WORM_AGOBOT.XM

Malware type: Worm

In the wild: No

Destructive: No

Language: English

Platform: Windows 95, 98, ME, NT, 2000, XP

Encrypted: No

Overall risk rating:

Reported infections:

Damage potential:

High

Distribution potential:

High

Description: 

This worm arrives via network shares. To propagate, it uses NetBEUI functions to get available lists of user names and passwords from a system. It lists down available network shares and uses the gathered user names and passwords to access these shares and drop a copy of itself.

It also uses a list of user names and passwords apart from those that were gathered from the system. It also generates IP addresses and attempts to drop copies of itself in default shares of target systems.

It also exploits the following Windows vulnerabilities to propagate:

  • RPC/DCOM vulnerability
  • RPC Locator vulnerability
  • IIS/WebDAV vulnerability

More information on these vulnerabilities can be found in the following Web pages:

This worm has backdoor capabilities. It acts as a server program controlled by an Internet Relay Chat (IRC) bot. It connects to an IRC server and then joins an IRC channel.

Once connected, this server program receives commands from the IRC bot. The bot inputs the commands in the IRC console and waits to receive information from the server. The said commands are used to control the target system and the behavior of the server program.

This worm is also capable of gathering CD keys from certain software. It also allows remote users to launch flood attacks from infected machines against a target site.

It runs on Windows 95, 98, ME, NT, 2000, and XP.

For additional information about this threat, see:

Description created: Sep. 24, 2004 12:58:27 AM GMT -0800


TECHNICAL DETAILS


Size of malware: 96, 768 Bytes

Initial samples received on: Sep 22, 2004

Payload 1: Compromises system security

Payload 2: Launches DoS attacks

Payload 3: Steals CD keys

Details:

Arrival and Installation

This worm arrives via network shares. Upon execution, it drops a copy of itself in the Windows system folder as VPC32.EXE.

To ensure its automatic execution at every Windows startup, it creates the following registry entries:

HKEY_CURRENT_USER\Software\Microsoft\Windows\
CurrentVersion\Run
Microsoft Update = "VPC32.EXE"

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\
CurrentVersion\Run
Microsoft Update = "VPC32.EXE"

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\
CurrentVersion\RunServices
Microsoft Update = "VPC32.EXE"

The last registry entry also ensures that it runs as a service process in NT-based Windows (NT, 2000, and XP).

Propagation and Exploits

This worm spreads via network shares. It uses NetBEUI functions to get available lists of user names and passwords from a system. It lists down available network shares and uses the gathered user names and passwords to access these shares and drop copies of itself.

It also uses the following list of user names and passwords apart from those that were gathered from the system:

  • 12345
  • 123456
  • 1234567
  • 12345678
  • 123456789
  • 1234567890
  • access
  • accounting
  • accounts
  • admin
  • admin
  • administrador
  • administrador
  • administrat
  • administrat
  • administrateur
  • administrateur
  • administrator
  • administrator
  • admins
  • admins
  • backup
  • bitch
  • blank
  • brian
  • changeme
  • chris
  • cisco
  • compaq
  • computer
  • control
  • database
  • database
  • databasepass
  • databasepassword
  • db1234
  • dbpass
  • dbpassword
  • default
  • default
  • domain
  • domainpass
  • domainpassword
  • exchange
  • george
  • guest
  • guest
  • hello
  • homeuser
  • internet
  • internet
  • intranet
  • katie
  • linux
  • login
  • loginpass
  • nokia
  • oeminstall
  • oemuser
  • office
  • oracle
  • oracle
  • orainstall
  • outlook
  • owner
  • pass1234
  • passwd
  • password
  • password1
  • peter
  • peter
  • qwerty
  • server
  • siemens
  • sqlpassoainstall
  • staff
  • staff
  • student
  • student
  • susan
  • system
  • teacher
  • teacher
  • technical
  • win2000
  • win2k
  • win98
  • windows
  • winnt
  • winpass
  • winxp
  • wwwadmin

It also generates IP addresses and attempts to drop copies of itself in the following default shares of target systems:

  • ADMIN$
  • C$
  • IPC$

This worm remotely executes every successfully dropped copy of itself as a service.

This worm also exploits the following Windows vulnerabilities to propagate:

  • RPC/DCOM vulnerability

This vulnerability allows an attacker to gain full access and execute any code on a target machine by sending a malformed packet to the DCOM service. It uses the RPC TCP port 135.

  • RPC Locator vulnerability

This allows an attacker to execute codes on a target machine by sending a malformed packet request to the Locator service. The port related to this exploit is TCP port 445.

  • IIS/WebDAV vulnerability

This vulnerability enables arbitrary codes to execute on the WebDAV server by also sending a malformed request packet. This exploit is a service related to the HTTP on port 80.

More information on these vulnerabilities can be found in the following Web pages:

Backdoor Capabilities

This worm acts as a server program controlled by an Internet Relay Chat (IRC) bot. It connects to an IRC server and then joins an IRC channel.

Once connected, this server program receives commands from the IRC bot. The bot inputs the commands in the IRC console and waits to receive information from the server. The said commands are used to control the target system and the behavior of the server program. These commands are basically categorized as follows:

  • Bot commands (used to control the server program)
    • Display the information about the bot
    • Terminate the bot
    • Resolve IP/hostname by DNS
    • Make the bot execute a .EXE file
    • Display the bot version or ID
    • Change the nickname of the bot
    • Open any file that is a registered file type
    • Completely remove the bot from the system
    • Remove a bot using a specific bot ID
    • Assign a new random nickname to the bot
    • Cause the bot to display its status
    • Cause the bot to display system information
    • Cause the bot to quit IRC and terminate itself
    • Repeat a command for a specified number of times

  • Command Manager commands (used to control commands)
    • Display the list of commands

  • CVAR commands (used to control the IRC CVAR, which refers to IRC default variables that allows users to change settings)
    • List Cvars
    • Display the value of a Cvar
    • Set the value of a Cvar

  • IRC commands (used to control the behavior of the IRC application)
    • Make the bot send an action message to the channel
    • Make the bot reply the network information if the hostname contains the string .edu
    • Make the bot reply the network information if the hostname contains a specified string
    • Make the bot join an IRC channel
    • Make the bot part an IRC channel
    • Cause the bot to display network information
    • Send a private message to the target
    • Make the bot quit from IRC
    • Make the bot send a raw string to the IRC server
    • Make the bot reconnect to IRC
    • Make the bot change the server Cvars
    • Make the bot change IRC modes

  • Mac commands (used by the bot to connect to its server component using a bot user)
    • Log on a user to the bot
    • Log off a user from the bot

  • Redirect commands (used by the bot to control the traffic that passes to the infected system)
    • Redirect a TCP port to another host
    • Redirect GRE traffic that results to proxy PPTP VPN connections
    • Stop all redirects

  • Downloader commands (used to download and execute files from a specific protocol)
    • Make the bot download a file from an FTP site to a specified local folder
    • Make the bot download and execute a file from an FTP site on a specified local folder
    • Make the bot download a file from FTP to a specified local folder and update it if the files are different
    • Make the bot download a file from HTTP site to a specified local folder
    • Make the bot download and execute a file from HTTP site on a specified local folder
    • Make the bot download a file from HTTP to a specified local folder and update it if the files are different

Information Theft

This worm is also capable of gathering CD keys from the following software:

  • Battlefield 1942
  • Black and White
  • Command & Conquer Generals
  • Counter-Strike
  • FIFA 2003
  • Freedom Force
  • Half-Life
  • James Bond 007 Nightfire
  • Medal of Honor
  • Need For Speed Hot Pursuit 2
  • Neverwinter
  • NFSHP2
  • Project IGI 2
  • Rainbow Six III RavenShield
  • Soldier of Fortune II
  • Soldiers Of Anarchy
  • The Gladiators
  • Unreal Tournament 2003

Denial of Service Attack

This worm allows remote users to launch the following types of flood attacks from infected machines against a target site:

  • HTTP flood
  • PING flood
  • SYN flood
  • UDP flood



Analysis by: Marvin Cruz


SOLUTION


Minimum scan engine version needed: 6.810

Pattern file needed: 2.177.25

Pattern release date: Sep 22, 2004


Important note: The "Minimum scan engine" refers to the earliest Trend Micro scan engine version guaranteed to detect this threat. However, Trend Micro strongly recommends that you update to the latest version in order to get comprehensive protection. Download the latest scan engine here.

Solution:

Identifying the Malware Program

To remove this malware, first identify the malware program.

  1. Scan your system with your Trend Micro antivirus product.
  2. NOTE all files detected as WORM_AGOBOT.XM.

Trend Micro customers need to download the latest pattern file before scanning their system. Other users can use Housecall, Trend Micro�s free online virus scanner.

Terminating the Malware Program

This procedure terminates the running malware process. You will need the name(s) of the file(s) detected earlier.

  1. Open Windows Task Manager.
    � On Windows 95, 98, and ME, press
    CTRL%20ALT%20DELETE
    � On Windows NT, 2000, and XP, press
    CTRL%20SHIFT%20ESC, then click the Processes tab.
  2. In the list of running programs*, locate the malware file(s) detected earlier.
  3. Select one of the detected files, then press either the End Task or the End Process button, depending on the version of Windows on your system.
  4. Do the same for all detected malware files in the list of running processes.
  5. To check if the malware process has been terminated, close Task Manager, and then open it again.
  6. Close Task Manager.

*NOTE: On systems running Windows 95, 98, and ME, Windows Task Manager may not show certain processes. You can use a third party process viewer such as Process Explorer to terminate the malware process. Otherwise, continue with the next procedure, noting additional instructions.

Removing Autostart Entries from the Registry

Removing autostart entries from the registry prevents the malware from executing at startup.

  1. Open Registry Editor. Click Start>Run, type REGEDIT, then press Enter.
  2. In the left panel, double-click the following:
    HKEY_LOCAL_MACHINE>Software>Microsoft>
    Windows>CurrentVersion>Run
  3. In the right panel, locate and delete the entry:
    Microsoft Update = "VPC32.EXE"
  4. In the left panel, double-click the following:
    HKEY_LOCAL_MACHINE>Software>Microsoft>
    Windows>CurrentVersion>RunServices
  5. In the right panel, locate and delete the entry:
    Microsoft Update = "VPC32.EXE"
  6. In the left panel, double-click the following:
    HKEY_CURRENT_USER>Software>Microsoft>
    Windows>CurrentVersion>Run
  7. In the right panel, locate and delete the entry:
    Microsoft Update = "VPC32.EXE"
  8. Close Registry Editor.

NOTE: If you were not able to terminate the malware process as described in the previous procedure, restart your system.

Additional Windows ME/XP Cleaning Instructions

Users running Windows ME and XP must disable System Restore to allow full scanning of infected systems.

Users running other Windows versions can proceed with the succeeding procedure sets.

Running Trend Micro Antivirus

Scan your system with Trend Micro antivirus and delete all files detected as WORM_AGOBOT.XM. To do this, Trend Micro customers must download the latest pattern file and scan their system. Other Internet users can use HouseCall, Trend Micro�s free online virus scanner.

Applying Patches

This malware exploits known vulnerabilities in Windows. Download and install the fix patches from the following Web pages:

Trend Micro advises users to download critical patches upon release by vendors.


Trend Micro offers best-of-breed antivirus and content-security solutions for your corporate network, small and medium business, mobile device or home PC.