WORM_AGOBOT.AZ

Discussion in 'malware problems & news' started by Randy_Bell, Dec 5, 2003.

Thread Status:
Not open for further replies.
    Randy_Bell Registered Member
    WORM_AGOBOT.AZ is currently spreading in-the-wild. This non-destructive memory-resident worm exploits certain vulnerabilities to propagate across networks. Like earlier AGOBOT variants, this variant takes advantage of three Windows vulnerabilities, and also uses a long list of passwords to access and propagate into remote machines with weak passwords. This worm functions as a backdoor program and allows malicious users to access infected machines via IRC (Internet Relay Chat). It serves as a bot, waiting for commands from remote users. It also terminates certain Windows processes. WORM_AGOBOT.AZ runs on Windows 2000 and XP.

    Upon execution, this worm drops a copy of itself in the Windows system folder as WINCOMM.EXE. To enable its automatic execution at every system startup, it creates two registry entries.

    This worm takes advantage of the Remote Procedure Call (RPC) Distributed Component Object Model (DCOM) vulnerability present on Windows NT-based systems, which allows a remote user to gain full access and execute any code on a target machine, leaving it compromised. It looks for vulnerable machines on the network by scanning for random TCP/IP addresses on port 135. It further uses the RPC Locator vulnerability which affects Windows NT systems and searches for vulnerable Windows NT machines on the network by incrementally scanning TCP/IP addresses on port 445. This worm also exploits the IIS5/WEBDAV buffer overrun exploit affecting Windows NT platforms, which enables arbitrary code to execute on the server.

    The worm also searches remote machines on the same network for the following shares and attempts to drop a copy of itself into these shares:

    admin$
    c$
    d$
    e$
    print$

    It logs on using a long list of user names and passwords. Machines with weak passwords may be vulnerable to this attack.

    This worm also functions as a backdoor program and allows a malicious user to access the machine via IRC (Internet Relay Chat). It serves as a bot, waiting for the following commands from the remote user to process locally:

    quit - quit the bot
    longuptime - if uptime is greater than 2 days, the bot responds
    sysinfo - displays the system information
    Status - gives the status of the bot
    Rndnick - makes the bot generate a new random nick
    Removeallbut - removes the bot if the specified ID does not match
    Remove - removes the bot
    Nick - changes the bot nick
    ID - displays the ID of the current bot
    Execute - makes the bot execute a program from the host
    Dns - resolves IP/hostname by DNS
    Die - terminates the bot
    Login - log the user with password verification to the bot
    Cdkey - makes the bot get a list of cd keys
    List - lists all available commands
    Redir_maxthreads - redirect maximum number of threads
    Ddos_maxthreads - DDOS maximum number of threads
    Scan_maxthreads - scanner maximum number of threads
    As_enabled - autostart enabled
    As_valname - autostart value name (default: Windows Communicator)
    Bot_timeout - timeout for receiving in milliseconds (default: 720000)
    Bot_id - current bot running ID (default: sB-vR-D)
    Bot_filename - bot filename (default: wincomm.exe)
    Bot_version - bot program version (default: 0.4.7-pre1 Alpha)

    This worm can process a command that lists a set of registration keys from gaming software. It searches for registration keys for the following games:

    Battlefield 1942
    Battlefield 1942 Secret Weapons of WWII
    Battlefield 1942 The Road to Rome
    Command & Conquer Generals
    Counter-Strike
    Half-Life
    Need For Speed Hot Pursuit 2
    Neverwinter
    Project IGI 2
    Red Alert
    Red Alert 2
    Soldier of Fortune II - Double Helix
    Tiberian Sun
    UT2003

    It prints the stolen keys to the remote user's system.

    This worm checks memory for the following programs in five-second intervals and terminates them when found:

    FPORT.EXE
    JDBGMRG.EXE
    LSAS.EXE
    MSBLAST.EXE
    MSCONFIG.EXE
    NETSTAT.EXE
    PRCVIEW.EXE
    PROCDUMP.EXE
    RAVMOND.EXE
    REGEDIT.EXE
    SCVHOSL.EXE
    SCVHOST.EXE
    SHELL32.EXE
    SYSTREY.EXE
    TASKMGR.EXE
    TEEKIDS.EXE
    WINDOWS.EXE
    WINGATE.EXE
    WINHELP.EXE
    WINRPC.EXE

    It also checks memory for the existence of the following programs in an infinite loop and tries to terminate them:

    DLLHOST.EXE
    MSBLAST.EXE
    MSPATCH.EXE
    PENIS32.EXE
    SCVHOSL.EXE
    SCVHOST.EXE
    TFTPD.EXE
    WINPPR32.EXE

    If you would like to scan your computer for WORM_AGOBOT.AZ or thousands of other worms, viruses, Trojans and malicious code, visit HouseCall, Trend Micro's free, online virus scanner at: http://housecall.trendmicro.com

    WORM_AGOBOT.AZ is detected and cleaned by Trend Micro pattern file #691 and above.
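The advisory quoted above says the worm finds new victims by probing random addresses on TCP port 135 and sweeping addresses incrementally on TCP port 445. The script below is an added example (it is not part of the original post or of Trend Micro's write-up) showing how a defender could pick that propagation pattern out of perimeter or host firewall logs: it counts distinct destinations per source on those two ports inside a sliding time window and then classifies the targets as a sequential sweep or scattered probing. The log line format, the ten-second window and the eight-target threshold are all assumptions, and the log lines are constructed for the demonstration.

```python
"""Flag hosts whose outbound connections look like AGOBOT-style propagation
scanning: many distinct destinations on TCP 135 or 445 in a short window.

Added example, not from the advisory. The log format below is an assumption:
    "<YYYY-MM-DD HH:MM:SS> <src_ip> -> <dst_ip>:<dst_port> <action>"
"""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress
import re

SCAN_PORTS = {135, 445}            # ports the advisory says the worm probes
LINE_RE = re.compile(r"^(\S+ \S+) (\S+) -> (\S+):(\d+) (\S+)$")


def _line(offset_s, src, dst, port, action="SYN"):
    """Build one constructed log line at base time + offset_s seconds."""
    ts = datetime(2003, 12, 5, 10, 0, 0) + timedelta(seconds=offset_s)
    return f"{ts:%Y-%m-%d %H:%M:%S} {src} -> {dst}:{port} {action}"


# --- constructed sample traffic (no real hosts) --------------------------
_lines = []
# 10.0.0.17 sweeps 192.168.3.1 .. 192.168.3.12 on 445 over six seconds
for i in range(12):
    _lines.append(_line(i // 2, "10.0.0.17", f"192.168.3.{i + 1}", 445))
# the same host probes unrelated addresses on 135
for i, dst in enumerate(["172.16.9.4", "198.51.100.77", "203.0.113.5",
                         "192.0.2.200", "172.16.40.8", "198.51.100.9",
                         "203.0.113.150", "192.0.2.31"]):
    _lines.append(_line(20 + i, "10.0.0.17", dst, 135))
# benign workstation: two file servers on 445 plus one web request
_lines.append(_line(3, "10.0.0.5", "10.0.0.200", 445, "ACCEPT"))
_lines.append(_line(4, "10.0.0.5", "10.0.0.201", 445, "ACCEPT"))
_lines.append(_line(5, "10.0.0.5", "192.0.2.10", 80, "ACCEPT"))
SAMPLE_LOG = "\n".join(_lines)


def parse_line(line):
    """Return (timestamp, src, dst, port) for a matching line, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
    return ts, m.group(2), m.group(3), int(m.group(4))


def target_pattern(dsts):
    """'sequential' when the destinations form one consecutive run of
    addresses (an incremental sweep), otherwise 'scattered'."""
    nums = sorted(int(ipaddress.ip_address(d)) for d in dsts)
    consecutive = all(b - a == 1 for a, b in zip(nums, nums[1:]))
    return "sequential" if len(nums) > 1 and consecutive else "scattered"


def detect_scanners(log_text, window=timedelta(seconds=10), min_targets=8):
    """Map src_ip -> {port: {"targets": n, "pattern": ...}} for every source
    that reached at least min_targets distinct destinations on one scan port
    within any window-long interval."""
    events = defaultdict(list)                     # (src, port) -> [(ts, dst)]
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed and parsed[3] in SCAN_PORTS:
            ts, src, dst, port = parsed
            events[(src, port)].append((ts, dst))

    hits = {}
    for (src, port), evs in events.items():
        evs.sort()
        start, best = 0, set()
        for end, (ts, _) in enumerate(evs):
            while ts - evs[start][0] > window:     # slide the window forward
                start += 1
            distinct = {d for _, d in evs[start:end + 1]}
            if len(distinct) > len(best):
                best = distinct
        if len(best) >= min_targets:
            hits.setdefault(src, {})[port] = {
                "targets": len(best),
                "pattern": target_pattern(best),
            }
    return hits


if __name__ == "__main__":
    for src, ports in detect_scanners(SAMPLE_LOG).items():
        for port, info in sorted(ports.items()):
            print(f"{src} -> port {port}: {info['targets']} targets, "
                  f"{info['pattern']} scan")
```

On the constructed sample the benign workstation never reaches the threshold, while 10.0.0.17 is reported twice: a sequential sweep on 445 and scattered probing on 135, matching the two propagation behaviours the advisory describes. In practice the window and threshold would be tuned against a baseline of normal SMB and RPC traffic for the network being monitored.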