worm agobot.pu

Discussion in 'WormGuard' started by classico, Mar 11, 2004.

Thread Status:
Not open for further replies.
  1. classico

    classico Guest

    Has anybody encountered the agobot.pu worm?
    I am fighting back by all means but cannot find any proper solution.
    Got some advice from Trend Micro, whose free scan helped discover it.
    I do not think that WormGuard will cope with such a worm. I had Norton; the first thing I knew was that it took over it and shut it down.
    At the moment I am running double anti-virus programs, double firewalls, double anti-spy, etc.
    Any suggestions!!!!

    Many of the recommended free downloads on the Wilders site will be closed by this worm and become null and void. :oops:
     
  2. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Hi classico, TDS3 may be a better bet, as agobot is a DDoS RAT (Remote Access Trojan). It attempts to terminate many AVs and firewalls, but not TDS3 as far as I know.
    TDS3 has many versions of this RAT in its database; you can get the trial version here: http://tds.diamondcs.com.au/index.php?page=download
    Once TDS has detected the file it should give you the option to delete it.

    Hope this helps.

    If you can catch this RAT and zip it up, please send it to submit@diamondcs.com.au
     
  3. Classico

    Classico Guest

    Thank you for the tip. I shall try to zip it if caught. :oops:
     
  4. classico

    classico Guest

    Hi Pilli,
    I could not zip it. But the scans gave me 4 alarms of a file with the same description:
    Suspicious filename - Dual extension: C:\windows\bwunin.6.1.0.153.exe
    Kindly note that the dot between n and 6 was slightly higher than the others.
    Many thanks :)
     
  5. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    If you can't zip it, change the name by adding .tmp behind it, so it can't run.
    And try to attach it to an email then. BTW: in the alarms console, right-click on the file and press Submit so it will be sent away to Gavin.
    Dual extensions in this case are not necessarily suspicious; it would be more so with file.txt ..................exe, for example, of an unknown thing.
    Was the file recently on your system? Any idea what it is? When you right-click on it, can you see what it is?
     
  6. classico

    classico Guest

    Hi,
    I have been fighting this worm for a week; those who alerted me were microtrend.com through their free scan.
    However, the files I mentioned were the files that I had to delete to get rid of this vicious worm. To see a list of what it could do, look at the trendmicro.com site (technical description).
    This vicious worm, from which I got rid, is a real menace, and I understand several worms working according to the same principle are on the way.
    I STRONGLY RECOMMEND THE DIAMONDCS website and the TDS-3 program. IT SAVED ME AND MY COMPUTER.
    BEST REGARDS,
    CLASSICO :)
     
  7. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Thanks classico. Remember to keep your radius file updated; with the trial you have to DL the file and put it in your main TDS3 folder:
    http://tds.diamondcs.com.au/index.php?page=update

    Run a right-click scan on every download and do a regular scan with all scan options enabled on your hard drives. This can take a while, and it is best to disable your AV & other programmes whilst doing the scan.

    HTH Pilli
     
  8. Classico

    Classico Guest

    Hi Pilli and Jooske!
    I ran a simulated trojan attack scan on my computer and the results were not encouraging:
    Trojan 5000 open - Backdoor Setup, Sockets de Trois
    Trojan 9400 open - InCommand
    Trojan 12345 - NetBus, Pie Bill Gates, X-File
    Trojan 20034 - NetBus 2 Pro
    Am I using TDS in the wrong manner? Any comments?
    Best regards, :rolleyes:
    Classico
     
  9. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Do you have the sockets listening in the TDS upper right corner? Meaning you have TDS listening on those sockets, so of course they are in use, but by your security program.
    Anyway, that's a discussion for the TDS forum.

    That site can tell me to delete things, but I first hunt for the originals, zip them and submit them to submit@diamondcs.com.au before deleting them. That is the reason why I never set such online scans to auto-cleaning: I always want to look myself first before I would allow it to delete and cleanse out anything, because of the risk of false positives.
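    Jooske's point above (a port reported as a "trojan port" only means something once you know which process holds it) as an added example, not code from the thread or from DiamondCS. It parses pasted `netstat -ano` and `tasklist` output, joins the two on PID, and says who owns each flagged port. The sample output, the PIDs, the TDS-3 image name and the idea that TDS-3 is the trusted listener are all constructed for the demo; on a real box you would paste your own output.

```python
"""Map 'trojan ports' reported by an online scan to the process that owns them.

Added example; the netstat/tasklist text is constructed, not taken from a real
system. Run `netstat -ano` and `tasklist` on the box and paste the output in.
"""
import re

# Ports the online scan flagged, with the names it printed (from the thread).
FLAGGED_PORTS = {5000: "Backdoor Setup / Sockets de Trois",
                 9400: "InCommand",
                 12345: "NetBus / Pie Bill Gates / X-File",
                 20034: "NetBus 2 Pro"}

# Processes expected to hold listening sockets on purpose. Assumption: the
# TDS-3 image name; anything else owning a flagged port is "unknown".
TRUSTED_LISTENERS = {"tds-3.exe"}

# Constructed sample of `netstat -ano` (Windows layout).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       812
  TCP    0.0.0.0:5000           0.0.0.0:0              LISTENING       1520
  TCP    0.0.0.0:9400           0.0.0.0:0              LISTENING       1520
  TCP    0.0.0.0:12345          0.0.0.0:0              LISTENING       1520
  TCP    0.0.0.0:20034          0.0.0.0:0              LISTENING       1644
"""

# Constructed sample of `tasklist` output.
SAMPLE_TASKLIST = """\
Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
svchost.exe                    812 Console                    0      4,120 K
TDS-3.exe                     1520 Console                    0     18,448 K
bwunin.6.1.0.153.exe          1644 Console                    0      2,912 K
"""

NETSTAT_RE = re.compile(r"^\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING\s+(\d+)\s*$")
TASKLIST_RE = re.compile(r"^(\S.*?)\s+(\d+)\s+\S+\s+\d+\s+[\d,]+ K\s*$")


def parse_listeners(netstat_text):
    """Return {port: pid} for TCP sockets in LISTENING state."""
    listeners = {}
    for line in netstat_text.splitlines():
        m = NETSTAT_RE.match(line)
        if m:
            listeners[int(m.group(1))] = int(m.group(2))
    return listeners


def parse_tasklist(tasklist_text):
    """Return {pid: image_name} from tasklist output (header lines have no PID)."""
    procs = {}
    for line in tasklist_text.splitlines():
        m = TASKLIST_RE.match(line)
        if m:
            procs[int(m.group(2))] = m.group(1).strip()
    return procs


def triage_ports(netstat_text, tasklist_text, flagged=FLAGGED_PORTS,
                 trusted=TRUSTED_LISTENERS):
    """For each flagged port that is really listening, report its owner.

    Returns {port: (image_name, verdict)} with verdict 'trusted' or 'unknown'.
    Flagged ports with no local listener are omitted: the scanner's name for
    a port says nothing about what, if anything, is bound to it here.
    """
    listeners = parse_listeners(netstat_text)
    procs = parse_tasklist(tasklist_text)
    result = {}
    for port in flagged:
        pid = listeners.get(port)
        if pid is None:
            continue
        image = procs.get(pid, "<pid %d not in tasklist>" % pid)
        verdict = "trusted" if image.lower() in trusted else "unknown"
        result[port] = (image, verdict)
    return result


if __name__ == "__main__":
    for port, (image, verdict) in sorted(
            triage_ports(SAMPLE_NETSTAT, SAMPLE_TASKLIST).items()):
        print("%5d  %-25s %-8s (%s)" % (port, image, verdict, FLAGGED_PORTS[port]))
```

    With the constructed data the three ports owned by the TDS-3 process come back as trusted, and port 20034, held by the unexplained executable in the thread, comes back as unknown, which is the one worth chasing. A "trusted" verdict here only means the image name matched; a process can be renamed, so the next step is to check the file itself, not to stop at the name.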
     
  10. dragos

    dragos Guest

    I STRONGLY RECOMMEND THE DIAMONDCS website and the TDS-3 program. IT SAVED ME AND MY COMPUTER.
    BEST REGARDS,
    CLASSICO :)
    But the scans gave me 4 alarms of a file with the same description:
    Suspicious filename - Dual extension: C:\windows\bwunin.6.1.0.153.exe
    Kindly note that the dot between n and 6 was slightly higher than the others.

    I have the same problem as you, and I cannot understand why TDS-3 was useful for you. Like you, I have AGOBOT.PU, and TDS-3 found 4 alarms, one of them bwunin.6.1.0.153.exe.
    What connection is there between AGOBOT and bwunin? I didn't find AGOBOT with TDS-3. So, if you didn't find AGOBOT with TDS-3, how did you clean it?

    Dragos
     
  11. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Did you zip the files and submit them to TDS at submit@diamondcs.com.au, or by pressing the Submit option in the alerts menu?
    Double extensions in general are not the largest problem, but positive or suspicious identifications are.
    How were they detected for you?
     
  12. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    There are many, many variants of Agobot, since it is open source. A Process Memory scan would be the best chance of catching a new variant.

    If you know the filename, PLEASE DO send it in soon for analysis so we can help remove it and have another sample for the broader family detection I am adding (this is very hard, however; I need lots of samples). You should be able to remove it manually by finding the registry startup for it, or just deleting the file in safe mode first.
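    Gavin's manual route above (find the registry startup entry, then deal with the file) and Jooske's earlier remark that a dual extension is only suspicious when a document extension hides in front of an executable one, as one added example that is not code from the thread or from DiamondCS. It parses a `reg export` of a Run key and flags each autostart image with a few heuristics. The .reg text is constructed; the raised dot in the sample filename is an assumption (U+02D9 DOT ABOVE standing in for the "slightly higher dot" classico described), and the document/executable extension lists and the "dropped straight into C:\WINDOWS" check are my own heuristics, not a signature.

```python
"""Triage Run-key autostarts from a `reg export` text file.

Added example; the .reg content below is constructed. On a real box:
  reg export "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" run.reg
(and the same for HKCU), decode the UTF-16 file to text and pass it in.
"""
import re
import unicodedata

# Constructed export. The dot after "bwunin" is U+02D9 DOT ABOVE, an assumed
# stand-in for the raised dot seen in the thread; the other entries are filler.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE"
"NeroCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"Video Driver"="C:\\WINDOWS\\bwunin˙6.1.0.153.exe"
"Readme"="\"C:\\WINDOWS\\readme.txt.exe\" -s"
"Sync"=dword:00000001
"""

KEY_RE = re.compile(r"^\[(.+)\]\s*$")
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"\s*$')

# Heuristic extension lists (assumptions): something that looks like a
# document in front of something Windows will execute.
DOC_EXTS = {"txt", "doc", "jpg", "jpeg", "gif", "pdf", "zip", "htm", "html", "mp3", "avi"}
EXEC_EXTS = {"exe", "com", "scr", "pif", "bat", "cmd", "vbs", "js"}


def unescape(s):
    """Undo .reg string escaping: \\\\ becomes \\ and \\" becomes "."""
    return re.sub(r"\\(.)", r"\1", s)


def image_path(command):
    """Pull the executable out of an autostart command line.

    A quoted path is taken whole; an unquoted one ends at the first space,
    which is exactly the ambiguity an unquoted path with spaces has on Windows.
    """
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0]


def parse_run_keys(reg_text):
    """Yield (key, value_name, command) for every string value in the export."""
    key = None
    for line in reg_text.splitlines():
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = VALUE_RE.match(line)
        if m and key:
            yield key, unescape(m.group(1)), unescape(m.group(2))


def flag_image(path):
    """Return heuristic flags for one autostart image path.

    non_ascii            lookalike/invisible characters in the file name
    deceptive_dual_ext   a document extension hiding before an executable one
    windows_root         executable sitting directly in C:\\WINDOWS (assumes
                         that is the Windows directory; WINNT installs differ)
    """
    flags = []
    win_path = path.replace("/", "\\")
    name = win_path.rsplit("\\", 1)[-1]
    odd = [(c, unicodedata.name(c, "UNKNOWN")) for c in name if ord(c) > 127]
    if odd:
        flags.append("non_ascii:" + ",".join("U+%04X %s" % (ord(c), n) for c, n in odd))
    parts = name.lower().split(".")
    if len(parts) >= 3 and parts[-1] in EXEC_EXTS and any(p in DOC_EXTS for p in parts[1:-1]):
        flags.append("deceptive_dual_ext")
    parent = win_path.rsplit("\\", 1)[0].lower() if "\\" in win_path else ""
    if re.fullmatch(r"[a-z]:\\windows", parent):
        flags.append("windows_root")
    return flags


def triage(reg_text):
    """Return [(value_name, image_path, flags)] for every autostart found."""
    return [(name, image_path(cmd), flag_image(image_path(cmd)))
            for _key, name, cmd in parse_run_keys(reg_text)]


if __name__ == "__main__":
    for name, path, flags in triage(SAMPLE_REG):
        print("%-14s %-40s %s" % (name, path, ", ".join(flags) or "-"))
```

    Note what the version-number filename from the thread does and does not trigger: `bwunin.6.1.0.153.exe` has several dots but no document extension, so it is not a deceptive dual extension, which is Jooske's point; it is flagged for the non-ASCII dot and for living directly in the Windows directory. An entry with no flags is not cleared, only not obviously odd; an autostart you cannot account for still deserves a right-click scan before you delete the file in safe mode as Gavin describes.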
     
  13. Classico

    Classico Guest

    To Dragos!
    I deleted all four files and that was that. End of agobot.
    Good luck! I do not think it helps to delete only one file.
    Classico
     
  14. Madadd

    Madadd Guest

    I have this agobot thing and can't get rid of it. How can I?
    I downloaded the trojan program and it just shut it down.
    Can anybody help me?
    Thanks,
    madadd
     
  15. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Hi Madadd, start reading this thread; will it give you some ideas what to do?
     
  16. Madadd

    Madadd Guest

    I have read this thread. I am not familiar with computers. Can you help me?
    Madadd o_O
     
  17. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    In this thread it is said to get TDS-3 from the DiamondCS site www.diamondcs.com.au
    Install TDS-3.
    Go back to that TDS site and get the latest update of the radius file and put that in the TDS directory.
    Reboot the system, if you had not done so after installing TDS.
    After the reboot start TDS.
    Go to TDS > System Testing > Scan Control.
    Click all the options there are on both tabs for your configuration.
    OK.
    Before you go to the next step, close the other antivirus programs and all applications you don't need at the moment, but things like WormGuard and email and the internet connection and Port Explorer etc. you can keep up (and your firewall, of course); for the rest close as much as possible, giving TDS as much room for this heavy scan as possible.
    Again go to System Testing > Full System Scan,
    and now go drink a coffee or do something useful away from the system, as this can take a while.
    In the end you will see in the bottom console of TDS some alerts.
    Now we want to know which alerts these are.
    So right-click on one of those alerts and you will see a little menu, from which you choose "save as text"; after that it will ask if you want to see that, and you choose Yes.
    Now that is an ordinary Notepad thing, so you can select all there is, and copy and paste that into your next posting here.
    Please keep that alerts window open if possible so we can advise with your posting what to do.
    When that Full System Scan is finished you can start your other scanners again and do the other things you like, such as posting here!

    Looking forward to your scan results.
    But do read this thread here from the first posting through everything written here already, as these postings contain helpful information.
     
  18. classico

    classico Registered Member

    Joined:
    Apr 3, 2004
    Posts:
    3
    Hi,
    I have had the opportunity of running a free online scan at microtrend.com, which can be helpful in checking for the agobot. Further, Symantec has a worm called W32.gaobot.UM which is like the agobot; it establishes itself through the same files. They have a removal tool with the same name at the site www.symantec.com
    However, I would like to make it clear that I managed to clear it with TDS3, and one has to delete all files that the scan points to, even if they have the same name.
    I think one should download the program onto a CD from another computer if one is unable to download it online or run it. Try to install it in safe mode (I do not know if one can install anything in safe mode!!!! MAYBE YOU GUYS HAVE A BETTER OPTION!!! OR OPINION ON THIS).
    BEST REGARDS,
    Classico
     
  19. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    Try renaming TDS-3.EXE to TDS.EXE or something else; then you should be able to run it and kill the trojan. I recommend you post your ASViewer log so we can suggest what files might be the trojan.

    http://www.diamondcs.com.au/index.php?page=asviewer

    Please turn on the options to show all autostarts (press F2, F3, F4), then SAVE and attach the text file here; we will look for suspicious startups. Please also email the text file to support@diamondcs.com.au
     
  20. Nameless77

    Nameless77 Guest

    Hi guys. I have the agobot and I've followed all the instructions in this thread and nothing has helped. The agobot detects the TDS-3 scanner and shuts it down even after I renamed the exe. Someone help?
     
  21. Nameless77

    Nameless77 Guest

    BTW, my virus was named Worm/Agobot.14.B
     
  22. Nameless77

    Nameless77 Guest

    Just emailed my ASViewer log to that email address.
     
  23. Nameless77

    Nameless77 Guest

    The strangest thing just happened. I restarted my computer and it got to the Welcome to Windows screen, then it restarted itself again and again. It must have done this 5 times. Then, when it finally loaded all the way, I was only running 20 processes (usually 22 or higher) and my virus scanners were working. I ran several scanners and reinstalled TDS-3, and when it rebooted for the TDS-3 install the virus scanners and TDS-3 were not working again... they were being shut down like always.
     
  24. poogimmal

    poogimmal Registered Member

    Joined:
    May 7, 2004
    Posts:
    79
    This may or may not be relevant, but recently on the GRC security newsgroups (& probably other places) it was mentioned that the Trend Micro online scanner had been compromised. Not entirely clear if you were merely alerted or if that's where you caught it. You might want to think twice about opening your box to online scanners. If my info is incorrect, sorry; I was just skimming past those GRC posts as I have not used online scanners for a long time.
     
  25. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Nameless, did you get an answer from support, and did it help?
    If not, your email might have got lost in the stream of spam, and it's worth resending, or posting it here or the HijackThis log in the HJT forum here.
     