WORM_AGOBOT.GM

Malware type: Worm

Aliases: New Malware.aj !! (McAfee), W32.HLLW.Gaobot (Symantec), Worm/SdBot.53044 (Avira), Troj/Rootkit-W (Sophos)

In the wild: Yes

Destructive: No

Language: English

Platform: Windows NT, 2000, XP

Encrypted: No

Overall risk rating:

Reported infections:

Damage potential: High

Distribution potential: High

Description: 

This memory-resident worm exploits certain vulnerabilities to propagate across networks. Like the earlier AGOBOT variants, it takes advantage of the following Windows vulnerabilities:

  • Remote Procedure Call (RPC) Distributed Component Object Model (DCOM) vulnerability (Microsoft Security Bulletin MS03-026)
  • IIS5/WebDAV buffer overflow vulnerability (MS03-007)
  • RPC Locator vulnerability (MS03-001)
  • Microsoft Workstation Service vulnerability (MS03-049)

For more information about these Windows vulnerabilities, please refer to the following Microsoft Web pages:

It attempts to log on to systems using a predefined list of user names and passwords.

It also has backdoor capabilities and may execute malicious commands on the host machine. It terminates antivirus-related processes and steals the CD keys of certain game applications.

It also disables access to certain antivirus Web sites by modifying the Windows HOSTS file.

This worm runs on Windows NT, 2000, and XP.

For additional information about this threat, see:

Description created: Apr. 23, 2004 1:07:47 AM GMT -0800


TECHNICAL DETAILS


Size of malware: 116,512 Bytes

Initial samples received on: Apr 23, 2004

Details:

Installation

Upon execution, this worm drops a copy of itself in the Windows system folder as the following file:

    MESSENGER.EXE

(Note: The Windows system folder is usually C:\WINNT\System32 on Windows 2000, and C:\Windows\System32 on Windows XP.)

To enable its automatic execution at every system startup, it creates the following registry entries:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
Mmessenger = messenger.exe

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
Mmessenger = messenger.exe

(Note: Only the Run value gives the worm persistence on the platforms it targets; the RunServices key is processed at startup by Windows 95/98/ME, not by Windows NT, 2000 or XP. Remove both values regardless.)

Network Propagation and Exploits

This worm takes advantage of the following Windows vulnerabilities to propagate to accessible systems:

  • Locator Service vulnerability (Microsoft Security Bulletin MS03-001)
  • WebDAV vulnerability (MS03-007)
  • Remote Procedure Call (RPC) Distributed Component Object Model (DCOM) vulnerability (MS03-026)
  • Microsoft Workstation Service vulnerability (MS03-049)

For more information about these vulnerabilities, please refer to the following Microsoft Web pages:

It also drops copies of itself into network shares. It tries to log on to these shares using a predefined list of user names and passwords.

The worm opens a random port through which it sends a copy of itself upon receiving a connection.

Backdoor Capabilities

This malware operates as an IRC bot that connects to the IRC server danje3.h4ckz.biz on port 6667. It listens for commands from a remote user and executes them locally on the infected machine, giving remote users virtually complete control over affected systems.

The bot allows a remote user to do the following:

The malware also starts a File Transfer Protocol (FTP) server on a random port which allows the following commands:

  • CWD
  • BINARY
  • RETR
  • SIZE
  • PORT
  • PASV
  • SYST
  • TYPE
  • PASS
  • USER

Process Termination

This worm terminates the following antivirus, firewall, and system processes:

Disabling Access to Antivirus Web Sites

This malware also modifies the Windows HOSTS file, which contains host name to IP address mappings.

It appends data to the said file, which prevents the affected user from accessing any of the following Web sites:

  • www.symantec.com
  • securityresponse.symantec.com
  • symantec.com
  • www.sophos.com
  • sophos.com
  • www.mcafee.com
  • mcafee.com
  • liveupdate.symantecliveupdate.com
  • www.viruslist.com
  • viruslist.com
  • f-secure.com
  • www.f-secure.com
  • kaspersky.com
  • www.avp.com
  • www.kaspersky.com
  • avp.com
  • www.networkassociates.com
  • networkassociates.com
  • www.ca.com
  • ca.com
  • mast.mcafee.com
  • my-etrust.com
  • www.my-etrust.com
  • download.mcafee.com
  • dispatch.mcafee.com
  • secure.nai.com
  • nai.com
  • www.nai.com
  • update.symantec.com
  • updates.symantec.com
  • us.mcafee.com
  • liveupdate.symantec.com
  • customer.symantec.com
  • rads.mcafee.com
  • trendmicro.com
  • www.trendmicro.com

Denial of Service

On command, this malware also floods the following hosts with large amounts of data, so that a population of infected machines acts as a distributed denial of service (DDoS) network against them:

  • www.schlund.net
  • www.utwente.nl
  • verio.fr
  • www.1und1.de
  • www.switch.ch
  • www.belwue.de
  • de.yahoo.com
  • www.xo.net
  • www.stanford.edu
  • www.verio.com
  • www.nocster.com
  • www.rit.edu
  • www.cogentco.com
  • www.burst.net
  • nitro.ucsc.edu
  • www.level3.com
  • www.above.net
  • www.lib.nthu.edu.tw
  • www.st.lib.keio.ac.jp
  • www.d1asia.com
  • www.nifty.com
  • yahoo.co.jp

Payload

This worm also deletes files that match the wildcard SOUN*.* in all directories of the system.




Analysis by: Broderick Ian Aquilino

Revision History:

First pattern file version: 4.334.16
First pattern file release date: Mar 11, 2007

SOLUTION


Minimum scan engine version needed: 6.500

Pattern file needed: 4.335.00

Pattern release date: Mar 11, 2007


Important note: The "Minimum scan engine" refers to the earliest Trend Micro scan engine version guaranteed to detect this threat. However, Trend Micro strongly recommends that you update to the latest version in order to get comprehensive protection. Download the latest scan engine here.

Solution:

AUTOMATIC REMOVAL INSTRUCTIONS

To automatically remove this malware from your system, please refer to the Trend Micro Damage Cleanup Services.

MANUAL REMOVAL INSTRUCTIONS

Identifying the Malware Program

Before proceeding to remove this malware, first identify the malware program.

Scan your system with Trend Micro antivirus and NOTE all files detected as WORM_AGOBOT.GM. To do this, Trend Micro customers must download the latest pattern file and scan their system. Other Internet users can use HouseCall, Trend Micro's free online virus scanner.

Terminating the Malware Program

This procedure terminates the running malware process from memory. You will need the name(s) of the file(s) detected earlier.

  1. Open Windows Task Manager.
    On Windows 95/98/ME systems, press
    CTRL+ALT+DELETE
    On Windows NT/2000/XP systems, press
    CTRL+SHIFT+ESC, then click the Processes tab.
  2. In the list of running programs, locate the malware file or files detected earlier.
  3. Select one of the detected files, then press either the End Task or the End Process button, depending on the version of Windows on your system.
  4. Do the same for all detected malware files in the list of running processes.
  5. To check if the malware process has been terminated, close Task Manager, and then open it again.
  6. Close Task Manager.

Removing Autostart Entries from the Registry

Removing autostart entries from the registry prevents the malware from executing during startup.

  1. Open Registry Editor. To do this, click Start>Run, type Regedit, then press Enter.
  2. In the left panel, double-click the following:
    HKEY_LOCAL_MACHINE>Software>Microsoft>Windows>CurrentVersion>Run
  3. In the right panel, locate and delete the entry:
    Mmessenger = messenger.exe
  4. In the left panel, double-click the following:
    HKEY_LOCAL_MACHINE>Software>Microsoft>Windows>CurrentVersion>RunServices
  5. In the right panel, locate and delete the entry:
    Mmessenger = messenger.exe
  6. Close Registry Editor.
NOTE: If you were not able to terminate the malware process from memory as described in the previous procedure, restart your system.
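The following script is an added example and is not part of Trend Micro's write-up or tooling. It checks the two autostart keys and the dropped file described under Installation and in the removal steps above, so the same indicators can be triaged on many hosts (or against an exported snapshot) without opening Registry Editor on each one. The value name Mmessenger, the data messenger.exe, the %System% drop location and the 116,512-byte sample size come from the write-up; the snapshot dictionary format, the SAMPLE_SNAPSHOT contents and the benign SoundMAX entry are constructed so the logic also runs off a Windows box.

```python
"""Triage the autostart and dropped-file indicators of WORM_AGOBOT.GM.

Added example, not part of Trend Micro's write-up. The snapshot format
{key_path: {value_name: data}} and SAMPLE_SNAPSHOT are assumptions made so
the matching logic can be exercised on any platform.
"""
import os
import re

try:
    import winreg  # present only on Windows
except ImportError:
    winreg = None

RUN_SUBKEYS = (
    r"Software\Microsoft\Windows\CurrentVersion\Run",
    r"Software\Microsoft\Windows\CurrentVersion\RunServices",
)
IOC_VALUE_NAME = "mmessenger"   # compared case-insensitively
IOC_FILE_NAME = "messenger.exe"
IOC_FILE_SIZE = 116_512         # the analysed sample; other variants will differ


def command_basename(data):
    """Lower-cased file name of the executable a Run value launches.

    Handles the bare 'messenger.exe' the worm writes (resolved through the
    %System% search path) as well as a quoted full path followed by arguments.
    """
    m = re.match(r'"([^"]*)"|(\S+)', data.strip())
    if not m:
        return ""
    exe = m.group(1) if m.group(1) is not None else m.group(2)
    return re.split(r"[\\/]", exe)[-1].lower()


def classify_autostart(name, data):
    """Reasons a Run/RunServices value matches the worm's persistence entry."""
    reasons = []
    if name.lower() == IOC_VALUE_NAME:
        reasons.append("value name matches 'Mmessenger'")
    if command_basename(data) == IOC_FILE_NAME:
        reasons.append("command launches messenger.exe")
    return reasons


def scan_snapshot(snapshot):
    """{key_path: {value_name: data}} -> [(key_path, name, data, reasons)] for hits."""
    hits = []
    for key, values in snapshot.items():
        for name, data in values.items():
            reasons = classify_autostart(name, str(data))
            if reasons:
                hits.append((key, name, data, reasons))
    return hits


def read_live_snapshot():
    """Read both Run keys from the live registry (Windows only).

    A missing RunServices key is normal on NT/2000/XP and is skipped.
    """
    if winreg is None:
        raise RuntimeError("live registry access needs Windows")
    snapshot = {}
    for sub in RUN_SUBKEYS:
        values = {}
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, sub) as key:
                index = 0
                while True:
                    try:
                        name, data, _ = winreg.EnumValue(key, index)
                    except OSError:        # no more values under this key
                        break
                    values[name] = data
                    index += 1
        except OSError:
            continue
        snapshot["HKLM\\" + sub] = values
    return snapshot


def dropped_file_status(system_dir):
    """(path, size_matches_sample) if messenger.exe exists in system_dir, else None."""
    path = os.path.join(system_dir, IOC_FILE_NAME)
    if not os.path.isfile(path):
        return None
    return path, os.path.getsize(path) == IOC_FILE_SIZE


# Constructed snapshot: the worm's two entries (one written with a full path
# and a switch, as a variant might) beside a benign vendor autostart entry.
SAMPLE_SNAPSHOT = {
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run": {
        "Mmessenger": "messenger.exe",
        "SoundMAX": r'"C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe"',
    },
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices": {
        "Mmessenger": r'"C:\WINNT\System32\messenger.exe" /s',
    },
}

if __name__ == "__main__":
    snap = read_live_snapshot() if winreg else SAMPLE_SNAPSHOT
    for key, name, data, reasons in scan_snapshot(snap):
        print(f"{key}\\{name} = {data!r}: {'; '.join(reasons)}")
    sysdir = os.path.join(os.environ.get("SystemRoot", r"C:\WINNT"), "System32")
    print("dropped file:", dropped_file_status(sysdir))
```

Matching on the launched file name rather than only on the value name catches an entry that has been renamed or given a full path; the size comparison is deliberately reported as a separate flag, because it identifies only this exact sample and a file of a different size in the same location still warrants a scan.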

Restoring the Windows HOSTS File

Deleting these entries from the HOSTS file stops the antivirus Web sites from being redirected to the local machine.

  1. Open the following file using your default text editor:
    %System%\Drivers\etc\Hosts
    (Note: %System% is the Windows system directory, which is usually C:\WINNT\System32 or C:\Windows\System32.)
  2. Locate and delete the following lines:
    • 127.0.0.1 www.symantec.com
    • 127.0.0.1 securityresponse.symantec.com
    • 127.0.0.1 symantec.com
    • 127.0.0.1 www.sophos.com
    • 127.0.0.1 sophos.com
    • 127.0.0.1 www.mcafee.com
    • 127.0.0.1 mcafee.com
    • 127.0.0.1 liveupdate.symantecliveupdate.com
    • 127.0.0.1 www.viruslist.com
    • 127.0.0.1 viruslist.com
    • 127.0.0.1 f-secure.com
    • 127.0.0.1 www.f-secure.com
    • 127.0.0.1 kaspersky.com
    • 127.0.0.1 www.avp.com
    • 127.0.0.1 www.kaspersky.com
    • 127.0.0.1 avp.com
    • 127.0.0.1 www.networkassociates.com
    • 127.0.0.1 networkassociates.com
    • 127.0.0.1 www.ca.com
    • 127.0.0.1 ca.com
    • 127.0.0.1 mast.mcafee.com
    • 127.0.0.1 my-etrust.com
    • 127.0.0.1 www.my-etrust.com
    • 127.0.0.1 download.mcafee.com
    • 127.0.0.1 dispatch.mcafee.com
    • 127.0.0.1 secure.nai.com
    • 127.0.0.1 nai.com
    • 127.0.0.1 www.nai.com
    • 127.0.0.1 update.symantec.com
    • 127.0.0.1 updates.symantec.com
    • 127.0.0.1 us.mcafee.com
    • 127.0.0.1 liveupdate.symantec.com
    • 127.0.0.1 customer.symantec.com
    • 127.0.0.1 rads.mcafee.com
    • 127.0.0.1 trendmicro.com
    • 127.0.0.1 www.trendmicro.com
  3. Save the HOSTS file and close the text editor.
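The script below is an added example and is not part of Trend Micro's write-up. It performs the HOSTS restoration described above, and the detection described under Disabling Access to Antivirus Web Sites, programmatically: it keeps every line that is not the worm's (including 127.0.0.1 localhost, comments and local entries), handles tabs, mixed case and several names on one line, and saves a backup before writing. The domain list is the one given on this page; the SAMPLE_HOSTS content, the internal host names in it and the .agobot.bak backup suffix are constructed. As a deliberate generalisation, a line is removed whenever it maps one of the listed domains to any address, not only to 127.0.0.1, since a variant could just as easily point an update server at an attacker-controlled host.

```python
"""Remove the antivirus-vendor HOSTS overrides appended by WORM_AGOBOT.GM.

Added example, not part of Trend Micro's write-up. HIJACKED_DOMAINS is the
list from the write-up; SAMPLE_HOSTS and the .agobot.bak suffix are
assumptions. Terminate the worm process first, or it may re-append the lines.
"""
import os
import shutil
import sys

HIJACKED_DOMAINS = frozenset("""
www.symantec.com securityresponse.symantec.com symantec.com www.sophos.com
sophos.com www.mcafee.com mcafee.com liveupdate.symantecliveupdate.com
www.viruslist.com viruslist.com f-secure.com www.f-secure.com kaspersky.com
www.avp.com www.kaspersky.com avp.com www.networkassociates.com
networkassociates.com www.ca.com ca.com mast.mcafee.com my-etrust.com
www.my-etrust.com download.mcafee.com dispatch.mcafee.com secure.nai.com
nai.com www.nai.com update.symantec.com updates.symantec.com us.mcafee.com
liveupdate.symantec.com customer.symantec.com rads.mcafee.com trendmicro.com
www.trendmicro.com
""".split())


def parse_hosts_line(line):
    """Return (address, [hostnames], comment) or None for blank/comment-only lines."""
    body, sep, comment = line.partition("#")
    parts = body.split()
    if not parts:
        return None
    return parts[0], parts[1:], (sep + comment) if sep else ""


def clean_hosts(text, hijacked=HIJACKED_DOMAINS):
    """Return (cleaned_text, removed_lines).

    Lines that name only hijacked domains are dropped. A line that mixes them
    with legitimate names keeps the legitimate names and its comment. Line
    endings and everything else (header comments, localhost) are untouched.
    """
    kept, removed = [], []
    for raw in text.splitlines(keepends=True):
        line = raw.rstrip("\r\n")
        eol = raw[len(line):]
        entry = parse_hosts_line(line)
        if entry is None:
            kept.append(raw)
            continue
        addr, names, comment = entry
        good = [n for n in names if n.lower() not in hijacked]
        if len(good) == len(names):
            kept.append(raw)
        elif not good:
            removed.append(line)
        else:
            removed.append(line)
            rebuilt = " ".join([addr] + good) + (" " + comment if comment else "")
            kept.append(rebuilt + eol)
    return "".join(kept), removed


def clean_hosts_file(path):
    """Rewrite the HOSTS file in place after saving a backup; returns removed lines."""
    with open(path, "r", encoding="latin-1", newline="") as fh:
        original = fh.read()
    cleaned, removed = clean_hosts(original)
    if removed:
        shutil.copy2(path, path + ".agobot.bak")
        with open(path, "w", encoding="latin-1", newline="") as fh:
            fh.write(cleaned)
    return removed


# Constructed HOSTS content: stock header, a local entry with a comment, then
# the kind of lines the worm appends (tabs, upper case, several names per line).
SAMPLE_HOSTS = (
    "# Copyright (c) 1993-1999 Microsoft Corp.\r\n"
    "127.0.0.1       localhost\r\n"
    "10.0.0.5        fileserver.corp.example   # constructed internal entry\r\n"
    "127.0.0.1 www.symantec.com\r\n"
    "127.0.0.1 securityresponse.symantec.com\r\n"
    "127.0.0.1\tWWW.TRENDMICRO.COM\r\n"
    "127.0.0.1 liveupdate.symantec.com intranet.corp.example rads.mcafee.com\r\n"
)

if __name__ == "__main__":
    if len(sys.argv) > 1:   # e.g. C:\WINNT\System32\drivers\etc\hosts
        for line in clean_hosts_file(sys.argv[1]):
            print("removed:", line)
    else:                   # no path given: demonstrate on the constructed sample
        cleaned, removed = clean_hosts(SAMPLE_HOSTS)
        print(cleaned, end="")
        print(f"{len(removed)} line(s) removed")
```

Run it with the path of the HOSTS file as the only argument (elevated, since the file lives under %System%); without an argument it only prints the cleaned constructed sample. After cleaning, confirm the vendor sites resolve again with nslookup or by opening one of them, and keep the backup until the scan in the next step comes back clean.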

Additional Windows ME/XP Cleaning Instructions

Running Trend Micro Antivirus

Scan your system with Trend Micro antivirus and delete all files detected as WORM_AGOBOT.GM. To do this, Trend Micro customers must download the latest pattern file and scan their system. Other Internet users can use HouseCall, Trend Micro's free online virus scanner.

Applying Patches

This malware exploits known vulnerabilities affecting the Windows NT platforms. Download and install the following to patch your system.

Refrain from using the affected software until the appropriate patch has been installed.

