KERIO-WRP-421-EN-WIN.EXE
  • KERNEL32.EXE
  • KILLPROCESSSETUP161.EXE
  • LAUNCHER.EXE
  • LDNETMON.EXE
  • LDPRO.EXE
  • LDPROMENU.EXE
  • LDSCAN.EXE
  • LNETINFO.EXE
  • LOADER.EXE
  • LOCALNET.EXE
  • LOCKDOWN.EXE
  • LOCKDOWN2000.EXE
  • LOOKOUT.EXE
  • LORDPE.EXE
  • LSETUP.EXE
  • LUALL.EXE
  • LUAU.EXE
  • LUCOMSERVER.EXE
  • LUINIT.EXE
  • LUSPT.EXE
  • MAPISVC32.EXE
  • MCAGENT.EXE
  • MCMNHDLR.EXE
  • MCSHIELD.EXE
  • MCTOOL.EXE
  • MCUPDATE.EXE
  • MCVSRTE.EXE
  • MCVSSHLD.EXE
  • MD.EXE
  • MFIN32.EXE
  • MFW2EN.EXE
  • MFWENG3.02D30.EXE
  • MGAVRTCL.EXE
  • MGAVRTE.EXE
  • MGHTML.EXE
  • MGUI.EXE
  • MINILOG.EXE
  • MMOD.EXE
  • MONITOR.EXE
  • MOOLIVE.EXE
  • MOSTAT.EXE
  • MPFAGENT.EXE
  • MPFSERVICE.EXE
  • MPFTRAY.EXE
  • MRFLUX.EXE
  • MSAPP.EXE
  • MSBB.EXE
  • MSBLAST.EXE
  • MSCACHE.EXE
  • MSCCN32.EXE
  • MSCMAN.EXE
  • MSCONFIG.EXE
  • MSDM.EXE
  • MSDOS.EXE
  • MSIEXEC16.EXE
  • MSINFO32.EXE
  • MSLAUGH.EXE
  • MSMGT.EXE
  • MSMSGRI32.EXE
  • MSSMMC32.EXE
  • MSSYS.EXE
  • MSVXD.EXE
  • MU0311AD.EXE
  • MWATCH.EXE
  • N32SCANW.EXE
  • NAV.EXE
  • NAVAP.NAVAPSVC.EXE
  • NAVAPSVC.EXE
  • NAVAPW32.EXE
  • NAVDX.EXE
  • NAVENGNAVEX15.NAVLU32.EXE
  • NAVLU32.EXE
  • NAVNT.EXE
  • NAVSTUB.EXE
  • NAVW32.EXE
  • NAVWNT.EXE
  • NC2000.EXE
  • NCINST4.EXE
  • NDD32.EXE
  • NEOMONITOR.EXE
  • NEOWATCHLOG.EXE
  • NETARMOR.EXE
  • NETD32.EXE
  • NETINFO.EXE
  • NETMON.EXE
  • NETSCANPRO.EXE
  • NETSPYHUNTER-1.2.EXE
  • NETSTAT.EXE
  • NETUTILS.EXE
  • NISSERV.EXE
  • NISUM.EXE
  • NMAIN.EXE
  • NOD32.EXE
  • NORMIST.EXE
  • NORTON_INTERNET_SECU_3.0_407.EXE
  • NOTSTART.EXE
  • NPF40_TW_98_NT_ME_2K.EXE
  • NPFMESSENGER.EXE
  • NPROTECT.EXE
  • NPSCHECK.EXE
  • NPSSVC.EXE
  • NSCHED32.EXE
  • NSSYS32.EXE
  • NSTASK32.EXE
  • NSUPDATE.EXE
  • NT.EXE
  • NTRTSCAN.EXE
  • NTVDM.EXE
  • NTXconfig.EXE
  • NUI.EXE
  • NUPGRADE.EXE
  • NVARCH16.EXE
  • NVC95.EXE
  • NVSVC32.EXE
  • NWINST4.EXE
  • NWSERVICE.EXE
  • NWTOOL16.EXE
  • OLLYDBG.EXE
  • ONSRVR.EXE
  • OPTIMIZE.EXE
  • OSTRONET.EXE
  • OTFIX.EXE
  • OUTPOST.EXE
  • OUTPOSTINSTALL.EXE
  • OUTPOSTPROINSTALL.EXE
  • PADMIN.EXE
  • PANIXK.EXE
  • PATCH.EXE
  • PAVCL.EXE
  • PAVPROXY.EXE
  • PAVSCHED.EXE
  • PAVW.EXE
  • PCC2002S902.EXE
  • PCC2K_76_1436.EXE
  • PCCIOMON.EXE
  • PCCNTMON.EXE
  • PCCWIN97.EXE
  • PCCWIN98.EXE
  • PCDSETUP.EXE
  • PCFWALLICON.EXE
  • PCIP10117_0.EXE
  • PCSCAN.EXE
  • PDSETUP.EXE
  • PENIS.EXE
  • PERISCOPE.EXE
  • PERSFW.EXE
  • PERSWF.EXE
  • PF2.EXE
  • PFWADMIN.EXE
  • PGMONITR.EXE
  • PINGSCAN.EXE
  • PLATIN.EXE
  • POP3TRAP.EXE
  • POPROXY.EXE
  • POPSCAN.EXE
  • PORTDETECTIVE.EXE
  • PORTMONITOR.EXE
  • POWERSCAN.EXE
  • PPINUPDT.EXE
  • PPTBC.EXE
  • PPVSTOP.EXE
  • PRIZESURFER.EXE
  • PRMT.EXE
  • PRMVR.EXE
  • PROCDUMP.EXE
  • PROCESSMONITOR.EXE
  • PROCEXPLORERV1.0.EXE
  • PROGRAMAUDITOR.EXE
  • PROPORT.EXE
  • PROTECTX.EXE
  • PSPF.EXE
  • PURGE.EXE
  • PUSSY.EXE
  • PVIEW95.EXE
  • QCONSOLE.EXE
  • QSERVER.EXE
  • RAPAPP.EXE
  • RAV7.EXE
  • RAV7WIN.EXE
  • RAV8WIN32ENG.EXE
  • RAY.EXE
  • RB32.EXE
  • RCSYNC.EXE
  • REALMON.EXE
  • REGED.EXE
  • REGEDIT.EXE
  • REGEDT32.EXE
  • RESCUE.EXE
  • RESCUE32.EXE
  • RRGUARD.EXE
  • RSHELL.EXE
  • RTVSCAN.EXE
  • RTVSCN95.EXE
  • RULAUNCH.EXE
  • RUN32DLL.EXE
  • RUNDLL.EXE
  • RUNDLL16.EXE
  • RUXDLL32.EXE
  • SAFEWEB.EXE
  • SAHAGENT.EXE
  • SAVE.EXE
  • SAVENOW.EXE
  • SBSERV.EXE
  • SC.EXE
  • SCAM32.EXE
  • SCAN32.EXE
  • SCAN95.EXE
  • SCANPM.EXE
  • SCRSCAN.EXE
  • SCRSVR.EXE
  • SCVHOST.EXE
  • SD.EXE
  • SERV95.EXE
  • SERVICE.EXE
  • SERVLCE.EXE
  • SERVLCES.EXE
  • SETUP_FLOWPROTECTOR_US.EXE
  • SETUPVAMEEVAL.EXE
  • SFC.EXE
  • SGSSFW32.EXE
  • SH.EXE
  • SHELLSPYINSTALL.EXE
  • SHN.EXE
  • SHOWBEHIND.EXE
  • SMC.EXE
  • SMS.EXE
  • SMSS32.EXE
  • SOAP.EXE
  • SOFI.EXE
  • SPERM.EXE
  • SPF.EXE
  • SPHINX.EXE
  • SPOLER.EXE
  • SPOOLCV.EXE
  • SPOOLSV32.EXE
  • SPYXX.EXE
  • SREXE.EXE
  • SRNG.EXE
  • SS3EDIT.EXE
  • SSG_4104.EXE
  • SSGRATE.EXE
  • ST2.EXE
  • START.EXE
  • STCLOADER.EXE
  • SUPFTRL.EXE
  • SUPPORT.EXE
  • SUPPORTER5.EXE
  • SVC.EXE
  • SVCHOSTC.EXE
  • SVCHOSTS.EXE
  • SVSHOST.EXE
  • SWEEP95.EXE
  • SWEEPNET.SWEEPSRV.SYS.SWNETSUP.EXE
  • SYMPROXYSVC.EXE
  • SYMTRAY.EXE
  • SYSEDIT.EXE
  • SYSTEM.EXE
  • SYSTEM32.EXE
  • SYSUPD.EXE
  • TASKMG.EXE
  • TASKMO.EXE
  • TASKMON.EXE
  • TAUMON.EXE
  • TBSCAN.EXE
  • TC.EXE
  • TCA.EXE
  • TCM.EXE
  • TDS-3.EXE
  • TDS2-98.EXE
  • TDS2-NT.EXE
  • TEEKIDS.EXE
  • TFAK.EXE
  • TFAK5.EXE
  • TGBOB.EXE
  • TITANIN.EXE
  • TITANINXP.EXE
  • TRACERT.EXE
  • TRICKLER.EXE
  • TRJSCAN.EXE
  • TRJSETUP.EXE
  • TROJANTRAP3.EXE
  • TSADBOT.EXE
  • TVMD.EXE
  • TVTMD.EXE
  • UNDOBOOT.EXE
  • UPDAT.EXE
  • UPDATE.EXE
  • UPGRAD.EXE
  • UTPOST.EXE
  • VBCMSERV.EXE
  • VBCONS.EXE
  • VBUST.EXE
  • VBWIN9X.EXE
  • VBWINNTW.EXE
  • VCSETUP.EXE
  • VET32.EXE
  • VET95.EXE
  • VETTRAY.EXE
  • VFSETUP.EXE
  • VIR-HELP.EXE
  • VIRUSMDPERSONALFIREWALL.EXE
  • VNLAN300.EXE
  • VNPC3000.EXE
  • VPC32.EXE
  • VPC42.EXE
  • VPFW30S.EXE
  • VPTRAY.EXE
  • VSCAN40.EXE
  • VSCENU6.02D30.EXE
  • VSCHED.EXE
  • VSECOMR.EXE
  • VSHWIN32.EXE
  • VSISETUP.EXE
  • VSMAIN.EXE
  • VSMON.EXE
  • VSSTAT.EXE
  • VSWIN9XE.EXE
  • VSWINNTSE.EXE
  • VSWINPERSE.EXE
  • W32DSM89.EXE
  • W9X.EXE
  • WATCHDOG.EXE
  • WEBDAV.EXE
  • WEBSCANX.EXE
  • WEBTRAP.EXE
  • WFINDV32.EXE
  • WGFE95.EXE
  • WHOSWATCHINGME.EXE
  • WIMMUN32.EXE
  • WIN-BUGSFIX.EXE
  • WIN32.EXE
  • WIN32US.EXE
  • WINACTIVE.EXE
  • WINDOW.EXE
  • WINDOWS.EXE
  • WININETD.EXE
  • WININIT.EXE
  • WININITX.EXE
  • WINLOGIN.EXE
  • WINMAIN.EXE
  • WINNET.EXE
  • WINPPR32.EXE
  • WINRECON.EXE
  • WINSERVN.EXE
  • WINSSK32.EXE
  • WINSTART.EXE
  • WINSTART001.EXE
  • WINTSK32.EXE
  • WINUPDATE.EXE
  • WKUFIND.EXE
  • WNAD.EXE
  • WNT.EXE
  • WRADMIN.EXE
  • WRCTRL.EXE
  • WSBGATE.EXE
  • WUPDATER.EXE
  • WUPDT.EXE
  • WYVERNWORKSFIREWALL.EXE
  • XPF202EN.EXE
  • ZAPRO.EXE
  • ZAPSETUP3001.EXE
  • ZATUTOR.EXE
  • ZONALM2601.EXE
  • ZONEALARM.EXE

It also prevents users from accessing antivirus Web sites by appending the following entries in the system's HOSTS file:

  • avp.com
  • ca.com
  • customer.symantec.com
  • dispatch.mcafee.com
  • download.mcafee.com
  • f-secure.com
  • kaspersky.com
  • liveupdate.symantec.com
  • liveupdate.symantecliveupdate.com
  • mast.mcafee.com
  • mcafee.com
  • my-etrust.com
  • nai.com
  • networkassociates.com
  • rads.mcafee.com
  • secure.nai.com
  • securityresponse.symantec.com
  • sophos.com
  • symantec.com
  • trendmicro.com
  • update.symantec.com
  • updates.symantec.com
  • us.mcafee.com
  • viruslist.com
  • www.avp.com
  • www.ca.com
  • www.f-secure.com
  • www.kaspersky.com
  • www.mcafee.com
  • www.my-etrust.com
  • www.nai.com
  • www.networkassociates.com
  • www.sophos.com
  • www.symantec.com
  • www.trendmicro.com
  • www.viruslist.com

Other Details

This worm is also capable of terminating the following processes:

  • bbeagle.exe
  • d3dupdate.exe
  • i11r54n4.exe
  • irun4.exe
  • rate.exe
  • Ssate.exe
  • ssate.exe
  • taskmon.exe
  • winsys.exe

It runs on Windows NT, 2000, and XP.

Analysis By: Christine Bejerasco


SOLUTION


Minimum scan engine version needed: 6.810

Pattern file needed: 2.509.03

Pattern release date: Mar 22, 2005


Important note: The "Minimum scan engine" refers to the earliest Trend Micro scan engine version guaranteed to detect this threat. However, Trend Micro strongly recommends that you update to the latest version in order to get comprehensive protection. Download the latest scan engine here.

Solution:

Terminating the Malware Program

This procedure terminates the running malware process.

  1. Open Windows Task Manager.
    � On Windows NT, 2000, and XP, press
    CTRL%20SHIFT%20ESC, then click the Processes tab.
  2. In the list of running programs*, locate the process:
    vsrv32.exe
  3. Select the malware process, then press either the End Task or the End Process button, depending on the version of Windows on your system.
  4. To check if the malware process has been terminated, close Task Manager, and then open it again.
  5. Close Task Manager.

Removing Autostart Entries from the Registry

Removing autostart entries from the registry prevents the malware from executing at startup.

  1. Open Registry Editor. Click Start>Run, type REGEDIT, then press Enter.
  2. In the left panel, double-click the following:
    HKEY_LOCAL_MACHINE>Software>Microsoft>
    Windows>CurrentVersion>Run
  3. In the right panel, locate and delete the entry:
    vsrv32 = "vsrv32.exe"
  4. In the left panel, double-click the following:
    HKEY_LOCAL_MACHINE>Software>Microsoft>
    Windows>CurrentVersion>RunServices
  5. In the right panel, locate and delete the entry:
    vsrv32 = "vsrv32.exe"
  6. Close Registry Editor.

NOTE: If you were not able to terminate the malware process as described in the previous procedure, restart your system.

Removing Malware Entries from the HOSTS file

Deleting malware entries from the HOSTS file prevents the redirection of antivirus Web sites to the local machine.

  1. Locate the HOSTS file. Right-click Start then click Search� or Find�, depending on the version of Windows you are running.
  2. In the Named input box, type:
    HOSTS
  3. In the Look In drop-down list, select the drive that contains Windows, then press Enter.
  4. Once located, open the HOSTS file using a text editor (such as Notepad).
  5. Delete the following entries:
    • 127.0.0.1 www.symantec.com
    • 127.0.0.1 securityresponse.symantec.com
    • 127.0.0.1 symantec.com
    • 127.0.0.1 www.sophos.com
    • 127.0.0.1 sophos.com
    • 127.0.0.1 www.mcafee.com
    • 127.0.0.1 mcafee.com
    • 127.0.0.1 liveupdate.symantecliveupdate.com
    • 127.0.0.1 www.viruslist.com
    • 127.0.0.1 viruslist.com
    • 127.0.0.1 viruslist.com
    • 127.0.0.1 f-secure.com
    • 127.0.0.1 www.f-secure.com
    • 127.0.0.1 kaspersky.com
    • 127.0.0.1 kaspersky-labs.com
    • 127.0.0.1 www.avp.com
    • 127.0.0.1 www.kaspersky.com
    • 127.0.0.1 avp.com
    • 127.0.0.1 www.networkassociates.com
    • 127.0.0.1 networkassociates.com
    • 127.0.0.1 www.ca.com
    • 127.0.0.1 ca.com
    • 127.0.0.1 mast.mcafee.com
    • 127.0.0.1 my-etrust.com
    • 127.0.0.1 www.my-etrust.com
    • 127.0.0.1 download.mcafee.com
    • 127.0.0.1 dispatch.mcafee.com
    • 127.0.0.1 secure.nai.com
    • 127.0.0.1 nai.com
    • 127.0.0.1 www.nai.com
    • 127.0.0.1 update.symantec.com
    • 127.0.0.1 updates.symantec.com
    • 127.0.0.1 us.mcafee.com
    • 127.0.0.1 liveupdate.symantec.com
    • 127.0.0.1 customer.symantec.com
    • 127.0.0.1 rads.mcafee.com
    • 127.0.0.1 trendmicro.com
    • 127.0.0.1 www.trendmicro.com
  6. Save the file and close the text editor.

Additional Windows ME/XP Cleaning Instructions

Users running Windows ME and XP must disable System Restore to allow full scanning of infected systems.

Users running other Windows versions can proceed with the succeeding procedure set(s).

Running Trend Micro Antivirus

Scan your system with Trend Micro antivirus and delete all files detected as WORM_AGOBOT.AIF. To do this, Trend Micro customers must download the latest pattern file and scan their system. Other Internet users can use HouseCall, Trend Micro�s online virus scanner.

Applying Patches

This malware exploits known vulnerabilities in Windows. Download and install the fix patch supplied by Microsoft in the following pages:

Refrain from using this product until the appropriate patch has been installed. Trend Micro advises users to download critical patches upon release by vendors.




Trend Micro offers best-of-breed antivirus and content-security solutions for your corporate network, small and medium business, mobile device or home PC.