WORM_AGOBOT.EC

Malware type: Worm

Aliases: Backdoor.Win32.Rbot.cpo (Kaspersky), W32/Sdbot.worm (McAfee), W32.IRCBot (Symantec), TR/Agent.47616.6 (Avira), Mal/Heuri-D (Sophos)

In the wild: Yes

Destructive: No

Language: English

Platform: Windows 2000, XP

Encrypted: No

Overall risk rating:

Reported infections:

Damage potential:

High

Distribution potential:

High

Description: 

This worm exploits the following Windows vulnerabilities to propagate across networks:

  • Remote Procedure Call (RPC) Distributed Component Object Model (DCOM) vulnerability
  • IIS5/WEBDAV Buffer Overflow vulnerability
  • RPC Locator Vulnerability

For more information about these Windows vulnerabilities, please refer to the following Microsoft Web pages:

It attempts to log into systems using a list of user names and passwords. This worm then drops a copy of itself in accessed machines.

It also terminates antivirus-related processes and processes of files dropped by other malware. This worm steals the CD keys of certain game applications.

It also has backdoor capabilities, allowing remote access to the compromised system.

It runs on Windows 2000 and XP.

For additional information about this threat, see:

Description created: Mar. 4, 2004 4:30:14 PM GMT -0800
Description updated: Mar. 4, 2004 4:41:59 PM GMT -0800


TECHNICAL DETAILS


Size of malware: 197,632 Bytes (compressed)
~556,032 Bytes (uncompressed)

Initial samples received on: Mar 4, 2004

Details:
Installation and Autostart Technique

Upon execution, this worm drops a copy of itself as VIDEOL32.EXE in the Windows system folder.

It then adds the following registry entries, which enable this malware to run automatically at every system startup:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
Videool32 = "VIDEOL32.EXE "

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
Videool32 = "VIDEOL32.EXE "
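As an added triage example (not Trend Micro's code), the following Python parses a Registry export of the two autostart keys above, such as the text written by `reg export`, and flags every value that launches VIDEOL32.EXE; the sample export is constructed, and the key and value names come from the entries listed above.

```python
import re

# Indicators from the advisory: autostart keys, value name and dropped file.
AUTOSTART_KEYS = {
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
    r"hkey_local_machine\software\microsoft\windows\currentversion\runservices",
}
DROPPED_FILE = "videol32.exe"
KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')  # REG_SZ lines only

def parse_reg_export(text):
    """Map each [key] section of a .reg export (decoded from the UTF-16 reg.exe writes) to (name, data) values."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            # .reg escapes backslashes and quotes inside data; undo that.
            data = m.group(2).replace('\\"', '"').replace("\\\\", "\\")
            sections[current].append((m.group(1), data))
    return sections

def find_agobot_autostart(text):
    """Return (key, name, data) for every Run/RunServices value whose command is VIDEOL32.EXE, ignoring case, path and trailing space."""
    hits = []
    for key, values in parse_reg_export(text).items():
        if key.lower() not in AUTOSTART_KEYS:
            continue
        for name, data in values:
            exe = data.strip().strip('"').lower().rsplit("\\", 1)[-1]
            if exe == DROPPED_FILE:
                hits.append((key, name, data))
    return hits

# Constructed sample export, not taken from a real host.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Videool32"="VIDEOL32.EXE "
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"Videool32"="VIDEOL32.EXE "
"""
```

Running `find_agobot_autostart(SAMPLE_EXPORT)` reports the two Videool32 entries and leaves the legitimate ctfmon.exe entry alone.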

Network Propagation and Exploits

This worm takes advantage of the Remote Procedure Call (RPC) Distributed Component Object Model (DCOM) vulnerability present on Windows XP systems, which allows an attacker to gain full access and execute any code on a target machine, leaving it compromised.

Read more on this vulnerability from the following link:

This worm looks for vulnerable Windows XP machines on the network by scanning for random TCP/IP addresses on port 135.

It also uses the RPC Locator vulnerability, which affects Windows NT systems, and searches for vulnerable Windows NT machines on the network by incrementally scanning TCP/IP addresses on port 445.

More information on this vulnerability is available from the following Microsoft page:

This worm also exploits the IIS5/WEBDAV buffer overrun vulnerability affecting Windows NT platforms, which enables arbitrary code to execute on the server.

The following link offers more information from Microsoft about this vulnerability:

When it finds a vulnerable target machine, the worm copies and executes itself on the system.
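An added detection example, not part of the advisory: the scanning behaviour described above (random addresses on TCP port 135, incrementally increasing addresses on TCP port 445) shows up in firewall connection logs as one source reaching many distinct hosts on those ports. The Python below counts distinct destinations per source and port over iptables-style log lines and, for port 445, reports whether the destinations step through consecutive addresses; the log lines and the threshold of 8 are constructed assumptions.

```python
import re
from collections import defaultdict
from ipaddress import ip_address

# iptables-style lines; whatever sits between DST and DPT is skipped.
LOG_RE = re.compile(r"SRC=(\S+) DST=(\S+).*?PROTO=TCP.*?DPT=(\d+)")
SCAN_PORTS = {135, 445}  # the two propagation ports named in the advisory
THRESHOLD = 8            # distinct destinations per source and port; tune per network

def parse_connections(lines):
    """Yield (src, dst, dport) from log lines that carry a TCP connection."""
    for line in lines:
        m = LOG_RE.search(line)
        if m:
            yield m.group(1), m.group(2), int(m.group(3))

def is_sequential(dsts):
    """True when destinations, in the order first seen, advance by exactly one host."""
    nums = [int(ip_address(d)) for d in dsts]
    return len(nums) > 1 and all(b - a == 1 for a, b in zip(nums, nums[1:]))

def find_scanners(lines, threshold=THRESHOLD):
    """Return {(src, port): {"targets": n, "sequential": bool}} for each source
    that contacted at least `threshold` distinct hosts on a propagation port."""
    seen = defaultdict(list)  # (src, port) -> distinct destinations, in order
    for src, dst, dport in parse_connections(lines):
        if dport in SCAN_PORTS and dst not in seen[(src, dport)]:
            seen[(src, dport)].append(dst)
    return {key: {"targets": len(d), "sequential": is_sequential(d)}
            for key, d in seen.items() if len(d) >= threshold}

# Constructed sample log (not real traffic): 10.0.0.50 sweeps 10.0.0.1-10 on
# tcp/445 and sprays scattered addresses on tcp/135; 10.0.0.20 is benign.
SAMPLE_LOG = (
    [f"kernel: IN=eth0 SRC=10.0.0.50 DST=10.0.0.{i} PROTO=TCP SPT=1100 DPT=445" for i in range(1, 11)]
    + [f"kernel: IN=eth0 SRC=10.0.0.50 DST=198.51.100.{i} PROTO=TCP SPT=1200 DPT=135"
       for i in (7, 93, 2, 140, 55, 201, 18, 66)]
    + ["kernel: IN=eth0 SRC=10.0.0.20 DST=10.0.0.5 PROTO=TCP SPT=3389 DPT=445"]
)

if __name__ == "__main__":
    for (src, port), info in find_scanners(SAMPLE_LOG).items():
        print(f"{src}: {info['targets']} hosts on tcp/{port}, sequential={info['sequential']}")
```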

It also searches for the following network shares:

  • admin$
  • print$

If these folders have full access rights, it attempts to copy itself to these network shares. However, if these shared folders have restricted access rights, the worm attempts to force its way into the system by logging in using the following user names and passwords:

  • User names:

    • a
    • aaa
    • abc
    • admin
    • Administrador
    • Administrateur
    • administrator
    • asdf
    • Default
    • Dell
    • Gast
    • Guest
    • home
    • Inviter
    • login
    • mgmt
    • Owner
    • pc
    • qwer
    • Standard
    • temp
    • Test
    • test
    • User
    • win
    • x
    • xyz

  • Passwords:

    • 0
    • 000000
    • 00000000
    • 007
    • 1
    • 110
    • 111
    • 111111
    • 11111111
    • 12
    • 121212
    • 123
    • 123123
    • 1234
    • 12345
    • 123456
    • 1234567
    • 12345678
    • 123456789
    • 1234qwer
    • 123abc
    • 123asd
    • 123qwe
    • 2002
    • 2003
    • 2600
    • 54321
    • 654321
    • 88888888
    • a
    • aaa
    • abc
    • abcd
    • Admin
    • administrator
    • alpha
    • asdf
    • computer
    • database
    • enable
    • foobar
    • god
    • godblessyou
    • home
    • ihavenopass
    • Internet
    • login
    • Login
    • love
    • mypass
    • mypc
    • oracle
    • owner
    • pass
    • pass
    • passwd
    • password
    • Password
    • pat
    • patrick
    • pc
    • pw
    • pwd
    • qwer
    • root
    • secret
    • server
    • sex
    • super
    • sybase
    • temp
    • test
    • win
    • xp
    • xxx
    • yxcv
    • zxcv

    Information Theft

    This worm steals the Windows Product ID, and also the CD keys of the following games:

    • BF1942
    • BF1942 RtR
    • BF1942 SWoWWII
    • Command & Conquer Generals
    • Counter-Strike
    • FIFA 2002
    • FIFA 2003
    • Half-Life CDKey
    • LoMaM
    • Nascar 2002
    • Nascar 2003
    • NFSHP2
    • NHL 2002
    • NHL 2003
    • NOX
    • Project IGI 2
    • Red Alert
    • Red Alert 2
    • The Gladiators
    • Tiberian Sun
    • UT2003

    Antivirus Retaliation

    This worm terminates the following antivirus and firewall processes:

    • _AVP32.EXE
    • _AVPCC.EXE
    • _AVPM.EXE
    • ACKWIN32.EXE
    • ANTI-TROJAN.EXE
    • APVXDWIN.EXE
    • AUTODOWN.EXE
    • AVCONSOL.EXE
    • AVE32.EXE
    • AVGCTRL.EXE
    • AVKSERV.EXE
    • AVNT.EXE
    • AVP.EXE
    • AVP32.EXE
    • AVPCC.EXE
    • AVPDOS32.EXE
    • AVPM.EXE
    • AVPTC32.EXE
    • AVPUPD.EXE
    • AVSCHED32.EXE
    • AVWIN95.EXE
    • AVWUPD32.EXE
    • BLACKD.EXE
    • BLACKICE.EXE
    • CFIADMIN.EXE
    • CFIAUDIT.EXE
    • CFINET.EXE
    • CFINET32.EXE
    • CLAW95.EXE
    • CLAW95CF.EXE
    • CLEANER.EXE
    • CLEANER3.EXE
    • DVP95.EXE
    • DVP95_0.EXE
    • ECENGINE.EXE
    • ESAFE.EXE
    • ESPWATCH.EXE
    • F-AGNT95.EXE
    • FINDVIRU.EXE
    • FPROT.EXE
    • F-PROT.EXE
    • F-PROT95.EXE
    • FP-WIN.EXE
    • FRW.EXE
    • F-STOPW.EXE
    • IAMAPP.EXE
    • IAMSERV.EXE
    • IBMASN.EXE
    • IBMAVSP.EXE
    • ICLOAD95.EXE
    • ICLOADNT.EXE
    • ICMON.EXE
    • ICSUPP95.EXE
    • ICSUPPNT.EXE
    • IFACE.EXE
    • IOMON98.EXE
    • JEDI.EXE
    • LOCKDOWN2000.EXE
    • LOOKOUT.EXE
    • LUALL.EXE
    • MOOLIVE.EXE
    • MPFTRAY.EXE
    • N32SCANW.EXE
    • NAVAPW32.EXE
    • NAVLU32.EXE
    • NAVNT.EXE
    • NAVW32.EXE
    • NAVWNT.EXE
    • NISUM.EXE
    • NMAIN.EXE
    • NORMIST.EXE
    • NUPGRADE.EXE
    • NVC95.EXE
    • OUTPOST.EXE
    • PADMIN.EXE
    • PAVCL.EXE
    • PAVSCHED.EXE
    • PAVW.EXE
    • PCCWIN98.EXE
    • PCFWALLICON.EXE
    • PERSFW.EXE
    • RAV7.EXE
    • RAV7WIN.EXE
    • RESCUE.EXE
    • SAFEWEB.EXE
    • SCAN32.EXE
    • SCAN95.EXE
    • SCANPM.EXE
    • SCRSCAN.EXE
    • SERV95.EXE
    • SMC.EXE
    • SPHINX.EXE
    • SWEEP95.EXE
    • TBSCAN.EXE
    • TCA.EXE
    • TDS2-98.EXE
    • TDS2-NT.EXE
    • VET95.EXE
    • VETTRAY.EXE
    • VSCAN40.EXE
    • VSECOMR.EXE
    • VSHWIN32.EXE
    • VSSTAT.EXE
    • WEBSCANX.EXE
    • WFINDV32.EXE
    • ZONEALARM.EXE

    Backdoor Capabilities

    It has a built-in IRC (Internet Relay Chat) client engine, which enables it to connect to an IRC channel and await commands from a remote user. These commands include:

    • Remove network shares
    • Flush DNS cache
    • Download files, including malware updates from a Web site or FTP server
    • Scan local network for vulnerable machines
    • Scan local network for machines with weak NetBIOS passwords
    • Obtain system information, such as:
      • Total Windows running time
      • Windows version
      • Current user
      • CPU speed
      • Total free and allocated memory
    • Redirect connections
    • Emulate a Socks4 proxy
    • Log off the user
    • Restart or shut down the machine
    • List all running processes
    • Terminate a specific process
    • Add or remove autostart entries in the registry
    • Add or remove services using Service Control Manager
    • Send customized email messages using predefined SMTP servers
    • Change the IRC server and channel it connects to

    Flooding Routine

    This worm also enables malicious users to launch the following types of flood attacks against a target site:

    • Ping flood
    • SYN flood
    • UDP flood
    • ICMP flood

    Other Details

    This worm also terminates the following processes:

    • DLLHOST.EXE
    • MSBLAST.EXE
    • MSPATCH.EXE
    • PENIS32.EXE
    • TFTPD.EXE
    • WINHLPP32.EXE
    • WINPPR32.EXE

    Analysis by: Erwin Varona

    Revision History:

    First pattern file version: 4.536.06
    First pattern file release date: Jun 14, 2007

    SOLUTION


    Minimum scan engine version needed: 6.100

    Pattern file needed: 4.537.00

    Pattern release date: Jun 14, 2007


    Important note: The "Minimum scan engine" refers to the earliest Trend Micro scan engine version guaranteed to detect this threat. However, Trend Micro strongly recommends that you update to the latest version in order to get comprehensive protection. Download the latest scan engine here.

    Solution:

    AUTOMATIC REMOVAL INSTRUCTIONS

    To automatically remove this malware from your system, please refer to the Trend Micro Damage Cleanup Engine and Template.

    MANUAL REMOVAL INSTRUCTIONS

    Identifying the Malware Program

    To remove this malware, first identify the malware program.

    1. Scan your system with your Trend Micro antivirus product.
    2. NOTE all files detected as WORM_AGOBOT.EC.

    Trend Micro customers need to download the latest pattern file before scanning their system. Other Internet users may use HouseCall, Trend Micro's free online virus scanner.

    Restarting in Safe Mode

    • On Windows 2000

    1. Restart your computer.
    2. Press the F8 key, when you see the Starting Windows bar at the bottom of the screen.
    3. Choose the Safe Mode option from the Windows Advanced Options Menu then press Enter.

    • On Windows XP

    1. Restart your computer.
    2. Press F8 after the Power-On Self Test (POST) is done. If the Windows Advanced Options Menu does not appear, try restarting and then pressing F8 several times after the POST screen.
    3. Choose the Safe Mode option from the Windows Advanced Options Menu then press Enter.

    Note: After performing all the solutions for the removal of this malware, please restart your system normally, and run your Trend Micro antivirus product.

    Terminating the Malware Program

    This procedure terminates the running malware process from memory. You will need the name(s) of the file(s) detected earlier.

    1. Open Windows Task Manager. Press CTRL+SHIFT+ESC, then click the Processes tab.
    2. In the list of running programs, locate the malware file or files detected earlier.
    3. Select one of the detected files, then press either the End Task or the End Process button, depending on the version of Windows on your system.
    4. Do the same for all detected malware files in the list of running processes.
    5. To check if the malware process has been terminated, close Task Manager, and then open it again.
    6. Close Task Manager.

    Editing the Registry

    This malware modifies the system's registry. Users affected by this malware may need to modify or delete specific registry keys or entries. For detailed information regarding registry editing, please refer to the following articles from Microsoft:

    1. HOW TO: Backup, Edit, and Restore the Registry in Windows 2000
    2. HOW TO: Back Up, Edit, and Restore the Registry in Windows XP and 2003

    Removing Autostart Entries from the Registry

    Removing autostart entries from the registry prevents the malware from executing during startup.

    To remove the malware autostart entries:

    1. Open Registry Editor. To do this, click Start>Run, type Regedit, then press Enter.
    2. In the left panel, double-click the following:
      HKEY_LOCAL_MACHINE>Software>Microsoft>Windows>CurrentVersion>Run
    3. In the right panel, locate and delete the entry:
      Videool32 = "VIDEOL32.EXE"
    4. In the left panel, double-click the following:
      HKEY_LOCAL_MACHINE>Software>Microsoft>Windows>CurrentVersion>RunServices
    5. In the right panel, locate and delete the entry or entries:
      Videool32 = "VIDEOL32.EXE"
    6. Close Registry Editor.
    NOTE: If you were not able to terminate the malware process from memory as described in the previous procedure, restart your system.

    Important Windows ME/XP Cleaning Instructions

    Users running Windows ME and XP must disable System Restore to allow full scanning of infected systems.

    Users running other Windows versions can proceed with the succeeding procedure set(s).

    Running Trend Micro Antivirus

    Scan your system with Trend Micro antivirus and delete files detected as WORM_AGOBOT.EC. To do this, Trend Micro customers must download the latest virus pattern file and scan their system. Other Internet users can use HouseCall, Trend Micro's online virus scanner.

    Applying Patches

    This malware exploits known vulnerabilities affecting the Windows NT platforms. Download and install the following to patch your system.
