WORM_AGOBOT.UV

Malware type: Worm

In the wild: No

Destructive: No

Language: English

Platform: Windows NT, 2000, XP

Encrypted: Yes

Overall risk rating:

Reported infections:

Damage potential:

High

Distribution potential:

High

Description: 

This memory-resident malware has both worm and backdoor capabilities.

Like the earlier AGOBOT variants, it takes advantage of the following Windows vulnerabilities to propagate across networks:

  • Remote Procedure Call (RPC) Distributed Component Object Model (DCOM) vulnerability
  • IIS5/WEBDAV Buffer Overflow vulnerability
  • RPC Locator vulnerability

For more information about these Windows vulnerabilities, please refer to the following Microsoft Web pages:

It drops itself as the file MICROSOFT.EXE in the Windows system folder and attempts to log into systems using a list of passwords.

It attempts to connect to an Internet Relay Chat (IRC) server and joins a specific IRC channel using a random nickname. Upon establishing connection, this malware allows a remote user to execute malicious commands on the infected system.

It also steals CD keys of certain game applications and allows the malicious user to launch Denial of Service attacks against a target site.

This UPX-compressed malware runs on Windows NT, 2000, and XP.

For additional information about this threat, see:

Description created: Feb. 10, 2004 1:18:47 AM GMT -0800
Description updated: Feb. 10, 2004 1:18:45 AM GMT -0800


TECHNICAL DETAILS


Size of malware: 47,104 Bytes

Initial samples received on: Feb 10, 2004

Payload 1: Compromises system security

Trigger condition 1: Upon execution

Details:

Installation and Autostart Techniques

This memory-resident worm drops a copy of itself as the file MICROSOFT.EXE in the Windows system folder.

To enable its automatic execution at every system startup, it creates the following registry entries:

HKEY_LOCAL_MACHINE\Software\Microsoft\
Windows\CurrentVersion\Run
Microsoft Executing = "microsoft.exe"

HKEY_LOCAL_MACHINE\Software\Microsoft\
Windows\CurrentVersion\RunServices
Microsoft Executing = "microsoft.exe"

HKEY_LOCAL_MACHINE\Software\Microsoft\
Windows\CurrentVersion\RunOnce
Microsoft Executing = "microsoft.exe"

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
Microsoft Executing = "microsoft.exe"

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Runonce
Microsoft Executing = "microsoft.exe"

Network Propagation and Exploits

This worm takes advantage of the Remote Procedure Call (RPC) Distributed Component Object Model (DCOM) vulnerability present on Windows XP, which allows an attacker to gain full access and execute any code on a target machine, leaving it compromised.

Read more on this vulnerability from the following link:

This malware looks for vulnerable machines on the network by scanning for random TCP/IP addresses on port 135.

It further uses the RPC Locator vulnerability which affects Windows NT and searches for vulnerable machines on the network by incrementally scanning TCP/IP addresses on port 445.

More information on this vulnerability is available from the following Microsoft page:

This worm also exploits the IIS5/WEBDAV buffer overrun exploit affecting Windows NT, which enables arbitrary codes to execute on the server.

The following link offers more information from Microsoft about this vulnerability:

When it finds a vulnerable target machine, it copies and executes itself on the system.

It also searches for the following network shares:

  • admin$
  • ipc$
  • c$=e:
  • d$=d:
  • e$=c:

If these folders have full access rights, this malware copies itself to the said network shares. However, if these shared folders have restricted access rights, it accesses the system by logging on using the following passwords contained within its code:

  • 12346
  • 123467
  • 1234678
  • 12346789
  • 123467890
  • access
  • accounting
  • accounts
  • admin
  • administrator
  • backup
  • barbara
  • blank
  • brian
  • bruce
  • capitol
  • changeme
  • cisco
  • compaq
  • control
  • database
  • databasepass
  • databasepassword
  • db1234
  • dbpass
  • dbpassword
  • default
  • domain
  • domainpass
  • domainpassword
  • exchange
  • exchnge
  • frank
  • freddy
  • george
  • guest
  • headoffice
  • heaven
  • homeuser
  • internet
  • internet
  • intranet
  • katie
  • login
  • loginpass
  • nokia
  • oeminstall
  • oemuser
  • office
  • orange
  • outlook
  • pass1234
  • pass1234
  • passwd
  • password
  • password1
  • peter
  • peter
  • qwerty
  • server
  • Server
  • siemens
  • spencer
  • sqlpass
  • staff
  • student
  • student1
  • support
  • susan
  • system
  • teacher
  • technical
  • turnip
  • user1
  • user1
  • userpassword
  • win2000
  • win2k
  • win98
  • windows
  • winnt
  • winpass
  • winxp
  • yellow

Backdoor Capabilities

This worm also has backdoor capabilities.

It connects to an Internet Relay Chat (IRC) and then joins a certain IRC channel where it listens for commands from a remote user.

It acts as a bot that responds to private messages with specific keyword triggers; thus, allowing a remote user to access the infected system. The following are the keyword triggers and the corresponding actions:

  • Disable network shares
  • Resolve IP or host name by DNS
  • Execute a .EXE file
  • Open a file
  • Obtain system information, such as:
    • CPU speed
    • Memory size
    • Windows platform, build version, and product ID
    • Malware uptime
    • Current user
  • Flush DNS cache
  • Disable DCOM
  • Disconnect or reconnect from IRC server
  • Change IRC server
  • Join or leave an IRC channel
  • Send a private message through IRC
  • Update itself via HTTP or FTP
  • Download and execute a file from an HTTP or FTP server
  • Restart or shut down machine
  • Log off current user
  • List all running processes
  • Kill a process

Information Theft

This worm is capable of stealing CD keys from the following popular games:

  • Battle Field 1942
  • Battle Field 1942 Road to Rome
  • Command and Conquer Generals
  • Counter-Strike
  • FIFA 2003
  • Half-Life
  • Need for Speed Hot Pursuit 2
  • Neverwinter Night
  • Rainbow Six III RavenShield
  • Soldier of Fortune II Double Helix
  • Unreal Tournament 2003

Denial of Service

This malware allows malicious users to launch the following types of flood attacks against a target site:

  • HTTP flood
  • SYN flood
  • UDP flood
  • ICMP flood


Analysis by: Crescencio F. Reyes


SOLUTION


Minimum scan engine version needed: 5.600

Pattern file needed: 1.759.00

Pattern release date: Feb 10, 2004


Important note: The "Minimum scan engine" refers to the earliest Trend Micro scan engine version guaranteed to detect this threat. However, Trend Micro strongly recommends that you update to the latest version in order to get comprehensive protection. Download the latest scan engine here.

Solution:

Identifying the Malware Program

Before proceeding to remove this malware, first identify the malware program.

Scan your system with Trend Micro antivirus and NOTE all files detected as WORM_AGOBOT.UV. To do this, Trend Micro customers must download the latest pattern file and scan their system. Other Internet users can use HouseCall, Trend Micro's free online virus scanner.

Terminating the Malware Program

This procedure terminates the running malware process from memory. You will need the name(s) of the file(s) detected earlier.

  1. Open Windows Task Manager.
    On Windows 95/98/ME systems, press
    CTRL%20ALT%20DELETE
    On Windows NT/2000/XP systems, press
    CTRL%20SHIFT%20ESC, then click the Processes tab.
  2. In the list of running programs*, locate the malware file or files detected earlier.
  3. Select one of the detected files, then press either the End Task or the End Process button, depending on the version of Windows on your system.
  4. Do the same for all detected malware files in the list of running processes.
  5. To check if the malware process has been terminated, close Task Manager, and then open it again.
  6. Close Task Manager.

*NOTE: On systems running Windows 95/98/ME, Task Manager may not show certain processes. You may use a third party process viewer to terminate the malware process. Otherwise, continue with the next procedure, noting additional instructions.

Removing Autostart Entries from the Registry

Removing autostart entries from the registry prevents the malware from executing during startup.

  1. Open Registry Editor. To do this, click Start>Run, type Regedit, then press Enter.
  2. In the left panel, double-click the following:
    HKEY_LOCAL_MACHINE>Software>Microsoft>
    Windows>CurrentVersion>Run
  3. In the right panel, locate and delete the entry:
    Microsoft Executing = "microsoft.exe"
  4. In the left panel, double-click the following:
    HKEY_LOCAL_MACHINE>Software>Microsoft>Windows>
    CurrentVersion>RunServices
  5. In the right panel, locate and delete the entry:
    Microsoft Executing = "microsoft.exe"
  6. In the left panel, double-click the following:
    HKEY_LOCAL_MACHINE>Software>Microsoft>
    Windows>CurrentVersion>RunOnce
  7. In the right panel, locate and delete the entry:
    Microsoft Executing = "microsoft.exe"
  8. In the left panel, double-click the following:
    HKEY_CURRENT_USER>Software>Microsoft>
    Windows>CurrentVersion>Runonce
  9. In the right panel, locate and delete the entry:
    Microsoft Executing = "microsoft.exe"
  10. In the left panel, double-click the following:
    HKEY_CURRENT_USER>Software>Microsoft>
    Windows>CurrentVersion>Run
  11. In the right panel, locate and delete the entry:
    Microsoft Executing = "microsoft.exe"

NOTE: If you were not able to terminate the malware process from memory as described in the previous procedure, restart your system.

Locating a Malware File

  1. Right-click Start then click Search� or Find� depending on your version of Windows.
  2. In the Named input box, type:
    %System%\microsoft.exe
  3. In the Look In drop-down list, select the drive which contains Windows, then press Enter.

Additional Windows ME/XP Cleaning Instructions

Running Trend Micro Antivirus

Scan your system with Trend Micro antivirus and delete all files detected as WORM_AGOBOT.UV. To do this, Trend Micro customers must download the latest pattern file and scan their system. Other Internet users can use HouseCall, Trend Micro�s free online virus scanner.

Applying Patches

This malware exploits known vulnerabilities on certain platforms. Download and install the critical pathes from the following links:




Trend Micro offers best-of-breed antivirus and content-security solutions for your corporate network, small and medium business, mobile device or home PC.