WORM_AGOBOT.AZ is currently spreading in the wild. This non-destructive, memory-resident worm exploits several vulnerabilities to propagate across networks. Like earlier AGOBOT variants, it takes advantage of three Windows vulnerabilities and also uses a long list of passwords to access and propagate to remote machines with weak passwords. It functions as a backdoor program, allowing malicious users to access infected machines via IRC (Internet Relay Chat), and serves as a bot that waits for commands from remote users. It also terminates certain Windows processes.

WORM_AGOBOT.AZ runs on Windows 2000 and XP.

Upon execution, this worm drops a copy of itself in the Windows system folder as WINCOMM.EXE. To enable its automatic execution at every system startup, it creates two registry entries.

This worm takes advantage of the Remote Procedure Call (RPC) Distributed Component Object Model (DCOM) vulnerability present on Windows NT-based systems, which allows a remote user to gain full access and execute arbitrary code on a target machine, leaving it compromised. It looks for vulnerable machines on the network by scanning random TCP/IP addresses on port 135.

It further uses the RPC Locator vulnerability, which affects Windows NT systems, and searches for vulnerable Windows NT machines on the network by incrementally scanning TCP/IP addresses on port 445.

This worm also exploits the IIS5/WEBDAV buffer overrun vulnerability affecting Windows NT platforms, which enables arbitrary code to execute on the server.

The worm also searches remote machines on the same network for the following shares and attempts to drop a copy of itself into them:
admin$
c$
d$
e$
print$

It logs on using a long list of user names and passwords. Machines with weak passwords may be vulnerable to this attack.

This worm also functions as a backdoor program and allows a malicious user to access the machine via IRC (Internet Relay Chat).
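The two scanning behaviours described above (random addresses on tcp/135, incrementally increasing addresses on tcp/445) are visible from the network side. The following Python is an added example, not part of the Trend Micro advisory: it parses constructed firewall log lines, flags any source that contacts several distinct hosts on those ports, and labels each sweep as sequential or random. The log format, the threshold and all addresses are assumptions made for the example.

```python
import re
from collections import defaultdict
from ipaddress import IPv4Address

# Constructed sample firewall log (not from the advisory): time src dst dport action.
# 10.0.0.5 walks tcp/445 through adjacent addresses, then hits scattered tcp/135 hosts.
SAMPLE_LOG = """\
2004-01-10T10:00:01 10.0.0.5 10.0.0.20 445 DENY
2004-01-10T10:00:01 10.0.0.5 10.0.0.21 445 DENY
2004-01-10T10:00:02 10.0.0.5 10.0.0.22 445 DENY
2004-01-10T10:00:02 10.0.0.5 10.0.0.23 445 DENY
2004-01-10T10:00:03 10.0.0.5 10.0.0.24 445 DENY
2004-01-10T10:00:04 10.0.0.5 172.16.9.4 135 DENY
2004-01-10T10:00:04 10.0.0.5 198.51.100.77 135 DENY
2004-01-10T10:00:05 10.0.0.5 10.44.2.1 135 DENY
2004-01-10T10:00:05 10.0.0.5 203.0.113.9 135 DENY
2004-01-10T10:00:06 10.0.0.5 192.0.2.150 135 DENY
2004-01-10T10:00:07 10.0.0.8 10.0.0.30 445 ALLOW
2004-01-10T10:00:09 10.0.0.8 10.0.0.31 80 ALLOW
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d+) (\w+)$")
SCAN_PORTS = {135, 445}  # the two ports the advisory says the worm probes
THRESHOLD = 4            # distinct destinations on one port before a source is flagged

def parse(log_text):
    """Yield (src, dst, dport) for each well-formed line; malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group(2), m.group(3), int(m.group(4))

def classify(dsts):
    """'sequential' when every destination is the previous one plus one, else 'random'."""
    ints = [int(IPv4Address(d)) for d in dsts]
    steps = [b - a for a, b in zip(ints, ints[1:])]
    return "sequential" if steps and all(s == 1 for s in steps) else "random"

def find_scanners(log_text, threshold=THRESHOLD):
    """Return {src: {port: (distinct_hosts, pattern)}} for sources at or above threshold."""
    seen = defaultdict(lambda: defaultdict(list))  # src -> port -> dsts in first-seen order
    for src, dst, port in parse(log_text):
        if port in SCAN_PORTS and dst not in seen[src][port]:
            seen[src][port].append(dst)
    flagged = {}
    for src, ports in seen.items():
        hits = {p: (len(d), classify(d)) for p, d in ports.items() if len(d) >= threshold}
        if hits:
            flagged[src] = hits
    return flagged
```

Running `find_scanners(SAMPLE_LOG)` flags 10.0.0.5 for a sequential sweep on tcp/445 and a random sweep on tcp/135, while 10.0.0.8 stays below the threshold.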
It serves as a bot, waiting for the following commands from the remote user and processing them locally:
quit - quits the bot
longuptime - the bot responds if its uptime is greater than 2 days
sysinfo - displays the system information
Status - gives the status of the bot
Rndnick - makes the bot generate a new random nick
Removeallbut - removes the bot if the specified ID does not match
Remove - removes the bot
Nick - changes the bot nick
ID - displays the ID of the current bot
Execute - makes the bot execute a program on the host
Dns - resolves an IP address or hostname via DNS
Die - terminates the bot
Login - logs the user in to the bot after password verification
Cdkey - makes the bot collect a list of CD keys
List - lists all available commands
Redir_maxthreads - maximum number of redirect threads
Ddos_maxthreads - maximum number of DDoS threads
Scan_maxthreads - maximum number of scanner threads
As_enabled - autostart enabled
As_valname - autostart value name (default: Windows Communicator)
Bot_timeout - receive timeout in milliseconds (default: 720000)
Bot_id - ID of the running bot (default: sB-vR-D)
Bot_filename - bot filename (default: wincomm.exe)
Bot_version - bot program version (default: 0.4.7-pre1 Alpha)

This worm can process a command that lists a set of registration keys from gaming software. It searches for registration keys for the following games:
Battlefield 1942
Battlefield 1942 Secret Weapons of WWII
Battlefield 1942 The Road to Rome
Command & Conquer Generals
Counter-Strike
Half-Life
Need For Speed Hot Pursuit 2
Neverwinter
Project IGI 2
Red Alert
Red Alert 2
Soldier of Fortune II - Double Helix
Tiberian Sun
UT2003

It sends the stolen keys to the remote user's system.
This worm checks memory for the following programs at five-second intervals and terminates them when found:
FPORT.EXE
JDBGMRG.EXE
LSAS.EXE
MSBLAST.EXE
MSCONFIG.EXE
NETSTAT.EXE
PRCVIEW.EXE
PROCDUMP.EXE
RAVMOND.EXE
REGEDIT.EXE
SCVHOSL.EXE
SCVHOST.EXE
SHELL32.EXE
SYSTREY.EXE
TASKMGR.EXE
TEEKIDS.EXE
WINDOWS.EXE
WINGATE.EXE
WINHELP.EXE
WINRPC.EXE

It also checks memory for the following programs in an infinite loop and tries to terminate them:
DLLHOST.EXE
MSBLAST.EXE
MSPATCH.EXE
PENIS32.EXE
SCVHOSL.EXE
SCVHOST.EXE
TFTPD.EXE
WINPPR32.EXE

If you would like to scan your computer for WORM_AGOBOT.AZ or thousands of other worms, viruses, Trojans and malicious code, visit HouseCall, Trend Micro's free online virus scanner, at: http://housecall.trendmicro.com

WORM_AGOBOT.AZ is detected and cleaned by Trend Micro pattern file #691 and above.