WORM_AGOBOT.SK

Malware type: Worm

In the wild: Yes

Destructive: No

Language: English

Platform: Windows NT, 2000, XP

Encrypted: No

Overall risk rating:

Reported infections:

Damage potential: High

Distribution potential: High

Description: 

This worm exploits certain vulnerabilities to propagate across networks. It takes advantage of the following Windows vulnerabilities:

  • Remote Procedure Call (RPC) Distributed Component Object Model (DCOM) vulnerability
  • IIS5/WEBDAV Buffer Overflow vulnerability
  • RPC Locator Vulnerability

It attempts to log into systems using a list of user names and passwords. This worm then drops a copy of itself in accessed machines.

It also terminates antivirus-related processes and deletes files dropped by other malware. This worm steals CD keys of certain game applications, then sends the gathered data to a remote user via mIRC, a chat application. It also has backdoor capabilities and may execute remote commands on the host machine.

This malware also modifies the HOSTS file so that the affected user can no longer access certain Web sites, which are usually related to security and antivirus systems.

It runs on Windows NT, 2000 and XP.

Description created: May 6, 2004 6:54:23 AM GMT -0800


TECHNICAL DETAILS


Size of malware: 119,184 Bytes

Initial samples received on: May 6, 2004

Details:
Installation and Autostart Technique

Upon execution, this worm drops a copy of itself as the following file in the Windows system folder:

    VSTKMGR.EXE

(Note: The Windows system folder is usually C:\WINNT\System32 on Windows 2000 and NT, and C:\Windows\System32 on Windows XP.)

It then adds any of the following registry entries, which enable this malware to run automatically at every system startup:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
vst="vstkmgr.exe"

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
vst="vstkmgr.exe"

This malware sets itself as a service by creating the following registry keys and placing important service data in these keys:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_VST

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\vst

It uses the name "vst" for both its service name and display name. It then deletes the original file and transfers control to the dropped file.

Network Shares

This worm searches for the following network shares:

  • print$
  • admin$
  • c$
  • d$
  • e$

It uses a list of common user names and passwords to log on to these shares. When a logon attempt is successful, it copies and executes itself on that system.

Exploits

This worm takes advantage of the Remote Procedure Call (RPC) Distributed Component Object Model (DCOM) vulnerability present on Windows XP systems, which allows an attacker to gain full access and execute any code on a target machine, leaving it compromised.

This worm looks for vulnerable Windows XP machines on the network by scanning random IP addresses on TCP port 135.

It further uses the RPC Locator vulnerability, which affects Windows NT systems, and searches for vulnerable Windows NT machines on the network by incrementally scanning IP addresses on TCP port 445.

This worm also exploits the IIS5/WEBDAV buffer overrun vulnerability affecting Windows NT platforms, which enables arbitrary code to execute on the server.

Backdoor Capabilities

It has a built-in IRC (Internet Relay Chat) client engine which enables it to connect to an IRC channel and await commands from a remote user. These commands include:

  • Connect to a specified IRC server
  • Join an IRC channel
  • Leave an IRC channel
  • Change the IRC server
  • Disconnect from IRC server
  • Perform a mode change in IRC
  • Send message to IRC server
  • Send message to private user
  • Send file using DCC command
  • Use the computer name as a nickname
  • Flush DNS server
  • Display the system info such as CPU, Size of memory, Windows OS and platform ID, User name, uptime
  • Open a file
  • Execute an .exe file
  • Resolve IP/hostname by DNS
  • Perform port redirections
  • Download, update and execute file from FTP
  • Download, update and execute file from a website
  • Visit a website
  • Get list of CD keys
  • List running processes
  • Terminate a process
  • List services
  • Add/Delete an autostart entry
  • Add/Delete service with name
  • Enable/Disable shares
  • Update malware
  • Logout user
  • Restart the computer
  • Shutdown computer
  • Uninstall malware
  • Check malware's status

This worm can also perform flood attacks on a target site using the following methods:

  • ICMP flood
  • UDP flood
  • SYN flood
  • HTTP flood

    Information Theft

    This worm steals CD keys of the following games:

    • Battlefield 1942
    • Battlefield 1942 Secret Weapons of WWII
    • Battlefield 1942 The Road To Rome
    • Battlefield 1942 Vietnam
    • Black and White
    • Call of Duty
    • Command and Conquer: Generals
    • Command and Conquer: Generals: Zero Hour
    • Command and Conquer: Red Alert2
    • Command and Conquer: Tiberian Sun
    • Counter-Strike
    • FIFA 2002
    • FIFA 2003
    • Freedom Force
    • Global Operations
    • Gunman Chronicles
    • Half-Life
    • Hidden and Dangerous 2
    • IGI2: Covert Strike
    • Industry Giant 2
    • James Bond 007 Nightfire
    • Medal of Honor Allied Assault
    • Medal of Honor Allied Assault Breakthrough
    • Medal of Honor Allied Assault Spearhead
    • Nascar Racing 2002
    • Nascar Racing 2003
    • Need For Speed Hot Pursuit 2
    • Need For Speed Underground
    • Neverwinter Nights
    • NHL 2002
    • NHL 2003
    • Ravenshield
    • Shogun Total War - Warlord Edition
    • Soldier of Fortune II - Double Helix
    • Soldiers Of Anarchy
    • The Gladiators
    • Unreal Tournament 2003
    • Unreal Tournament 2004

    It also steals the Windows Product ID, the AOL screen name, and email addresses from the Windows Address Book (WAB) of the infected system.

    Antivirus Retaliation

    This worm terminates the following antivirus and firewall processes:

    • _AVP32.EXE
    • _AVPCC.EXE
    • _AVPM.EXE
    • ACKWIN32.EXE
    • ADAWARE.EXE
    • ADSPIDER.EXE
    • ADVXDWIN.EXE
    • AGENTSVR.EXE
    • AGENTW.EXE
    • ALERTSVC.EXE
    • ALEVIR.EXE
    • ALOGSERV.EXE
    • AMON9X.EXE
    • ANTI-TROJAN.EXE
    • ANTIVIRUS.EXE
    • ANTS.EXE
    • APIMONITOR.EXE
    • APLICA32.EXE
    • APVXDWIN.EXE
    • ARR.EXE
    • ASCLT.EXE
    • ATCON.EXE
    • ATGUARD.EXE
    • ATRO55EN.EXE
    • ATUPDATER.EXE
    • ATWATCH.EXE
    • AU.EXE
    • AUPDATE.EXE
    • AUTODOWN.EXE
    • AUTO-PROTECT.NAV80TRY.EXE
    • AUTOTRACE.EXE
    • AUTOUPDATE.EXE
    • AVCONSOL.EXE
    • AVE32.EXE
    • AVGCC32.EXE
    • AVGCTRL.EXE
    • AVGNT.EXE
    • AVGSERV.EXE
    • AVGSERV9.EXE
    • AVGUARD.EXE
    • AVGW.EXE
    • AVKPOP.EXE
    • AVKSERV.EXE
    • AVKSERVICE.EXE
    • AVKWCTl9.EXE
    • AVLTMAIN.EXE
    • AVNT.EXE
    • AVP.EXE
    • AVP32.EXE
    • AVPCC.EXE
    • AVPDOS32.EXE
    • AVPM.EXE
    • AVPTC32.EXE
    • AVPUPD.EXE
    • AVSCHED32.EXE
    • AVSYNMGR.EXE
    • AVWIN95.EXE
    • AVWINNT.EXE
    • AVWUPD.EXE
    • AVWUPD32.EXE
    • AVWUPSRV.EXE
    • AVXMONITOR9X.EXE
    • AVXMONITORNT.EXE
    • AVXQUAR.EXE
    • BACKWEB.EXE
    • BARGAINS.EXE
    • BD_PROFESSIONAL.EXE
    • BEAGLE.EXE
    • BELT.EXE
    • BIDEF.EXE
    • BIDSERVER.EXE
    • BIPCP.EXE
    • BIPCPEVALSETUP.EXE
    • BISP.EXE
    • BLACKD.EXE
    • BLACKICE.EXE
    • BLSS.EXE
    • BM98BODY.EXE
    • BOOTCONF.EXE
    • BOOTWARN.EXE
    • BORG2.EXE
    • BPC.EXE
    • BRASIL.EXE
    • BS120.EXE
    • BUNDLE.EXE
    • BVT.EXE
    • CCAPP.EXE
    • CCEVTMGR.EXE
    • CCINFO.EXE
    • CCPXYSVC.EXE
    • CDP.EXE
    • CFD.EXE
    • CFGWIZ.EXE
    • CFIADMIN.EXE
    • CFIAUDIT.EXE
    • CFINET.EXE
    • CFINET32.EXE
    • Claw95.EXE
    • CLAW95CF.EXE
    • CLEAN.EXE
    • CLEANER.EXE
    • CLEANER3.EXE
    • CLEANPC.EXE
    • CLICK.EXE
    • CMD32.EXE
    • CMESYS.EXE
    • CMGRDIAN.EXE
    • CMON016.EXE
    • CONF.EXE
    • CONNECTIONMONITOR.EXE
    • CPD.EXE
    • CPF9X206.EXE
    • CPFNT206.EXE
    • CSRS32.EXE
    • CTRL.EXE
    • CV.EXE
    • CWNB181.EXE
    • CWNTDWMO.EXE
    • D3DUPDATE.EXE
    • DATEMANAGER.EXE
    • DCOMX.EXE
    • DEFALERT.EXE
    • DEFSCANGUI.EXE
    • DEFWATCH.EXE
    • DEPUTY.EXE
    • DIVX.EXE
    • DL32.EXE
    • DLLCACHE.EXE
    • DLLREG.EXE
    • DNTUS26.EXE
    • DOORS.EXE
    • DPF.EXE
    • DPFSETUP.EXE
    • DPPS2.EXE
    • DRWATSON.EXE
    • DRWEB32.EXE
    • DRWEBUPW.EXE
    • DSSAGENT.EXE
    • DVP95.EXE
    • DVP95_0.EXE
    • ECENGINE.EXE
    • EFPEADM.EXE
    • EMSW.EXE
    • ENT.EXE
    • ESAFE.EXE
    • ESCANH95.EXE
    • ESCANHNT.EXE
    • ESCANV95.EXE
    • ESPWATCH.EXE
    • ETHEREAL.EXE
    • ETRUSTCIPE.EXE
    • EVPN.EXE
    • EXANTIVIRUS-CNET.EXE
    • EXE.AVXW.EXE
    • EXPERT.EXE
    • EXPL.EXE
    • EXPLORE.EXE
    • EXPLORED.EXE
    • F-AGNT95.EXE
    • F-AGOBOT.EXE
    • FAMEH32.EXE
    • FAST.EXE
    • FCH32.EXE
    • FIH32.EXE
    • FINDVIRU.EXE
    • FIREDAEMON.EXE
    • FIREWALL.EXE
    • FLOWPROTECTOR.EXE
    • FNRB32.EXE
    • FPROT.EXE
    • F-PROT.EXE
    • F-PROT95.EXE
    • FP-WIN.EXE
    • FP-WIN_TRIAL.EXE
    • FRW.EXE
    • FSAA.EXE
    • FSAV.EXE
    • FSAV32.EXE
    • FSAV530STBYB.EXE
    • FSAV530WTBYB.EXE
    • FSAV95.EXE
    • FSGK32.EXE
    • FSM32.EXE
    • FSMA32.EXE
    • FSMB32.EXE
    • F-STOPW.EXE
    • FVPROTECT.EXE
    • GATOR.EXE
    • GBMENU.EXE
    • GBPOLL.EXE
    • GENERICS.EXE
    • GMT.EXE
    • GT.EXE
    • GUARD.EXE
    • GUARDDOG.EXE
    • HACKTRACERSETUP.EXE
    • HBINST.EXE
    • HBSRV.EXE
    • HIJACKTHIS.EXE
    • HOTACTIO.EXE
    • HOTPATCH.EXE
    • HTLOG.EXE
    • HTPATCH.EXE
    • HWPE.EXE
    • HXDEF370.EXE
    • HXDL.EXE
    • HXIUL.EXE
    • IAMAPP.EXE
    • IAMSERV.EXE
    • IAMSTATS.EXE
    • IBMASN.EXE
    • IBMAVSP.EXE
    • ICLOAD95.EXE
    • ICLOADNT.EXE
    • ICMON.EXE
    • ICSUPP95.EXE
    • ICSUPPNT.EXE
    • IDLE.EXE
    • IEDLL.EXE
    • IEDRIVER.EXE
    • IEXPLORER.EXE
    • IFACE.EXE
    • IFW2000.EXE
    • INETLNFO.EXE
    • INFUS.EXE
    • INFWIN.EXE
    • INIT.EXE
    • INTDEL.EXE
    • INTREN.EXE
    • IOMON98.EXE
    • IPARMOR.EXE
    • IPBIND.EXE
    • IPCONFIG.EXE
    • IRIS.EXE
    • IROFFER.EXE
    • ISASS.EXE
    • ISRV95.EXE
    • ISTSVC.EXE
    • IXPLORES.EXE
    • JAMMER.EXE
    • JDBGMRG.EXE
    • JEDI.EXE
    • KAVLITE40ENG.EXE
    • KAVPERS40ENG.EXE
    • KAVPF.EXE
    • KAZZA.EXE
    • KEENVALUE.EXE
    • KERIO-PF-213-EN-WIN.EXE
    • KERIO-WRL-421-EN-WIN.EXE
    • KERIO-WRP-421-EN-WIN.EXE
    • KERNEL32.EXE
    • KILLPROCESSSETUP161.EXE
    • LAUNCHER.EXE
    • LDNETMON.EXE
    • LDPRO.EXE
    • LDPROMENU.EXE
    • LDSCAN.EXE
    • LNETINFO.EXE
    • LOADER.EXE
    • LOCALNET.EXE
    • LOCKDOWN.EXE
    • LOCKDOWN2000.EXE
    • LOOKOUT.EXE
    • LORDPE.EXE
    • LSETUP.EXE
    • LUALL.EXE
    • LUAU.EXE
    • LUCOMSERVER.EXE
    • LUINIT.EXE
    • LUSPT.EXE
    • MAPISVC32.EXE
    • MCAGENT.EXE
    • MCMNHDLR.EXE
    • MCSHIELD.EXE
    • MCTOOL.EXE
    • MCUPDATE.EXE
    • MCVSRTE.EXE
    • MCVSSHLD.EXE
    • MD.EXE
    • MEP#####.TMP.EXE
    • METALROCK-IS-GAY.EXE
    • MFIN32.EXE
    • MFW2EN.EXE
    • MFWENG3.02D30.EXE
    • MGAVRTCL.EXE
    • MGAVRTE.EXE
    • MGHTML.EXE
    • MGNWIN32.EXE
    • MGUI.EXE
    • MINILOG.EXE
    • MMOD.EXE
    • MONITOR.EXE
    • MONSVCNT.EXE
    • MOOLIVE.EXE
    • MOSTAT.EXE
    • MPFAGENT.EXE
    • MPFSERVICE.EXE
    • MPFTRAY.EXE
    • MRFLUX.EXE
    • MSAPP.EXE
    • MSBB.EXE
    • MSBLAST.EXE
    • MSCACHE.EXE
    • MSCCN32.EXE
    • MSCMAN.EXE
    • MSCONFIG.EXE
    • MSDM.EXE
    • MSDN.EXE
    • MSDOS.EXE
    • MSGFIX.EXE
    • MSIEXEC16.EXE
    • MSINFO32.EXE
    • MSLAUGH.EXE
    • MSMGT.EXE
    • MSMSGRI32.EXE
    • MSNGER32.EXE
    • MSNGRT.EXE
    • MSSMMC32.EXE
    • MSSYS.EXE
    • MSVB32.EXE
    • MSVD32.EXE
    • MSVXD.EXE
    • MU0311AD.EXE
    • MWATCH.EXE
    • N32SCANW.EXE
    • NAV.EXE
    • NAVAP.NAVAPSVC.EXE
    • NAVAPSVC.EXE
    • NAVAPW32.EXE
    • NAVDX.EXE
    • NAVENGNAVEX15.NAVLU32.EXE
    • NAVLU32.EXE
    • NAVNT.EXE
    • NAVSTUB.EXE
    • NAVW32.EXE
    • NAVWNT.EXE
    • NC2000.EXE
    • NCINST4.EXE
    • NDD32.EXE
    • NEOMONITOR.EXE
    • NEOWATCHLOG.EXE
    • NETARMOR.EXE
    • NETCLIENT.EXE
    • NETD32.EXE
    • NETINFO.EXE
    • NETMON.EXE
    • NETSCANPRO.EXE
    • NETSPYHUNTER-1.2.EXE
    • NETSTAT.EXE
    • NETUTILS.EXE
    • NISSERV.EXE
    • NISUM.EXE
    • NMAIN.EXE
    • NOD32.EXE
    • NORMIST.EXE
    • NORTON_INTERNET_SECU_3.0_407.EXE
    • NOTSTART.EXE
    • NPF40_TW_98_NT_ME_2K.EXE
    • NPFMESSENGER.EXE
    • NPROTECT.EXE
    • NPSCHECK.EXE
    • NPSSVC.EXE
    • NSCHED32.EXE
    • NSSYS32.EXE
    • NSTASK32.EXE
    • NSUPDATE.EXE
    • NT.EXE
    • NTRTSCAN.EXE
    • NTSERVICE.EXE
    • NTSYSKRNL.EXE
    • NTVDM.EXE
    • NTXconfig.EXE
    • NUI.EXE
    • NUPGRADE.EXE
    • NVARCH16.EXE
    • NVC95.EXE
    • NVSVC32.EXE
    • NWINST4.EXE
    • NWSERVICE.EXE
    • NWTOOL16.EXE
    • OLEHELP.EXE
    • OLLYDBG.EXE
    • ONSRVR.EXE
    • OPTIMIZE.EXE
    • OSTRONET.EXE
    • OTFIX.EXE
    • OUTPOST.EXE
    • OUTPOSTINSTALL.EXE
    • OUTPOSTPROINSTALL.EXE
    • PADMIN.EXE
    • PANIXK.EXE
    • PATCH.EXE
    • PAVCL.EXE
    • PAVPROXY.EXE
    • PAVSCHED.EXE
    • PAVW.EXE
    • PCC2002S902.EXE
    • PCC2K_76_1436.EXE
    • PCCIOMON.EXE
    • PCCNTMON.EXE
    • PCCWIN97.EXE
    • PCCWIN98.EXE
    • PCDSETUP.EXE
    • PCFWALLICON.EXE
    • PCIP10117_0.EXE
    • PCSCAN.EXE
    • PDSETUP.EXE
    • PEERER32.EXE
    • PENIS.EXE
    • PERISCOPE.EXE
    • PERSFW.EXE
    • PERSWF.EXE
    • PF2.EXE
    • PFWADMIN.EXE
    • PGMONITR.EXE
    • PINGSCAN.EXE
    • PLATIN.EXE
    • POP3TRAP.EXE
    • POPROXY.EXE
    • POPSCAN.EXE
    • PORTDETECTIVE.EXE
    • PORTMONITOR.EXE
    • POWERSCAN.EXE
    • PPINUPDT.EXE
    • PPTBC.EXE
    • PPVSTOP.EXE
    • PRIZESURFER.EXE
    • PRMT.EXE
    • PRMVR.EXE
    • PROCDUMP.EXE
    • PROCESSMONITOR.EXE
    • PROCEXPLORERV1.0.EXE
    • PROGRAMAUDITOR.EXE
    • PROPORT.EXE
    • PROTECTX.EXE
    • PSPF.EXE
    • PURGE.EXE
    • PUSSY.EXE
    • PVIEW95.EXE
    • QCONSOLE.EXE
    • QSERVER.EXE
    • RAPAPP.EXE
    • RAV7.EXE
    • RAV7WIN.EXE
    • RAV8WIN32ENG.EXE
    • RAY.EXE
    • RB32.EXE
    • RCSYNC.EXE
    • REALMON.EXE
    • REGED.EXE
    • REGEDIT.EXE
    • REGEDT32.EXE
    • RESCUE.EXE
    • RESCUE32.EXE
    • RRGUARD.EXE
    • RSHELL.EXE
    • RTVSCAN.EXE
    • RTVSCN95.EXE
    • RULAUNCH.EXE
    • RUN32DLL.EXE
    • RUNDLL.EXE
    • RUNDLL16.EXE
    • RUXDLL32.EXE
    • SAFEWEB.EXE
    • SAHAGENT.EXE
    • SAVE.EXE
    • SAVENOW.EXE
    • SBSERV.EXE
    • SC.EXE
    • SCAM32.EXE
    • SCAN32.EXE
    • SCAN95.EXE
    • SCANPM.EXE
    • SCCHOSTC.EXE
    • SCRSCAN.EXE
    • SCRSVR.EXE
    • SCVHOST.EXE
    • SD.EXE
    • SERV95.EXE
    • SERVICE.EXE
    • SERVLCE.EXE
    • SERVLCES.EXE
    • SERVUDAEMON.EXE
    • SETUP_FLOWPROTECTOR_US.EXE
    • SETUPVAMEEVAL.EXE
    • SFC.EXE
    • SGSSFW32.EXE
    • SH.EXE
    • SHELLSPYINSTALL.EXE
    • SHN.EXE
    • SHOWBEHIND.EXE
    • SKYSRV.EXE
    • SMC.EXE
    • SMS.EXE
    • SMSS32.EXE
    • SMSSNT.EXE
    • SMSSV.EXE
    • SNDLOADER.EXE
    • SOAP.EXE
    • SOFI.EXE
    • SPERM.EXE
    • SPF.EXE
    • SPHINX.EXE
    • SPOLER.EXE
    • SPOOLCV.EXE
    • SPOOLSV32.EXE
    • SPYXX.EXE
    • SREXE.EXE
    • SRNG.EXE
    • SRVHOST.EXE
    • SS3EDIT.EXE
    • SSG_4104.EXE
    • SSGRATE.EXE
    • ST2.EXE
    • START.EXE
    • STCLOADER.EXE
    • SUPFTRL.EXE
    • SUPPORT.EXE
    • SUPPORTER5.EXE
    • SVC.EXE
    • SVCHOSTC.EXE
    • SVCHOSTS.EXE
    • SVRHOST.EXE
    • SVSHOST.EXE
    • SWEEP95.EXE
    • SWEEPNET.SWEEPSRV.SYS.SWNETSUP.EXE
    • SYMPROXYSVC.EXE
    • SYMTRAY.EXE
    • SYSATSITE.EXE
    • SYSEDIT.EXE
    • SYSEXECHK.EXE
    • SYSEXPLR.EXE
    • SYSPOOL.EXE
    • SYSTEM.EXE
    • SYSTEM32.EXE
    • SYSUPD.EXE
    • TASKMG.EXE
    • TASKMO.EXE
    • TASKMON.EXE
    • TAUMON.EXE
    • TBSCAN.EXE
    • TC.EXE
    • TCA.EXE
    • TCM.EXE
    • TDS2-98.EXE
    • TDS2-NT.EXE
    • TDS-3.EXE
    • TEEKIDS.EXE
    • TFAK.EXE
    • TFAK5.EXE
    • TGBOB.EXE
    • TITANIN.EXE
    • TITANINXP.EXE
    • TPWRTRAY.EXE
    • TRACERT.EXE
    • TRICKLER.EXE
    • TRJSCAN.EXE
    • TRJSETUP.EXE
    • TROJANTRAP3.EXE
    • TSADBOT.EXE
    • TVFTPSRV.EXE
    • TVMD.EXE
    • TVMGR.EXE
    • TVTMD.EXE
    • UNDOBOOT.EXE
    • UPDAT.EXE
    • UPDATE.EXE
    • UPGRAD.EXE
    • UTPOST.EXE
    • VBCMSERV.EXE
    • VBCONS.EXE
    • VBUST.EXE
    • VBWIN9X.EXE
    • VBWINNTW.EXE
    • VCSETUP.EXE
    • VET32.EXE
    • VET95.EXE
    • VETTRAY.EXE
    • VFSETUP.EXE
    • VIR-HELP.EXE
    • VIRUSMDPERSONALFIREWALL.EXE
    • VNLAN300.EXE
    • VNPC3000.EXE
    • VPC32.EXE
    • VPC42.EXE
    • VPFW30S.EXE
    • VPTRAY.EXE
    • VSCAN40.EXE
    • VSCENU6.02D30.EXE
    • VSCHED.EXE
    • VSECOMR.EXE
    • VSHWIN32.EXE
    • VSISETUP.EXE
    • VSMAIN.EXE
    • VSMON.EXE
    • VSSTAT.EXE
    • VSWIN9XE.EXE
    • VSWINNTSE.EXE
    • VSWINPERSE.EXE
    • W32DSM89.EXE
    • W9X.EXE
    • WATCHDOG.EXE
    • WC11STA.EXE
    • WCMDMGR.EXE
    • WEBANTIVIRUSUPDATE.EXE
    • WEBDAV.EXE
    • WEBSCANX.EXE
    • WEBTRAP.EXE
    • WFINDV32.EXE
    • WGFE95.EXE
    • WHOSWATCHINGME.EXE
    • WIMMUN32.EXE
    • WIN32.EXE
    • WIN32US.EXE
    • WIN932.EXE
    • WINACTIVE.EXE
    • WINBOOT32.EXE
    • WIN-BUGSFIX.EXE
    • WINCE.EXE
    • WINCRT32.EXE
    • WINDOW.EXE
    • WINDOWS.EXE
    • WINFIX3.EXE
    • WININETD.EXE
    • WININIT.EXE
    • WININITX.EXE
    • WINLOGIN.EXE
    • WINMAIN.EXE
    • WINNET.EXE
    • WINNT32.EXE
    • WINPPR32.EXE
    • WINRECON.EXE
    • WINSECURE.EXE
    • WINSERVN.EXE
    • WINSRV.EXE
    • WINSSK32.EXE
    • WINSTART.EXE
    • WINSTART001.EXE
    • WINTSK32.EXE
    • WINUPDATE.EXE
    • WINUPDATER.EXE
    • WINUSER32.EXE
    • WINVNC.EXE
    • WIUPDATMGR.EXE
    • WKUFIND.EXE
    • WNAD.EXE
    • WNT.EXE
    • WRADMIN.EXE
    • WRCTRL.EXE
    • WSBGATE.EXE
    • WUAMGRD.EXE
    • WUAMGRD2.EXE
    • WUAPDP.EXE
    • WUPDATER.EXE
    • WUPDT.EXE
    • WYVERNWORKSFIREWALL.EXE
    • XPF202EN.EXE
    • ZAPRO.EXE
    • ZAPSETUP3001.EXE
    • ZATUTOR.EXE
    • ZONALM2601.EXE
    • ZONEALARM.EXE

    HOSTS File Modification

    This malware also modifies the HOSTS file, which contains host name to IP address mappings. It is usually located in the following folders:

    • %System%\drivers\etc
    • %Windows%

    (Note: %System% refers to the Windows system folder, which is usually C:\WINNT\System32 on Windows NT and 2000, and C:\Windows\System32 on Windows XP. %Windows% is the default Windows folder, usually C:\Windows or C:\WINNT.)

    It appends data to the said file to prevent the user from accessing any of the following antivirus and security-related Web sites:

    • avp.com
    • ca.com
    • customer.symantec.com
    • dispatch.mcafee.com
    • download.mcafee.com
    • f-secure.com
    • kaspersky.com
    • liveupdate.symantec.com
    • liveupdate.symantecliveupdate.com
    • mast.mcafee.com
    • mcafee.com
    • my-etrust.com
    • nai.com
    • networkassociates.com
    • rads.mcafee.com
    • secure.nai.com
    • securityresponse.symantec.com
    • sophos.com
    • symantec.com
    • trendmicro.com
    • update.symantec.com
    • updates.symantec.com
    • us.mcafee.com
    • viruslist.com
    • www.avp.com
    • www.ca.com
    • www.f-secure.com
    • www.grisoft.com
    • www.kaspersky.com
    • www.mcafee.com
    • www.my-etrust.com
    • www.nai.com
    • www.networkassociates.com
    • www.sophos.com
    • www.symantec.com
    • www.trendmicro.com
    • www.viruslist.com

    Trend Micro detects the modified HOSTS file as DOS_AGOBOT.GEN.
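As an added defender-side example (not part of the Trend Micro write-up), the following Python checker parses a Windows HOSTS file, flags any mapping for one of the vendor domains listed above (or a subdomain of one), and produces a cleaned copy with those lines removed. The sample HOSTS content is constructed for the demonstration, and the domain set is a subset of the list above.

```python
"""Audit a Windows HOSTS file for entries that hijack security-vendor domains.

WORM_AGOBOT.SK appends lines to HOSTS so that antivirus and security sites
no longer resolve correctly. This checker parses the file, flags any mapping
for a domain on the block list (or a subdomain of one), and builds a cleaned
copy with those lines removed. SAMPLE_HOSTS below is constructed for the
demonstration; it is not taken from an infected machine.
"""
import re
from typing import List, NamedTuple

# Subset of the vendor domains the worm is documented to block.
BLOCKED_DOMAINS = {
    "avp.com", "ca.com", "f-secure.com", "grisoft.com", "kaspersky.com",
    "mcafee.com", "my-etrust.com", "nai.com", "networkassociates.com",
    "sophos.com", "symantec.com", "symantecliveupdate.com",
    "trendmicro.com", "viruslist.com",
}


class Finding(NamedTuple):
    line_no: int   # 1-based line in the HOSTS file
    address: str   # IP the hostname was pinned to (typically 127.0.0.1)
    hostname: str  # the hijacked vendor hostname


def _is_blocked(hostname: str) -> bool:
    """True if hostname equals, or is a subdomain of, a listed vendor domain."""
    host = hostname.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in BLOCKED_DOMAINS)


def audit_hosts(text: str) -> List[Finding]:
    """Return every hijacked mapping in the HOSTS text, in file order."""
    findings = []
    for no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # strip comments and whitespace
        if not line:
            continue
        fields = re.split(r"\s+", line)       # "<address> <name> [<name>...]"
        address, names = fields[0], fields[1:]
        for name in names:
            if _is_blocked(name):
                findings.append(Finding(no, address, name))
    return findings


def clean_hosts(text: str) -> str:
    """Return the HOSTS text with every line holding a hijacked mapping removed."""
    bad_lines = {f.line_no for f in audit_hosts(text)}
    kept = [raw for no, raw in enumerate(text.splitlines(), start=1)
            if no not in bad_lines]
    return "\n".join(kept) + ("\n" if text.endswith("\n") else "")


# Constructed sample: a normal HOSTS file with worm-style lines appended.
SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
192.168.1.10    fileserver   fileserver.corp.example   # legitimate entry
127.0.0.1 www.symantec.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 www.trendmicro.com
0.0.0.0\tsecurityresponse.symantec.com
"""

if __name__ == "__main__":
    for f in audit_hosts(SAMPLE_HOSTS):
        print(f"line {f.line_no}: {f.hostname} -> {f.address}")
    print(clean_hosts(SAMPLE_HOSTS), end="")
```

To check a live system, read %System%\drivers\etc\hosts into `audit_hosts`; any hit for these domains is reason to inspect the machine further.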

    Other Details

    This malware may delete the following files, which are usually related to other malware programs:

    • taskmon.exe
    • bbeagle.exe
    • d3dupdate.exe
    • winsys.exe
    • ssate.exe
    • i11r54n4.exe
    • rate.exe
    • irun4.exe

    Analysis by: Karmina Aquino


SOLUTION


    Minimum scan engine version needed: 6.500

    Pattern file needed: 1.886.57

    Pattern release date: May 6, 2004


    Important note: The "Minimum scan engine" refers to the earliest Trend Micro scan engine version guaranteed to detect this threat. However, Trend Micro strongly recommends that you update to the latest version in order to get comprehensive protection. Download the latest scan engine here.

    Solution:

    Identifying the Malware Program

    Before proceeding to remove this malware, first identify the malware program.

    Scan your system with Trend Micro antivirus and NOTE all files detected as WORM_AGOBOT.SK. To do this, Trend Micro customers must download the latest pattern file and scan their system. Other Internet users can use HouseCall, Trend Micro's free online virus scanner.

    Restarting in Safe Mode

    Restarting your system in safe mode prevents the malware from running as a service and disables its autostart routine.

    • On Windows NT (VGA mode)

    1. Click Start>Settings>Control Panel.
    2. Double-click the System icon.
    3. Click the Startup/Shutdown tab.
    4. Set the Show List field to 10 seconds and click OK to save this change.
    5. Shut down and restart your computer.
    6. Select VGA mode from the startup menu.

    • On Windows 2000

    1. Restart your computer.
    2. Press the F8 key, when you see the Starting Windows bar at the bottom of the screen.
    3. Choose the Safe Mode option from the Windows Advanced Options Menu then press Enter.

    • On Windows XP

    1. Restart your computer.
    2. Press F8 after the Power-On Self Test (POST) is done. If the Windows Advanced Options Menu does not appear, try restarting and then pressing F8 several times after the POST screen.
    3. Choose the Safe Mode option from the Windows Advanced Options Menu then press Enter.

    Note: After performing all the solutions for the removal of this malware, please restart your system normally, and run your Trend Micro antivirus product.

    Terminating the Malware Program

    This procedure terminates the running malware process from memory. You will need the name(s) of the file(s) detected earlier.

    1. Open Windows Task Manager.
      On Windows 95/98/ME systems, press CTRL+ALT+DELETE.
      On Windows NT/2000/XP systems, press CTRL+SHIFT+ESC, then click the Processes tab.
    2. In the list of running programs*, locate the malware file or files detected earlier.
    3. Select one of the detected files, then press either the End Task or the End Process button, depending on the version of Windows on your system.
    4. Do the same for all detected malware files in the list of running processes.
    5. To check if the malware process has been terminated, close Task Manager, and then open it again.
    6. Close Task Manager.

    *NOTE: On systems running Windows 95/98/ME, Task Manager may not show certain processes. You may use a third party process viewer to terminate the malware process. Otherwise, continue with the next procedure, noting additional instructions.

    Removing Autostart Entries from the Registry

    Removing autostart entries from the registry prevents the malware from executing during startup.

    To remove the malware autostart entries:

    1. Open Registry Editor. To do this, click Start>Run, type Regedit, then press Enter.
    2. In the left panel, double-click the following:
      HKEY_LOCAL_MACHINE>Software>Microsoft>Windows>CurrentVersion>Run
    3. In the right panel, locate and delete the entry:
      vst="vstkmgr.exe"
    4. In the left panel, double-click the following:
      HKEY_LOCAL_MACHINE>Software>Microsoft>Windows>CurrentVersion>RunServices
    5. In the right panel, locate and delete the entry or entries:
      vst="vstkmgr.exe"
    6. Close Registry Editor.
    NOTE: If you were not able to terminate the malware process from memory as described in the previous procedure, restart your system.

    Applying Patches

    This malware exploits known vulnerabilities affecting the Windows NT platforms. Download and install the following to patch your system.

    Refrain from using the affected software until the appropriate patch has been installed.

    Additional Windows XP Cleaning Instructions

    Running Trend Micro Antivirus

    Scan your system with Trend Micro antivirus and delete all files detected as WORM_AGOBOT.SK. To do this, Trend Micro customers must download the latest pattern file and scan their system. Other Internet users can use HouseCall, Trend Micro's free online virus scanner.
