WORM_AGOBOT.YP

Malware type: Worm

In the wild: Yes

Destructive: No

Language: English

Platform: Windows NT, 2000, XP

Encrypted: No

Overall risk rating:

Reported infections:

Damage potential:

High

Distribution potential:

High

Description: 

This worm exploits certain vulnerabilities to propagate across networks. It takes advantage of the following Windows vulnerabilities:

  • Remote Procedure Call (RPC) Distributed Component Object Model (DCOM) vulnerability
  • IIS5/WEBDAV Buffer Overflow vulnerability
  • RPC Locator Vulnerability

For more information about these Windows vulnerabilities, please refer to the following Microsoft Web pages:

It attempts to log into systems using a list of user names and passwords. This worm then drops a copy of itself in accessed machines.

It also terminates antivirus-related processes and files dropped by other malware. This worm steals CD keys of certain game applications, then sends the gathered data to a remote user via mIRC, a chat application. It also has backdoor capabilities and may execute remote commands on the host machine.

It runs on Windows NT, 2000 and XP.

For additional information about this threat, see:

Description created: Jun. 2, 2004 3:25:26 AM GMT -0800


TECHNICAL DETAILS


Size of malware: 207,872 Bytes

Initial samples received on: Jun 2, 2004

Details:
Installation and Autostart Technique

Upon execution, this worm drops a copy of itself as the following file in the Windows system folder:

    MSCFG12.EXE

(Note: The Windows system folder is usually C:\WINNT\System32 on Windows 2000 and NT, and C:\Windows\System32 on Windows XP.)

It adds any of the following registry entries, which enable this malware to run automatically at every system startup:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
MS Config v12 = "mscfg12.exe"

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
MS Config v12 = "mscfg12.exe"
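The two autostart entries above (and the removal steps later on this page) are the indicators a responder would check first. The following is an added example, not part of the Trend Micro description: it parses a regedit export of the Run and RunServices keys (the sample text is constructed; a real `reg export` file is UTF-16 and would be decoded first) and flags entries that match the worm's value name or its dropped file name.

```python
import re

# Indicators taken from the WORM_AGOBOT.YP description.
WORM_FILE = "mscfg12.exe"
WORM_VALUE_NAME = "ms config v12"
AUTOSTART_KEYS = (
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices",
)

_KEY_RE = re.compile(r"^\[(.+)\]$")
_VALUE_RE = re.compile(r'^"(?P<name>[^"]*)"=(?P<data>.*)$')

# Constructed sample of a .reg export; the second entry uses a full path to
# show that the basename comparison still matches.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MS Config v12"="mscfg12.exe"
"Synchronization Manager"="mobsync.exe /logon"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"MS Config v12"="C:\\WINNT\\System32\\mscfg12.exe"
'''


def parse_reg_export(text):
    """Return {key_path: {value_name: data}} from regedit export text.
    String values are unquoted and unescaped; other types keep their raw text."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            data = m.group("data")
            if data.startswith('"') and data.endswith('"'):
                data = data[1:-1].replace("\\\\", "\\")
            keys[current][m.group("name")] = data
    return keys


def find_agobot_autostart(reg_text):
    """List (key, value_name, data) autostart entries matching the worm."""
    wanted = {k.lower() for k in AUTOSTART_KEYS}
    hits = []
    for key, values in parse_reg_export(reg_text).items():
        if key.lower() not in wanted:
            continue
        for name, data in values.items():
            # Match on the value name or on the payload's file name, so a
            # renamed value that still launches mscfg12.exe is reported.
            if name.lower() == WORM_VALUE_NAME or data.lower().split("\\")[-1] == WORM_FILE:
                hits.append((key, name, data))
    return hits
```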

Exploits

This worm takes advantage of the Remote Procedure Call (RPC) Distributed Component Object Model (DCOM) vulnerability present on Windows XP systems, which allows an attacker to gain full access and execute any code on a target machine, leaving it compromised.

Read more on this vulnerability from the following link:

This worm looks for vulnerable Windows XP machines on the network by scanning for random TCP/IP addresses on port 135.

It further uses the RPC Locator vulnerability which affects Windows NT systems and searches for vulnerable Windows NT machines on the network by incrementally scanning TCP/IP addresses on port 445.

More information on this vulnerability is available from the following Microsoft page:

This worm also exploits the IIS5/WEBDAV buffer overrun vulnerability affecting Windows NT platforms, which enables arbitrary code to execute on the server.

The following link offers more information from Microsoft about this vulnerability:
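The two scanning behaviours described in this section (random addresses on TCP port 135, incrementing addresses on TCP port 445) are visible in perimeter or host firewall logs. The following detection logic is an added example, not part of the Trend Micro description; it runs over constructed connection-log lines in a simple `src= dst= dport=` format and reports sources that touch many distinct hosts on either port, labelling the target sequence as incremental or random.

```python
import ipaddress
import re
from collections import defaultdict

# Ports the worm scans according to the description: 135 (RPC/DCOM), 445 (RPC Locator).
SCAN_PORTS = {135, 445}
_LINE_RE = re.compile(r"src=(\S+) dst=(\S+) dport=(\d+)")

# Constructed log: one incremental scanner on 445, one random scanner on 135,
# and a benign host that only talks to two file servers.
SAMPLE_LOG = (
    [f"2004-06-02T03:25:{i:02d} src=10.0.0.5 dst=10.0.1.{i} dport=445" for i in range(1, 9)]
    + [f"2004-06-02T03:26:{i:02d} src=10.0.0.9 dst={d} dport=135"
       for i, d in enumerate(["10.0.7.3", "10.0.2.40", "10.0.9.1", "10.0.4.77",
                              "10.0.1.9", "10.0.8.12", "10.0.3.250", "10.0.5.6"])]
    + ["2004-06-02T03:27:00 src=10.0.0.2 dst=10.0.1.1 dport=445",
       "2004-06-02T03:27:01 src=10.0.0.2 dst=10.0.1.2 dport=445"]
)


def parse_conn_log(lines):
    """Yield (src, dst, dport) from lines in the constructed log format."""
    for line in lines:
        m = _LINE_RE.search(line)
        if m:
            yield m.group(1), m.group(2), int(m.group(3))


def classify_targets(dsts):
    """'incremental' when every target is the previous address plus one, else 'random'."""
    nums = [int(ipaddress.ip_address(d)) for d in dsts]
    steps = [b - a for a, b in zip(nums, nums[1:])]
    return "incremental" if steps and all(s == 1 for s in steps) else "random"


def find_scanners(lines, min_targets=8):
    """Return {(src, dport): (distinct_target_count, pattern)} for sources that
    contacted at least min_targets distinct hosts on a port the worm scans."""
    targets = defaultdict(list)          # preserves first-seen order per source
    for src, dst, dport in parse_conn_log(lines):
        if dport in SCAN_PORTS and dst not in targets[(src, dport)]:
            targets[(src, dport)].append(dst)
    return {k: (len(v), classify_targets(v))
            for k, v in targets.items() if len(v) >= min_targets}
```

The threshold of 8 suits the constructed sample; on real logs raise it and bound the window in time so that ordinary SMB clients are not reported.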

Network Share Propagation

This worm attempts to propagate to the following folders in the network:

If these folders have full access rights, it attempts to copy itself to these network shares. However, if these shared folders have restricted access rights, the worm attempts to force its way into the system by logging in using the following user names and passwords:

  • 000000
  • 00000000
  • 7
  • 12
  • 110
  • 111
  • 123
  • 1234
  • 2002
  • 2600
  • 12345
  • 54321
  • 111111
  • 121212
  • 123123
  • 123456
  • 654321
  • 1234567
  • 11111111
  • 12345678
  • 88888888
  • 123456789
  • 1234qwer
  • 123abc
  • 123asd
  • 123qwe
  • aaa
  • abc
  • abcd
  • Admin
  • admin
  • Administrador
  • Administrateur
  • administrator
  • Administrator
  • alpha
  • asdf
  • computer
  • Convidado
  • Coordinatore
  • database
  • Default
  • Dell
  • enable
  • foobar
  • Gast
  • god
  • godblessyou
  • Guest
  • home
  • ihavenopass
  • Internet
  • Inviter
  • Login
  • love
  • mgmt
  • mypass
  • mypc
  • netbios
  • oracle
  • Ospite
  • owner
  • Owner
  • pass
  • passwd
  • Password
  • password
  • pat
  • patrick
  • pc
  • pwd
  • qwer
  • root
  • secret
  • server
  • sex
  • Standard
  • super
  • sybase
  • temp
  • Test
  • User
  • Verwalter
  • win
  • xp
  • xxx
  • xyz
  • yxcv
  • zxcv

When the logon attempt is successful, this worm then copies and executes itself on the system.

Backdoor Capabilities

The malware acts as an IRC bot and has backdoor capabilities, such as stealing CD keys and sending them to the malicious user. It engages in port scanning activities in order to connect with the malware author. Moreover, it uses Secure Sockets Layer (SSL) to encrypt the packets it sends, in order to avoid detection.

This malware is capable of performing the following routines on a target system:

Information Theft

This worm steals CD keys of the following game applications:

  • Battlefield 1942
  • Battlefield 1942 Secret Weapons of WWII
  • Battlefield 1942 The Road to Rome
  • Command & Conquer Generals
  • Counter-Strike
  • FIFA 2002
  • FIFA 2003
  • Half-Life
  • Hidden and Dangerous 2
  • LoMaM
  • Nascar Racing 2002
  • Nascar Racing 2003
  • Need For Speed Hot Pursuit 2
  • Neverwinter
  • NHL 2002
  • NHL 2003
  • Red Alert 2
  • Soldier of Fortune II - Double Helix
  • Tiberian Sun

Antivirus Retaliation

This worm terminates the following antivirus and firewall processes:

  • _AVP32.EXE
  • _AVPCC.EXE
  • _AVPM.EXE
  • ACKWIN32.EXE
  • ANTI-TROJAN.EXE
  • APVXDWIN.EXE
  • AUTODOWN.EXE
  • AVCONSOL.EXE
  • AVE32.EXE
  • AVGCTRL.EXE
  • AVKSERV.EXE
  • AVNT.EXE
  • AVP.EXE
  • AVP32.EXE
  • AVPCC.EXE
  • AVPDOS32.EXE
  • AVPM.EXE
  • AVPTC32.EXE
  • AVPUPD.EXE
  • AVSCHED32.EXE
  • AVWIN95.EXE
  • AVWUPD32.EXE
  • BLACKD.EXE
  • BLACKICE.EXE
  • CFIADMIN.EXE
  • CFIAUDIT.EXE
  • CFINET.EXE
  • CFINET32.EXE
  • CLAW95.EXE
  • CLAW95CF.EXE
  • CLEANER.EXE
  • CLEANER3.EXE
  • DVP95.EXE
  • DVP95_0.EXE
  • ECENGINE.EXE
  • ESAFE.EXE
  • ESPWATCH.EXE
  • F-AGNT95.EXE
  • FINDVIRU.EXE
  • F-PROT.EXE
  • FPROT.EXE
  • F-PROT95.EXE
  • FP-WIN.EXE
  • FRW.EXE
  • F-STOPW.EXE
  • IAMAPP.EXE
  • IAMSERV.EXE
  • IBMASN.EXE
  • IBMAVSP.EXE
  • ICLOAD95.EXE
  • ICLOADNT.EXE
  • ICMON.EXE
  • ICSUPP95.EXE
  • ICSUPPNT.EXE
  • IFACE.EXE
  • IOMON98.EXE
  • JEDI.EXE
  • LOCKDOWN2000.EXE
  • LOOKOUT.EXE
  • LUALL.EXE
  • MOOLIVE.EXE
  • MPFTRAY.EXE
  • N32SCANW.EXE
  • NAVAPW32.EXE
  • NAVLU32.EXE
  • NAVNT.EXE
  • NAVW32.EXE
  • NAVWNT.EXE
  • NISUM.EXE
  • NMAIN.EXE
  • NORMIST.EXE
  • NUPGRADE.EXE
  • NVC95.EXE
  • OUTPOST.EXE
  • PADMIN.EXE
  • PAVCL.EXE
  • PAVSCHED.EXE
  • PAVW.EXE
  • PCCWIN98.EXE
  • PCFWALLICON.EXE
  • PERSFW.EXE
  • RAV7.EXE
  • RAV7WIN.EXE
  • RESCUE.EXE
  • SAFEWEB.EXE
  • SCAN32.EXE
  • SCAN95.EXE
  • SCANPM.EXE
  • SCRSCAN.EXE
  • SERV95.EXE
  • SMC.EXE
  • SPHINX.EXE
  • SWEEP95.EXE
  • TBSCAN.EXE
  • TCA.EXE
  • TDS2-98.EXE
  • TDS2-NT.EXE
  • VET95.EXE
  • VETTRAY.EXE
  • VSCAN40.EXE
  • VSECOMR.EXE
  • VSHWIN32.EXE
  • VSSTAT.EXE
  • WEBSCANX.EXE
  • WFINDV32.EXE
  • ZONEALARM.EXE

This worm also terminates the following processes, if they exist:

  • winhlpp32.exe
  • tftpd.exe
  • dllhost.exe
  • winppr32.exe
  • mspatch.exe
  • penis32.exe
  • msblast.exe

Denial of Service Attack

This worm also enables a malicious user to perform flood attacks on any Web site of the remote user's choice. However, the following are exempted from this routine:

  • harr0.com
  • www.harr0.com
  • ryan1918.com
  • www.ryan1918.com



Analysis by: Christine Bejerasco


SOLUTION


Minimum scan engine version needed: 6.810

Pattern file needed: 900

Pattern release date: Jun 2, 2004


Important note: The "Minimum scan engine" refers to the earliest Trend Micro scan engine version guaranteed to detect this threat. However, Trend Micro strongly recommends that you update to the latest version in order to get comprehensive protection. Download the latest scan engine here.

Solution:

Identifying the Malware Program

To remove this malware, first identify the malware program.

  1. Scan your system with your Trend Micro antivirus product.
  2. NOTE all files detected as WORM_AGOBOT.YP.

Trend Micro customers need to download the latest pattern file before scanning their system. Other users can use HouseCall, Trend Micro's free online virus scanner.

Restarting in Safe Mode

• On Windows NT (VGA mode)

  1. Click Start>Settings>Control Panel.
  2. Double-click the System icon.
  3. Click the Startup/Shutdown tab.
  4. Set the Show List field to 10 seconds and click OK to save this change.
  5. Shut down and restart your computer.
  6. Select VGA mode from the startup menu.

• On Windows 2000

  1. Restart your computer.
  2. Press the F8 key, when you see the Starting Windows bar at the bottom of the screen.
  3. Choose the Safe Mode option from the Windows Advanced Options Menu then press Enter.

• On Windows XP

  1. Restart your computer.
  2. Press F8 after the Power-On Self Test (POST) is done. If the Windows Advanced Options Menu does not appear, try restarting and then pressing F8 several times after the POST screen.
  3. Choose the Safe Mode option from the Windows Advanced Options Menu then press Enter.

Note: After performing all the solutions for the removal of this malware, please restart your system normally, and run your Trend Micro antivirus product.

Terminating the Malware Program

This procedure terminates the running malware process. You will need the name(s) of the file(s) detected earlier.

  1. Open Windows Task Manager.
    • On Windows 95, 98, and ME, press CTRL+ALT+DELETE
    • On Windows NT, 2000, and XP, press CTRL+SHIFT+ESC, then click the Processes tab.
  2. In the list of running programs*, locate the malware file(s) detected earlier.
  3. Select one of the detected files, then press either the End Task or the End Process button, depending on the version of Windows on your system.
  4. Do the same for all detected malware files in the list of running processes.
  5. To check if the malware process has been terminated, close Task Manager, and then open it again.
  6. Close Task Manager.

*NOTE: On systems running Windows 95, 98, and ME, Windows Task Manager may not show certain processes. You can use a third party process viewer such as Process Explorer to terminate the malware process. Otherwise, continue with the next procedure, noting additional instructions.

Removing Autostart Entries from the Registry

Removing autostart entries from the registry prevents the malware from executing during startup.

To remove the malware autostart entries:

  1. Open Registry Editor. To do this, click Start>Run, type Regedit, then press Enter.
  2. In the left panel, double-click the following:
    HKEY_LOCAL_MACHINE>Software>Microsoft>Windows>CurrentVersion>Run
  3. In the right panel, locate and delete the entry:
    MS Config v12 = "mscfg12.exe"
  4. In the left panel, double-click the following:
    HKEY_LOCAL_MACHINE>Software>Microsoft>Windows>CurrentVersion>RunServices
  5. In the right panel, locate and delete the entry or entries:
    MS Config v12 = "mscfg12.exe"
  6. Close Registry Editor.

NOTE: If you were not able to terminate the malware process from memory as described in the previous procedure, restart your system.

Additional Windows XP Cleaning Instructions

Running Trend Micro Antivirus

Scan your system with Trend Micro antivirus and delete files detected as WORM_AGOBOT.YP. To do this, Trend Micro customers must download the latest virus pattern file and scan their system. Other Internet users can use HouseCall, Trend Micro's online virus scanner.

Applying Patches

This malware exploits known vulnerabilities affecting the Windows NT platforms. Download and install the following to patch your system.

Refrain from using the affected software until the appropriate patch has been installed.

