WORM_AGOBOT.AZ

WORM_AGOBOT.AZ is currently spreading in-the-wild. This non-destructive memory-resident worm exploits certain vulnerabilities to propagate across networks. Like earlier AGOBOT variants, this variant takes advantage of three Windows vulnerabilities, and also uses a long list of passwords to access and propagate into remote machines with weak passwords. This worm functions as a backdoor program and allows malicious users to access infected machines via IRC (Internet Relay Chat). It serves as a bot, waiting for commands from remote users. It also terminates certain Windows processes. WORM_AGOBOT.AZ runs on Windows 2000 and XP.

Upon execution, this worm drops a copy of itself in the Windows system folder as WINCOMM.EXE. To enable its automatic execution at every system startup, it creates two registry entries.

This worm takes advantage of the Remote Procedure Call (RPC) Distributed Component Object Model (DCOM) vulnerability present on Windows NT-based systems, which allows a remote user to gain full access and execute any code on a target machine, leaving it compromised. It looks for vulnerable machines on the network by scanning for random TCP/IP addresses on port 135. It further uses the RPC Locator vulnerability which affects Windows NT systems and searches for vulnerable Windows NT machines on the network by incrementally scanning TCP/IP addresses on port 445. This worm also exploits the IIS5/WEBDAV buffer overrun exploit affecting Windows NT platforms, which enables arbitrary codes to execute on the server.

The worm also searches remote machines on the same network for the following shares and attempts to drop a copy of itself into these shares:

admin$
c$
d$
e$
print$

It logs on using a long list of user names and passwords. Machines with weak passwords may be vulnerable to this attack.

This worm also functions as a backdoor program and allows a malicious user to access the machine via IRC (Internet Relay Chat). It serves as a bot, waiting for the following commands from the remote user to process locally:

quit - quit the bot
longuptime - if uptime is greater 2 days then the bot responds
sysinfo - displays the system information
Status - gives the status of the bot
Rndnick - makes the bot generate a new random nick
Removeallbut - removes the bot if the specified ID does not match
Remove - removes the bot
Nick - changes the bot nick
ID - displays the ID of the current bot
Execute - makes the bot execute a program from the host
Dns - resolves IP/hostname by DNS
Die - terminates the bot
Login - log the user with password verification to the bot
Cdkey - makes the bot get a list of cd keys
List - lists all available commands
Redir_maxthreads - redirect maximum number of threads
Ddos_maxthreads - DDOS maximum number of threads
Scan_maxthreads - scanner maximum number of threads
As_enabled - autostart enabled
As_valname - autostart value name (default: Windows Communicator)
Bot_timeout - timeout for receiving in miliseconds (default: 720000)
Bot_id - current bot running ID (default: sB-vR-D)
Bot_filename - bot filename (default: wincomm.exe)
Bot_version - bot program version (default: 0.4.7-pre1 Alpha)

This worm can process a command that lists a set of registration keys from gaming software. It searches for registration keys for the following games:

Battlefield 1942
Battlefield 1942 Secret Weapons of WWII
Battlefield 1942 The Road to Rome
Command & Conquer Generals
Counter-Strike
Half-Life
Need For Speed Hot Pursuit 2
Neverwinter
Project IGI 2
Red Alert
Red Alert 2
Soldier of Fortune II - Double Helix
Tiberian Sun
UT2003

It prints the stolen keys to the remote user's system.

This worm checks memory for the following programs in five-second intervals and terminates them when found:

FPORT.EXE
JDBGMRG.EXE
LSAS.EXE
MSBLAST.EXE
MSCONFIG.EXE
NETSTAT.EXE
PRCVIEW.EXE
PROCDUMP.EXE
RAVMOND.EXE
REGEDIT.EXE
SCVHOSL.EXE
SCVHOST.EXE
SHELL32.EXE
SYSTREY.EXE
TASKMGR.EXE
TEEKIDS.EXE
WINDOWS.EXE
WINGATE.EXE
WINHELP.EXE
WINRPC.EXE

It also checks memory for the existence of the following programs in an infinite loop and tries to terminate them:

DLLHOST.EXE
MSBLAST.EXE
MSPATCH.EXE
PENIS32.EXE
SCVHOSL.EXE
SCVHOST.EXE
TFTPD.EXE
WINPPR32.EXE

If you would like to scan your computer for WORM_AGOBOT.AZ or thousands of other worms, viruses, Trojans and malicious code, visit HouseCall, Trend Micro's free, online virus scanner at: http://housecall.trendmicro.com

WORM_AGOBOT.AZ is detected and cleaned by Trend Micro pattern file #691 and above.