WORM_AGOBOT.QA

Malware type: Worm

Aliases: Backdoor.Win32.Wootbot.ey (Kaspersky), W32.Spybot.Worm (Symantec), TR/Crypt.XPACK.Gen (Avira), Mal/Generic-A (Sophos)

In the wild: Yes

Destructive: No

Language: English

Platform: Windows NT, 2000, XP

Encrypted: No

Overall risk rating:

Reported infections:

Damage potential:

High

Distribution potential:

High

Description: 

This memory-resident worm exploits certain vulnerabilities to propagate across networks. Like the earlier AGOBOT variants, it takes advantage of the following Windows vulnerabilities:

  • Remote Procedure Call (RPC) Distributed Component Object Model (DCOM) vulnerability
  • IIS5/WEBDAV Buffer Overflow vulnerability
  • RPC Locator vulnerability

For more information about these Windows vulnerabilities, please refer to the following Microsoft Web pages:

It attempts to log on to systems using a predefined list of user names and passwords.

It also has backdoor capabilities and may execute malicious commands on the host machine. It terminates antivirus-related processes and files dropped by other malware. It also steals CD keys of certain game applications.

For additional information about this threat, see:

Description created: Mar. 28, 2004 6:37:32 AM GMT -0800
Description updated: Mar. 28, 2004 6:37:40 AM GMT -0800


TECHNICAL DETAILS


Size of malware: 95,258 Bytes (compressed)

Initial samples received on: Mar 28, 2004

Details:

Installation

This memory-resident worm usually arrives as a UPX-compressed file.

Upon execution, it drops a copy of itself in the Windows system32 folder as the following file:

    VIDE_32.EXE

(Note: The Windows system folder is usually C:\WINNT\System32 on Windows 2000, and C:\Windows\System32 on Windows XP.)

To enable its automatic execution at every system startup, it creates the following registry entries:

HKEY_LOCAL_MACHINE\Software\Microsoft\
Windows\CurrentVersion\Run
Windows video =" VIDE_32.EXE "

HKEY_LOCAL_MACHINE\Software\Microsoft\
Windows\CurrentVersion\RunServices
Windows video =" VIDE_32.EXE "
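The two autostart values above are the worm's persistence mechanism. The following script is an added example (not part of the Trend Micro write-up) that parses a Registry Editor export (.reg text) and reports any value under the two HKLM keys whose name is "Windows video" or whose data points at VIDE_32.EXE, so the check can run offline against exports collected from many hosts. The sample export embedded below is constructed; the key paths, value name and file name are the ones given in the write-up.

```python
"""Added example: find this worm's Run/RunServices autostart values in a .reg export."""
import re

# Autostart keys named in the write-up (compared case-insensitively).
AUTORUN_KEYS = frozenset(k.lower() for k in (
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices",
))
SUSPECT_NAME = "windows video"   # value name from the write-up
SUSPECT_FILE = "vide_32.exe"     # dropped file from the write-up

# Constructed sample export; the VMware and OneDrive entries are benign filler.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Windows video"=" VIDE_32.EXE "
"VMware Tools"="C:\\Program Files\\VMware\\vmtoolsd.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"Windows video"=" VIDE_32.EXE "

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="C:\\Users\\x\\OneDrive.exe"
'''

# One REG_SZ line: "name"="data", with backslashes escaped as \\ in .reg syntax.
_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def parse_reg_export(text):
    """Yield (key, value_name, value_data) for every REG_SZ value in the export."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]                       # a new key header
        elif key and line.startswith('"'):
            m = _VALUE_RE.match(line)
            if m:
                name = m.group(1).replace("\\\\", "\\")
                data = m.group(2).replace("\\\\", "\\")
                yield key, name, data


def find_agobot_autoruns(text):
    """Return [(key, name, data)] for values matching the worm's persistence entries."""
    hits = []
    for key, name, data in parse_reg_export(text):
        if key.lower() not in AUTORUN_KEYS:
            continue
        # The write-up shows the data padded with spaces (" VIDE_32.EXE "), and a
        # variant could store a full path; strip padding and keep only the file name.
        exe = data.strip().lower().rsplit("\\", 1)[-1]
        if name.strip().lower() == SUSPECT_NAME or exe == SUSPECT_FILE:
            hits.append((key, name, data.strip()))
    return hits


if __name__ == "__main__":
    for key, name, data in find_agobot_autoruns(SAMPLE_REG):
        print(f"{key}\n    {name} = {data}")
```

To use it on a real host, export the two keys with Registry Editor (File > Export, or `reg export` on later Windows versions) and pass the file contents to `find_agobot_autoruns`; matching on the file name rather than the exact padded string keeps the check robust to minor formatting differences between exports.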

Network Propagation and Exploits

This worm takes advantage of the Remote Procedure Call (RPC) Distributed Component Object Model (DCOM) vulnerability present on Windows NT systems, which allows an attacker to gain full access and execute any code on a target machine, leaving it compromised.

Read more on this vulnerability from the following link:

It looks for vulnerable machines on the network by scanning for random TCP/IP addresses on port 135.

It further uses the RPC Locator vulnerability which affects Windows NT systems and searches for vulnerable Windows NT machines on the network by incrementally scanning TCP/IP addresses on port 445.

More information on this vulnerability is available from the following Microsoft page:

It also exploits the IIS5/WEBDAV buffer overrun vulnerability affecting Windows NT platforms, which enables arbitrary code to execute on the server.

The following link offers more information from Microsoft about this vulnerability:
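The scanning behaviour described above (random addresses on TCP 135, incremental addresses on TCP 445) is visible in perimeter or NetFlow logs long before the payload lands. The script below is an added detection example, not part of the Trend Micro write-up: it counts distinct destinations per source on those two ports and labels each alert as a sequential or random sweep. The flow records and the `src=... dst=... dport=...` line format are constructed for the example, and the alert threshold is an assumed tuning value.

```python
"""Added example: flag hosts whose connection pattern matches this worm's port 135/445 scanning."""
from collections import defaultdict
from ipaddress import IPv4Address

# Constructed sample flow log (assumed key=value format, not a real product's output).
SAMPLE_FLOWS = [
    "src=10.0.0.5 dst=192.168.1.10 dport=445",
    "src=10.0.0.5 dst=192.168.1.11 dport=445",
    "src=10.0.0.5 dst=192.168.1.12 dport=445",
    "src=10.0.0.5 dst=192.168.1.13 dport=445",
    "src=10.0.0.5 dst=192.168.1.14 dport=445",
    "src=10.0.0.5 dst=192.168.1.15 dport=445",
    "src=10.0.0.7 dst=203.0.113.44 dport=135",
    "src=10.0.0.7 dst=198.51.100.9 dport=135",
    "src=10.0.0.7 dst=192.0.2.200 dport=135",
    "src=10.0.0.7 dst=203.0.113.7 dport=135",
    "src=10.0.0.7 dst=198.51.100.130 dport=135",
    "src=10.0.0.9 dst=192.168.1.20 dport=445",   # two file servers: benign
    "src=10.0.0.9 dst=192.168.1.21 dport=445",
    "src=10.0.0.9 dst=203.0.113.80 dport=80",    # web traffic: not a scan port
]

SCAN_PORTS = {135, 445}   # RPC DCOM and RPC Locator ports named in the write-up
THRESHOLD = 5             # distinct targets per port before alerting (assumed value)


def parse_flow_line(line):
    """Turn 'src=A dst=B dport=N' into (src, dst, port)."""
    fields = dict(tok.split("=", 1) for tok in line.split())
    return fields["src"], fields["dst"], int(fields["dport"])


def classify_targets(addresses):
    """'sequential' when the sorted targets form one unbroken run, else 'random'."""
    ordered = sorted(int(a) for a in addresses)
    sequential = all(b - a == 1 for a, b in zip(ordered, ordered[1:]))
    return "sequential" if sequential else "random"


def detect_scanners(lines, threshold=THRESHOLD):
    """Return one alert per (source, port) whose distinct-target count reaches the threshold."""
    targets = defaultdict(lambda: defaultdict(set))
    for line in lines:
        src, dst, port = parse_flow_line(line)
        if port in SCAN_PORTS:
            targets[src][port].add(IPv4Address(dst))
    alerts = []
    for src in sorted(targets):
        for port, dsts in sorted(targets[src].items()):
            if len(dsts) >= threshold:
                alerts.append({"src": src, "port": port,
                               "targets": len(dsts),
                               "pattern": classify_targets(dsts)})
    return alerts


if __name__ == "__main__":
    for a in detect_scanners(SAMPLE_FLOWS):
        print(f"{a['src']} -> {a['targets']} hosts on tcp/{a['port']} ({a['pattern']} sweep)")
```

On the sample data the 445 sweep from 10.0.0.5 comes out as sequential and the 135 sweep from 10.0.0.7 as random, matching the two behaviours the write-up describes; the host with two legitimate SMB sessions stays below the threshold. In production the threshold should be set per network from a baseline of normal fan-out on these ports.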

It also searches for the following network shares:

  • admin$
  • e$
  • c$
  • d$
  • ipc$

If these network shares have full access rights, the worm attempts to drop and execute a copy of itself. If these shares have restricted access, it forces its way into the system using the following user names and passwords:

User names:

Passwords:

  • 000000
  • 00000000
  • 111111
  • 11111111
  • 121212
  • 123123
  • 12345
  • 123456
  • 1234567
  • 12345678
  • 123456789
  • 1234qwer
  • 123abc
  • 123asd
  • 123qwe
  • 54321
  • 654321
  • 88888888
  • abc123
  • admin123
  • alpha
  • asdfghjkl
  • changeme
  • enable
  • foobar
  • godblessyou
  • homework
  • ihavenopass
  • Internet
  • Login
  • metal
  • mybaby
  • mybox
  • mypass
  • oracle
  • passwd
  • Password
  • password
  • password123
  • patrick
  • penis
  • poiuytrewq
  • private
  • pussy
  • qwerty
  • qwertyuiop
  • red123
  • school
  • secret
  • secrets
  • super
  • superman
  • supersecret
  • sybase
  • test123
  • vagina
  • werty
  • xxyyzz
  • zxcvbnm
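Every password in the list above is either a dictionary word, a keyboard walk or a digit run, which is what makes the worm's share attack cheap. The function below is an added example (not from the Trend Micro write-up) of a password-policy check that rejects the exact list and, going one step beyond the page, the patterns it is built from: keyboard-row walks in either direction, repeated or sequential digits, and a dictionary word with digits appended. The dictionary is the write-up's list lowercased; the pattern rules are my generalisation.

```python
"""Added example: reject the passwords this worm tries, plus the patterns behind them."""

# The write-up's password list, lowercased (case is ignored in the check).
AGOBOT_PASSWORDS = frozenset("""
000000 00000000 111111 11111111 121212 123123 12345 123456 1234567 12345678
123456789 1234qwer 123abc 123asd 123qwe 54321 654321 88888888 abc123 admin123
alpha asdfghjkl changeme enable foobar godblessyou homework ihavenopass internet
login metal mybaby mybox mypass oracle passwd password password123 patrick penis
poiuytrewq private pussy qwerty qwertyuiop red123 school secret secrets super
superman supersecret sybase test123 vagina werty xxyyzz zxcvbnm
""".split())

# Keyboard rows that produce walks such as qwerty, asdfghjkl, poiuytrewq.
KEYBOARD_ROWS = ("1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm")


def is_digit_pattern(pw):
    """All digits and either a repeated block (000000, 121212, 123123)
    or a straight ascending/descending run (12345, 654321)."""
    if not pw.isdigit():
        return False
    n = len(pw)
    for block in (1, 2, 3):
        if n % block == 0 and n // block >= 2 and pw == pw[:block] * (n // block):
            return True
    steps = {int(b) - int(a) for a, b in zip(pw, pw[1:])}
    return steps in ({1}, {-1})


def is_keyboard_walk(pw, min_len=4):
    """A substring of one keyboard row, read forwards or backwards."""
    p = pw.lower()
    return len(p) >= min_len and any(p in row or p in row[::-1] for row in KEYBOARD_ROWS)


def check_password(pw):
    """Return (accepted, reason); reason is empty when the password passes."""
    low = pw.lower()
    if low in AGOBOT_PASSWORDS:
        return False, "matches a password this worm tries"
    base = low.rstrip("0123456789")
    if base and base != low and base in AGOBOT_PASSWORDS:
        return False, "worm dictionary word with digits appended"
    if is_digit_pattern(low):
        return False, "repeated or sequential digits"
    if is_keyboard_walk(low):
        return False, "keyboard walk"
    return True, ""


if __name__ == "__main__":
    for candidate in ("changeme", "secret2024", "131313", "asdfgh", "correct horse battery staple"):
        ok, why = check_password(candidate)
        print(f"{candidate!r}: {'ok' if ok else 'rejected (' + why + ')'}")
```

This is a filter for account provisioning or a local-account audit, not a replacement for length and breach-list checks; it exists to make sure the specific credentials and credential shapes this worm relies on cannot be set on administrative shares in the first place.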

Backdoor Capabilities

This malware connects to an IRC channel, where it waits for commands from a malicious user. It may carry out the following tasks on the machine:

  • Exit/remove the bot
  • Display system information/status
  • Display/modify the bot characteristics
  • Open/delete/create a file
  • Resolve DNS
  • Log on/log out/quit a user to a specified IRC server
  • Steal game CD keys
  • List all available commands
  • Execute a file from an FTP site
  • Update the bot from an FTP site
  • Visit a specified URL
  • Download/execute a file from a specified URL
  • Scan for systems vulnerable with RPC DCOM Buffer Overflow
  • Scan for systems vulnerable with RPC Locator vulnerability
  • Scan for systems vulnerable with IIS/WEBDAV vulnerability
  • Scan for systems vulnerable with Workstation Service Vulnerability
  • Scan for weak Netbios passwords
  • Launch a distributed denial of service (DDoS) attack against a target system
  • Redirect network traffic to a different HTTP/TCP/GRE location using SSL
  • Configure the system to act as a proxy server
  • Restart the machine
  • Send spam through AOL
  • Retrieve and send the following information:
    • CPU
    • RAM
    • operating system
    • System Uptime Details

This variant also incorporates a complex SSL engine, which it uses to encrypt the outgoing data packets of its backdoor routine.

Information Theft

This malware steals the Windows Product ID and the CD keys of the following popular games:

Process Termination

This worm terminates the following running processes:

Other Details

This malware also terminates the following processes upon execution:

  • winhlpp32.exe
  • tftpd.exe
  • dllhost.exe
  • winppr32.exe
  • mspatch.exe
  • penis32.exe
  • msblast.exe



Analysis by: Paul Albert Arana

Revision History:

First pattern file version: 5.254.10
First pattern file release date: May 03, 2008

SOLUTION


Minimum scan engine version needed: 6.500

Pattern file needed: 5.567.00

Pattern release date: Sep 25, 2008


Important note: The "Minimum scan engine" refers to the earliest Trend Micro scan engine version guaranteed to detect this threat. However, Trend Micro strongly recommends that you update to the latest version in order to get comprehensive protection. Download the latest scan engine here.

Solution:

Terminating the Malware Program

This procedure terminates the running malware process from memory. You will need the name(s) of the file(s) detected earlier.

Since the malware is memory-resident and it terminates Task Manager when it is executed, we first have to rename the file TASKMGR.EXE to TASKMGR.COM.

  1. Rename TASKMGR.EXE to TASKMGR.COM:
    On Windows NT
    Click Start>Find>Files or Folders.., type TASKMGR.EXE.
    On Windows 2000
    Click Start>Search>For Files or Folders.., type TASKMGR.EXE.
  2. When found, right-click TASKMGR.EXE then select Rename. Rename TASKMGR.EXE to TASKMGR.COM.

To terminate the malware process:

  1. Open Windows Task Manager.
    On Windows 95/98/ME systems, press
    CTRL+ALT+DELETE
    On Windows NT/2000/XP systems, press
    CTRL+SHIFT+ESC, then click the Processes tab.
  2. In the list of running programs*, locate the process:
    DLLCFG32.EXE
  3. Select the malware process, then press either the End Task or the End Process button, depending on the version of Windows on your system.
  4. To check if the malware process has been terminated, close Task Manager, and then open it again.
  5. Close Task Manager.

Removing Autostart Entries from the Registry

Removing autostart entries from the registry prevents the malware from executing during startup.

Since this malware is memory-resident and it terminates the Windows Task Manager, we first have to rename REGEDIT.EXE to REGEDIT.COM.

  1. Rename REGEDIT.EXE to REGEDIT.COM.
    On Windows NT
    Click Start>Find>Files or Folders.., type REGEDIT.EXE.
    On Windows 2000
    Click Start>Search>For Files or Folders.., type REGEDIT.EXE.
  2. When found, right-click REGEDIT.EXE then select Rename. Rename REGEDIT.EXE to REGEDIT.COM.
    Note: This is necessary to avoid executing the malware.

To remove the malware autorun entries:

  1. Open Registry Editor. To do this, click Start>Run, type Regedit, then press Enter.
  2. In the left panel, double-click the following:
    HKEY_LOCAL_MACHINE>Software>Microsoft>
    Windows>CurrentVersion>Run
  3. In the right panel, locate and delete the entry:
    Windows video =" VIDE_32.EXE "
  4. In the left panel, double-click the following:
    HKEY_LOCAL_MACHINE>Software>Microsoft>
    Windows>CurrentVersion>RunServices
  5. In the right panel, locate and delete the entry:
    Windows video =" VIDE_32.EXE "
  6. Close Registry Editor.

NOTE: If you were not able to terminate the malware process from memory as described in the previous procedure, restart your system.

Additional Windows ME/XP Cleaning Instructions

Running Trend Micro Antivirus

Scan your system with Trend Micro antivirus and delete all files detected as WORM_AGOBOT.QA. To do this, Trend Micro customers must download the latest pattern file and scan their system. Other Internet users can use HouseCall, Trend Micro's free online virus scanner.

Applying Patches

Download the latest patch. Information and download links on the vulnerabilities exploited by the malware can be found at the following links:



