Method of Infection
When first run, Agobot usually copies itself to the System directory under a variable file name. It also adds registry entries so that this copy runs at Windows start-up, usually under these keys:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
For example, one variant observed "in the wild" copies itself to:
%System%\aim.exe
and adds these values to the registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\AOL Instant Messenger = "aim.exe"
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\AOL Instant Messenger = "aim.exe"
Note: %System% is a variable location; Agobot determines the current System folder by querying the operating system. The default location of the System directory is C:\Winnt\System32 on Windows NT and 2000, C:\Windows\System on Windows 95, 98 and ME, and C:\Windows\System32 on Windows XP.
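The Run-key persistence described above is the first thing a responder checks on a suspect host. The following Python triage is added here and is not part of the original analysis or of any CA tool: it parses a `reg export` of the two autostart keys and flags values that look like the example, namely a bare file name with no directory (so Windows locates the dropped copy through its executable search path, which includes %System%) and any value under RunServices, which only Windows 9x/ME process. The .reg text, the %System% directory listing and the suspicion rules are constructed for illustration.

```python
"""Triage Run / RunServices autostart entries from a `reg export` of HKLM.
Added example for this write-up; the .reg text, the directory listing and the
suspicion rules are the editor's constructions, not the analysts' tooling."""
import re
import sys
from typing import Dict, List

# Constructed .reg export: the two Agobot values quoted in the write-up plus
# one benign entry (the VetTray path is made up) for contrast.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"AOL Instant Messenger"="aim.exe"
"VetTray"="C:\\Program Files\\CA\\eTrust\\VetTray.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"AOL Instant Messenger"="aim.exe"
"""

# Constructed listing of %System% on a Windows XP host.
SYSTEM_DIR = r"C:\Windows\System32"
SYSTEM_DIR_FILES = {"aim.exe", "kernel32.dll", "svchost.exe"}

AUTOSTART_KEYS = (
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices",
)

# "name"="data" lines of a .reg file; backslash and quote are escaped as \\ and \"
_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def _unescape(s: str) -> str:
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Return {key path: {value name: REG_SZ data}} for every key in the export."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            keys[current][_unescape(m.group(1))] = _unescape(m.group(2))
    return keys


def image_name(data: str) -> str:
    """Executable named by a Run value: the quoted part if quoted, otherwise the
    whole string (the sample values carry no command-line arguments)."""
    data = data.strip()
    if data.startswith('"'):
        end = data.find('"', 1)
        return data[1:end] if end > 0 else data[1:]
    return data


def autostart_findings(keys: Dict[str, Dict[str, str]], system_dir: str = SYSTEM_DIR,
                       system_files=SYSTEM_DIR_FILES) -> List[dict]:
    """Flag autostart values worth a closer look (heuristics, not signatures)."""
    lowered = {f.lower() for f in system_files}
    findings = []
    for key in AUTOSTART_KEYS:
        for name, data in keys.get(key, {}).items():
            image = image_name(data)
            reasons = []
            if "\\" not in image:
                # No directory: Windows locates the file through its executable
                # search path, which includes %System%, where Agobot drops its copy.
                reasons.append("bare file name, located via the executable search path")
                if image.lower() in lowered:
                    reasons.append(f"resolves to {system_dir}\\{image}")
            if key.endswith("RunServices"):
                reasons.append("RunServices is only processed by Windows 9x/ME; "
                               "rarely used by legitimate software on NT-based Windows")
            if reasons:
                findings.append({"key": key, "name": name, "data": data,
                                 "image": image, "reasons": reasons})
    return findings


if __name__ == "__main__":
    # `reg export` on Windows writes UTF-16 with a BOM; pass the file as argv[1].
    text = open(sys.argv[1], encoding="utf-16").read() if len(sys.argv) > 1 else SAMPLE_REG_EXPORT
    for f in autostart_findings(parse_reg_export(text)):
        print(f"{f['key']}\n  {f['name']} = {f['data']}")
        for r in f["reasons"]:
            print(f"    - {r}")
```

Run it against `reg export "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" run.reg` (and the same for RunServices) from the suspect host; a value name that impersonates a well-known product while its data is a bare file name, as in the aim.exe example, is the pattern to look for.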
Method of Distribution
Win32.Agobot variants can spread in a number of ways. Propagation can be launched automatically or triggered manually through the backdoor, depending on how the worm is configured. Not all variants use all of these mechanisms.
Via Network Shares
This is the most common method of spreading and is used by virtually all Agobots. The worm attempts to connect to default administrative shares such as ADMIN$, C$, D$, E$ and print$ by guessing user names and passwords that may have access to them.
The following are some common user names that Agobot tries:
Administrator
Administrateur
Coordinatore
Administrador
Verwalter
admin
administrator
Default
Convidado
mgmt
Standard
User
Administratör
administrador
Owner
user
server
Test
Guest
These are some passwords that Agobot often tries to use:
admin
Admin
password
Password
1
12
123
pass
passwd
database
abcd
oracle
sybase
server
computer
Internet
root
sex
god
foobar
Note: the above is only a partial list. It is important to use strong passwords, especially for accounts with administrator privileges, since every name above is tried against every password above.
If Agobot successfully copies itself to a remote machine, it launches the copy by creating a service or by scheduling a job on the remote system.
Agobot may find machines to attack via network shares by scanning TCP ports 139 and 445.
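Because these are network logons against administrative shares, a target with failure auditing of logon events enabled records every guess in its Security log (event 529 on NT/2000/XP, 4625 on later Windows; Windows 9x/ME keeps no such log). The detection below is an added example, not code from the original analysis: it clusters failed network logons per source workstation, alerts when one source fails many logons across several accounts in quick succession, marks which of the tried accounts come from the dictionary quoted above, and reports whether one of those accounts then logged on successfully (event 540/4624), which is the signal that a share was opened. The pipe-separated log rows and the thresholds are constructed for illustration.

```python
"""Detect Agobot-style share brute forcing in exported Windows Security events.
Added example for this write-up; the log rows below are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# Account names from the dictionary quoted in the write-up (passwords never appear in logs).
AGOBOT_USERNAMES = {u.lower() for u in (
    "Administrator", "Administrateur", "Coordinatore", "Administrador",
    "Verwalter", "admin", "Default", "Convidado", "mgmt", "Standard",
    "User", "Administratör", "Owner", "server", "Test", "Guest")}

FAILURE_IDS = {529, 4625}  # bad user name or password: NT/2000/XP, and Vista or later
SUCCESS_IDS = {540, 4624}  # successful network logon: 2000/XP, and Vista or later
NETWORK_LOGON = 3          # logon type used for SMB share access

# Constructed export, one event per line: time|event id|account|source workstation|logon type.
SAMPLE_LOG = """\
2004-05-12 03:14:01|529|Administrator|WS-INFECTED|3
2004-05-12 03:14:01|529|admin|WS-INFECTED|3
2004-05-12 03:14:02|529|administrator|WS-INFECTED|3
2004-05-12 03:14:02|529|Default|WS-INFECTED|3
2004-05-12 03:14:03|529|Owner|WS-INFECTED|3
2004-05-12 03:14:03|529|backup|WS-INFECTED|3
2004-05-12 03:14:04|529|Guest|WS-INFECTED|3
2004-05-12 03:14:05|540|Administrator|WS-INFECTED|3
2004-05-12 03:20:45|529|jsmith|WS-HELPDESK|2
"""


def parse_events(text: str) -> List[Dict]:
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, eid, account, source, ltype = line.split("|")
        events.append({"time": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
                       "id": int(eid), "account": account,
                       "source": source, "logon_type": int(ltype)})
    return sorted(events, key=lambda e: e["time"])


def _bursts(failures: List[Dict], gap: timedelta) -> List[List[Dict]]:
    """Split failures into runs where consecutive events are at most `gap` apart."""
    runs: List[List[Dict]] = []
    for e in failures:
        if runs and e["time"] - runs[-1][-1]["time"] <= gap:
            runs[-1].append(e)
        else:
            runs.append([e])
    return runs


def detect_share_bruteforce(events: List[Dict], gap: timedelta = timedelta(seconds=30),
                            min_failures: int = 5, min_accounts: int = 3) -> List[Dict]:
    """One alert per burst in which a source fails many network logons across several
    accounts; records whether one of the tried accounts then logged on successfully."""
    by_source = defaultdict(list)
    for e in events:
        by_source[e["source"]].append(e)
    alerts = []
    for source, evs in by_source.items():
        failures = [e for e in evs if e["id"] in FAILURE_IDS and e["logon_type"] == NETWORK_LOGON]
        for run in _bursts(failures, gap):
            accounts = {e["account"] for e in run}
            if len(run) < min_failures or len(accounts) < min_accounts:
                continue
            first, last = run[0]["time"], run[-1]["time"]
            tried = {a.lower() for a in accounts}
            succeeded = sorted({e["account"] for e in evs
                                if e["id"] in SUCCESS_IDS and e["account"].lower() in tried
                                and first <= e["time"] <= last + gap})
            alerts.append({
                "source": source, "first": first, "last": last, "failures": len(run),
                "accounts": sorted(accounts),
                "dictionary_accounts": sorted(a for a in accounts if a.lower() in AGOBOT_USERNAMES),
                "followed_by_success": succeeded,
            })
    return alerts


if __name__ == "__main__":
    for a in detect_share_bruteforce(parse_events(SAMPLE_LOG)):
        print(f"{a['source']}: {a['failures']} failed network logons "
              f"{a['first']:%H:%M:%S}-{a['last']:%H:%M:%S} across {len(a['accounts'])} accounts; "
              f"dictionary hits {a['dictionary_accounts']}; "
              f"then succeeded as {a['followed_by_success'] or 'none'}")
```

The helpdesk row is ignored twice over: it is a single failure and an interactive (type 2) logon, so ordinary typos do not alert. A burst that ends in a successful logon from the same source is the case to treat as a compromised host rather than a noisy one.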
Via Exploits
Win32.Agobot can also spread by exploiting vulnerabilities in Windows and in third-party applications. Support for different exploits has grown as Agobot has been developed, and not all variants use every one. The following vulnerabilities are known to be exploited by some Agobot variants:
1. CPanel Resetpass Remote Command Execution Vulnerability (TCP port 2082)
http://www3.ca.com/threatinfo/vulninfo/vuln.aspx?ID=27586
2. Microsoft Windows RPCSS malformed DCOM message buffer overflow vulnerabilities (TCP port 135)
http://www3.ca.com/threatinfo/vulninfo/vuln.aspx?ID=25975
3. Microsoft Windows RPC malformed message buffer overflow vulnerability (TCP ports 135, 445, 1025)
http://www3.ca.com/threatinfo/vulninfo/vuln.aspx?ID=25454
4. DameWare Mini Remote Control Buffer Overflow (TCP port 6129)
http://www3.ca.com/threatinfo/vulninfo/vuln.aspx?ID=26843
5. Microsoft Windows Locator service buffer overflow vulnerability (TCP port 445)
http://www3.ca.com/threatinfo/vulninfo/vuln.aspx?ID=6999
6. Weak passwords on MS SQL servers, including the Microsoft SQL Server Desktop Engine (MSDE) blank 'sa' password vulnerability (TCP port 1433)
http://www3.ca.com/threatinfo/vulninfo/vuln.aspx?ID=5705
7. Microsoft Universal Plug and Play (UPnP) NOTIFY directive buffer overflow and DoS vulnerabilities (TCP port 5000)
http://www3.ca.com/threatinfo/vulninfo/vuln.aspx?ID=4520
8. Microsoft Windows ntdll.dll buffer overflow vulnerability (WebDav vulnerability) (TCP port 80)
http://www3.ca.com/threatinfo/vulninfo/vuln.aspx?ID=7287
9. Microsoft Windows Workstation service malformed message buffer overflow vulnerability (TCP port 139; also TCP port 4899 if Radmin is installed)
http://www3.ca.com/threatinfo/vulninfo/vuln.aspx?ID=26580
10. Microsoft Windows LSASS buffer overflow vulnerability (TCP ports 135, 445 and 1025)
http://www3.ca.com/threatinfo/vulninfo/vuln.aspx?id=27886
In some cases the worm also listens on a local port and instructs the exploited target to connect back to it in order to retrieve the worm's executable file.
Via Other Malware
Some Agobot variants can also infect remote systems that already carry a backdoor left by other malware:
* Win32.Bagle (through its backdoor on TCP port 2745)
* Win32.Mydoom (through its backdoor on TCP port 3127)
Payload
Backdoor Functionality
Agobot's main function is to act as an IRC-controlled backdoor. It attempts to connect to an IRC server from a pre-defined list and joins a specific channel, from which the victim's computer can be controlled.
Once the victim's computer is under control, the controller can instruct Win32.Agobot to perform malicious operations such as spreading via administrative shares with weak passwords or via the DCOM RPC exploit. The backdoor can also be instructed to:
- download and execute files from the Internet
- retrieve system information such as operating system details
- execute local files
- perform DNS lookups
Process Termination
Win32.Agobot can also be configured to terminate processes belonging to antivirus, firewall and other security applications, for example:
AUTODOWN.EXE
VET95.EXE
VETTRAY.EXE
RESCUE.EXE
SCAN32.EXE
BLACKICE.EXE
ZONEALARM.EXE
ANTI-TROJAN.EXE
Modifies hosts file
Recent versions of Win32.Agobot add lines to the hosts file (%Windows%\hosts on Windows 95/98/ME, %System%\drivers\etc\hosts on NT-based Windows) in order to redirect particular antivirus-related domain names. For example:
127.0.0.1 www.ca.com
127.0.0.1 ca.com
127.0.0.1 mast.mcafee.com
127.0.0.1 my-etrust.com
127.0.0.1 www.my-etrust.com
These lines make www.ca.com, ca.com and the other listed names resolve to the local host, so the infected machine can no longer reach those sites for updates or removal tools. The hosts file is consulted before DNS, so the redirection persists until the lines are removed.
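Checking for this tampering is a matter of parsing the hosts file rather than eyeballing it, since the bot may use tabs, put several names on one line or append entries after a long comment block. The following Python check is an added example and not code from the original analysis: it parses hosts-file syntax (comments, whitespace-separated fields, multiple names per address) and reports, going a little beyond the 127.0.0.1 case shown above, any non-localhost name mapped to a loopback or unspecified address such as 0.0.0.0 or ::1, plus any name under the vendor domains quoted above whatever address it is pinned to. The sample hosts content is constructed; av-updates.example and intranet.corp.example are placeholder names.

```python
"""Check a Windows hosts file for names sinkholed to the local host, as Agobot
does to block antivirus sites. Added example for this write-up; the hosts text
is constructed (av-updates.example and intranet.corp.example are placeholders)."""
import ipaddress
import sys
from typing import Dict, List, Tuple

# Parent domains of the names quoted in the write-up; any subdomain matches.
WATCHED_DOMAINS = ("ca.com", "mcafee.com", "my-etrust.com")

# Constructed hosts file: the standard header, one legitimate entry, the lines
# from the write-up (one of them tab-separated with two names) and a 0.0.0.0 entry.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
192.168.1.10    intranet.corp.example   # constructed, legitimate entry
127.0.0.1 www.ca.com
127.0.0.1 ca.com
127.0.0.1 mast.mcafee.com
127.0.0.1\tmy-etrust.com www.my-etrust.com
0.0.0.0 av-updates.example
"""


def parse_hosts(text: str) -> List[Tuple[int, str, List[str]]]:
    """(line number, address, hostnames) for each active entry; comments stripped."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        fields = line.split()
        if len(fields) < 2:
            continue
        entries.append((lineno, fields[0], [h.lower() for h in fields[1:]]))
    return entries


def _is_sinkhole(addr: str) -> bool:
    """Loopback or unspecified addresses make a name unreachable."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return ip.is_loopback or ip.is_unspecified


def _watched(name: str, domains) -> bool:
    return any(name == d or name.endswith("." + d) for d in domains)


def find_hosts_hijacks(text: str, domains=WATCHED_DOMAINS) -> List[Dict]:
    """Entries that sinkhole a non-localhost name, or that pin a watched domain anywhere."""
    findings = []
    for lineno, addr, names in parse_hosts(text):
        sink = _is_sinkhole(addr)
        for name in names:
            if name == "localhost":
                continue
            watched = _watched(name, domains)
            if sink or watched:
                findings.append({"line": lineno, "address": addr, "name": name,
                                 "sinkholed": sink, "watched": watched})
    return findings


if __name__ == "__main__":
    # Pass the real file, e.g. C:\Windows\System32\drivers\etc\hosts, as argv[1].
    text = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE_HOSTS
    for f in find_hosts_hijacks(text):
        tag = "sinkholed" if f["sinkholed"] else "pinned"
        print(f"line {f['line']}: {f['name']} -> {f['address']} ({tag}"
              f"{', security vendor domain' if f['watched'] else ''})")
```

Cleaning up means deleting the flagged lines and leaving the `127.0.0.1 localhost` entry in place; verify afterwards with `ping www.ca.com` or `nslookup`, which should no longer return 127.0.0.1.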
Analysis by Scott Molenkamp and Hamish O'Dea