W32/Agobot.AAZ!tr

Aliases: Backdoor.Agobot.3.JV, Backdoor.Win32.Agobot.gen, W32.HLLW.Gaobot.gen, W32/Agobot-Fam, W32/Agobot.AAZ-tr, W32/Agobot.ATN, W32/Gaobot.BKX.worm, W32/Gaobot.worm.gen.g, Win32/Agobot.NLM, Worm.Gaobot.142, WORM_AGOBOT.GEN
Release Date: Feb 11, 2005
Detection Availability
                 Active Database   Extended Database
  FortiGate      low               high
  FortiClient
  FortiMail      N/A
Current Antivirus Definition Database Version: 11.586
CVE: CVE-2003-0003
Description

Visible Symptoms

  • The file bomsvc32.exe exists in the System folder.
  • Possible termination of the firewall or other security applications, including antivirus monitors.
  • Inability to connect with certain security related websites.

Detailed Analysis

  • Sample is packed in ExeStealth.

  • Copies itself to the System folder as bomsvc32.exe.


    Autostart Mechanism

  • Creates the following registry entry:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
      Bomsvc32 = "bomsvc32.exe"

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
      Bomsvc32 = "bomsvc32.exe"

    Network Propagation

  • Propagates by exploiting the following vulnerabilities:

    Backdoor and/or Trojan Behavior

  • Connects to an Internet Relay Chat (IRC) server and listens for commands that allow the remote attacker to perform a number of malicious actions, such as the following:

    • Send a raw message to the IRC server
    • Send a private message
    • Change the server to connect to
    • Change the channel to connect to
    • Send information such as CD keys, passwords, system and network information to the remote user
    • Send a file
    • Enable and delete shares
    • Execute files
    • Terminate known security-related processes
    • List, start and terminate services
    • Add and delete autostart registry values
    • Log keystrokes
    • List and terminate running processes

  • Attempts to terminate the following security-related processes:

    • F-AGOBOT.EXE
    • HIJACKTHIS.EXE
    • _AVPM.EXE
    • _AVPCC.EXE
    • _AVP32.EXE
    • ZONEALARM.EXE
    • ZONALM2601.EXE
    • ZATUTOR.EXE
    • ZAPSETUP3001.EXE
    • ZAPRO.EXE
    • XPF202EN.EXE
    • WYVERNWORKSFIREWALL.EXE
    • WUPDT.EXE
    • WUPDATER.EXE
    • WSBGATE.EXE
    • WRCTRL.EXE
    • WRADMIN.EXE
    • WNT.EXE
    • WNAD.EXE
    • WKUFIND.EXE
    • WINUPDATE.EXE
    • WINTSK32.EXE
    • WINSTART001.EXE
    • WINSTART.EXE
    • WINSSK32.EXE
    • WINSERVN.EXE
    • WINRECON.EXE
    • WINPPR32.EXE
    • WINNET.EXE
    • WINMAIN.EXE
    • WINLOGIN.EXE
    • WININITX.EXE
    • WININIT.EXE
    • WININETD.EXE
    • WINDOWS.EXE
    • WINDOW.EXE
    • WINACTIVE.EXE
    • WIN32US.EXE
    • WIN32.EXE
    • WIN-BUGSFIX.EXE
    • WIMMUN32.EXE
    • WHOSWATCHINGME.EXE
    • WGFE95.EXE
    • WFINDV32.EXE
    • WEBTRAP.EXE
    • WEBSCANX.EXE
    • WEBDAV.EXE
    • WATCHDOG.EXE
    • W9X.EXE
    • W32DSM89.EXE
    • VSWINPERSE.EXE
    • VSWINNTSE.EXE
    • VSWIN9XE.EXE
    • VSSTAT.EXE
    • VSMON.EXE
    • VSMAIN.EXE
    • VSISETUP.EXE
    • VSHWIN32.EXE
    • VSECOMR.EXE
    • VSCHED.EXE
    • VSCENU6.02D30.EXE
    • VSCAN40.EXE
    • VPTRAY.EXE
    • VPFW30S.EXE
    • VPC42.EXE
    • VPC32.EXE
    • VNPC3000.EXE
    • VNLAN300.EXE
    • VIRUSMDPERSONALFIREWALL.EXE
    • VIR-HELP.EXE
    • VFSETUP.EXE
    • VETTRAY.EXE
    • VET95.EXE
    • VET32.EXE
    • VCSETUP.EXE
    • VBWINNTW.EXE
    • VBWIN9X.EXE
    • VBUST.EXE
    • VBCONS.EXE
    • VBCMSERV.EXE
    • UTPOST.EXE
    • UPGRAD.EXE
    • UPDAT.EXE
    • UNDOBOOT.EXE
    • TVTMD.EXE
    • TVMD.EXE
    • TSADBOT.EXE
    • TROJANTRAP3.EXE
    • TRJSETUP.EXE
    • TRJSCAN.EXE
    • TRICKLER.EXE
    • TRACERT.EXE
    • TITANINXP.EXE
    • TITANIN.EXE
    • TGBOB.EXE
    • TFAK5.EXE
    • TFAK.EXE
    • TEEKIDS.EXE
    • TDS2-NT.EXE
    • TDS2-98.EXE
    • TDS-3.EXE
    • TCM.EXE
    • TCA.EXE
    • TC.EXE
    • TBSCAN.EXE
    • TAUMON.EXE
    • TASKMON.EXE
    • TASKMO.EXE
    • TASKMG.EXE
    • SYSUPD.EXE
    • SYSTEM32.EXE
    • SYSTEM.EXE
    • SYSEDIT.EXE
    • SYMTRAY.EXE
    • SYMPROXYSVC.EXE
    • SWEEPNET.SWEEPSRV.SYS.SWNETSUP.EXE
    • SWEEP95.EXE
    • SVSHOST.EXE
    • SVCHOSTS.EXE
    • SVCHOSTC.EXE
    • SVC.EXE
    • SUPPORTER5.EXE
    • SUPPORT.EXE
    • SUPFTRL.EXE
    • STCLOADER.EXE
    • START.EXE
    • ST2.EXE
    • SSG_4104.EXE
    • SSGRATE.EXE
    • SS3EDIT.EXE
    • SRNG.EXE
    • SREXE.EXE
    • SPYXX.EXE
    • SPOOLSV32.EXE
    • SPOOLCV.EXE
    • SPOLER.EXE
    • SPHINX.EXE
    • SPF.EXE
    • SPERM.EXE
    • SOFI.EXE
    • SOAP.EXE
    • SMSS32.EXE
    • SMS.EXE
    • SMC.EXE
    • SHOWBEHIND.EXE
    • SHN.EXE
    • UPDATE.EXE
    • SHELLSPYINSTALL.EXE
    • SH.EXE
    • SGSSFW32.EXE
    • SFC.EXE
    • SETUP_FLOWPROTECTOR_US.EXE
    • SETUPVAMEEVAL.EXE
    • SERVLCES.EXE
    • SERVLCE.EXE
    • SERVICE.EXE
    • SERV95.EXE
    • SD.EXE
    • SCVHOST.EXE
    • SCRSVR.EXE
    • SCRSCAN.EXE
    • SCANPM.EXE
    • SCAN95.EXE
    • SCAN32.EXE
    • SCAM32.EXE
    • SC.EXE
    • SBSERV.EXE
    • SAVENOW.EXE
    • SAVE.EXE
    • SAHAGENT.EXE
    • SAFEWEB.EXE
    • RUXDLL32.EXE
    • RUNDLL16.EXE
    • RUNDLL.EXE
    • RUN32DLL.EXE
    • RULAUNCH.EXE
    • RTVSCN95.EXE
    • RTVSCAN.EXE
    • RSHELL.EXE
    • RRGUARD.EXE
    • RESCUE32.EXE
    • RESCUE.EXE
    • REGEDT32.EXE
    • REGEDIT.EXE
    • REGED.EXE
    • REALMON.EXE
    • RCSYNC.EXE
    • RB32.EXE
    • RAY.EXE
    • RAV8WIN32ENG.EXE
    • RAV7WIN.EXE
    • RAV7.EXE
    • RAPAPP.EXE
    • QSERVER.EXE
    • QCONSOLE.EXE
    • PVIEW95.EXE
    • PUSSY.EXE
    • PURGE.EXE
    • PSPF.EXE
    • PROTECTX.EXE
    • PROPORT.EXE
    • PROGRAMAUDITOR.EXE
    • PROCEXPLORERV1.0.EXE
    • PROCESSMONITOR.EXE
    • PROCDUMP.EXE
    • PRMVR.EXE
    • PRMT.EXE
    • PRIZESURFER.EXE
    • PPVSTOP.EXE
    • PPTBC.EXE
    • PPINUPDT.EXE
    • POWERSCAN.EXE
    • PORTMONITOR.EXE
    • PORTDETECTIVE.EXE
    • POPSCAN.EXE
    • POPROXY.EXE
    • POP3TRAP.EXE
    • PLATIN.EXE
    • PINGSCAN.EXE
    • PGMONITR.EXE
    • PFWADMIN.EXE
    • PF2.EXE
    • PERSWF.EXE
    • PERSFW.EXE
    • PERISCOPE.EXE
    • PENIS.EXE
    • PDSETUP.EXE
    • PCSCAN.EXE
    • PCIP10117_0.EXE
    • PCFWALLICON.EXE
    • PCDSETUP.EXE
    • PCCWIN98.EXE
    • PCCWIN97.EXE
    • PCCNTMON.EXE
    • PCCIOMON.EXE
    • PCC2K_76_1436.EXE
    • PCC2002S902.EXE
    • PAVW.EXE
    • PAVSCHED.EXE
    • PAVPROXY.EXE
    • PAVCL.EXE
    • PATCH.EXE
    • PANIXK.EXE
    • PADMIN.EXE
    • OUTPOSTPROINSTALL.EXE
    • OUTPOSTINSTALL.EXE
    • OTFIX.EXE
    • OSTRONET.EXE
    • OPTIMIZE.EXE
    • ONSRVR.EXE
    • OLLYDBG.EXE
    • NWTOOL16.EXE
    • NWSERVICE.EXE
    • NWINST4.EXE
    • NVSVC32.EXE
    • NVC95.EXE
    • NVARCH16.EXE
    • NUI.EXE
    • NTXconfig.EXE
    • NTVDM.EXE
    • NTRTSCAN.EXE
    • NT.EXE
    • NSUPDATE.EXE
    • NSTASK32.EXE
    • NSSYS32.EXE
    • NSCHED32.EXE
    • NPSSVC.EXE
    • NPSCHECK.EXE
    • NPROTECT.EXE
    • NPFMESSENGER.EXE
    • NPF40_TW_98_NT_ME_2K.EXE
    • NOTSTART.EXE
    • NORTON_INTERNET_SECU_3.0_407.EXE
    • NORMIST.EXE
    • NOD32.EXE
    • NMAIN.EXE
    • NISUM.EXE
    • NISSERV.EXE
    • NETUTILS.EXE
    • NETSTAT.EXE
    • NETSPYHUNTER-1.2.EXE
    • NETSCANPRO.EXE
    • NETMON.EXE
    • NETINFO.EXE
    • NETD32.EXE
    • NETARMOR.EXE
    • NEOWATCHLOG.EXE
    • NEOMONITOR.EXE
    • NDD32.EXE
    • NCINST4.EXE
    • NC2000.EXE
    • NAVWNT.EXE
    • NAVW32.EXE
    • NAVSTUB.EXE
    • NAVNT.EXE
    • NAVLU32.EXE
    • NAVENGNAVEX15.NAVLU32.EXE
    • NAVDX.EXE
    • NAVAPW32.EXE
    • NAVAPSVC.EXE
    • NAVAP.NAVAPSVC.EXE
    • AUTO-PROTECT.NAV80TRY.EXE
    • NAV.EXE
    • OUTPOST.EXE
    • NUPGRADE.EXE
    • N32SCANW.EXE
    • MWATCH.EXE
    • MU0311AD.EXE
    • MSVXD.EXE
    • MSSYS.EXE
    • MSSMMC32.EXE
    • MSMSGRI32.EXE
    • MSMGT.EXE
    • MSLAUGH.EXE
    • MSINFO32.EXE
    • MSIEXEC16.EXE
    • MSDOS.EXE
    • MSDM.EXE
    • MSCONFIG.EXE
    • MSCMAN.EXE
    • MSCCN32.EXE
    • MSCACHE.EXE
    • MSBLAST.EXE
    • MSBB.EXE
    • MSAPP.EXE
    • MRFLUX.EXE
    • MPFTRAY.EXE
    • MPFSERVICE.EXE
    • MPFAGENT.EXE
    • MOSTAT.EXE
    • MOOLIVE.EXE
    • MONITOR.EXE
    • MMOD.EXE
    • MINILOG.EXE
    • MGUI.EXE
    • MGHTML.EXE
    • MGAVRTE.EXE
    • MGAVRTCL.EXE
    • MFWENG3.02D30.EXE
    • MFW2EN.EXE
    • MFIN32.EXE
    • MD.EXE
    • MCVSSHLD.EXE
    • MCVSRTE.EXE
    • MCTOOL.EXE
    • MCSHIELD.EXE
    • MCMNHDLR.EXE
    • MCAGENT.EXE
    • MAPISVC32.EXE
    • LUSPT.EXE
    • LUINIT.EXE
    • LUCOMSERVER.EXE
    • LUAU.EXE
    • LSETUP.EXE
    • LORDPE.EXE
    • LOOKOUT.EXE
    • LOCKDOWN2000.EXE
    • LOCKDOWN.EXE
    • LOCALNET.EXE
    • LOADER.EXE
    • LNETINFO.EXE
    • LDSCAN.EXE
    • LDPROMENU.EXE
    • LDPRO.EXE
    • LDNETMON.EXE
    • LAUNCHER.EXE
    • KILLPROCESSSETUP161.EXE
    • KERNEL32.EXE
    • KERIO-WRP-421-EN-WIN.EXE
    • KERIO-WRL-421-EN-WIN.EXE
    • KERIO-PF-213-EN-WIN.EXE
    • KEENVALUE.EXE
    • KAZZA.EXE
    • KAVPF.EXE
    • KAVPERS40ENG.EXE
    • KAVLITE40ENG.EXE
    • JEDI.EXE
    • JDBGMRG.EXE
    • JAMMER.EXE
    • ISTSVC.EXE
    • MCUPDATE.EXE
    • LUALL.EXE
    • ISRV95.EXE
    • ISASS.EXE
    • IRIS.EXE
    • IPARMOR.EXE
    • IOMON98.EXE
    • INTREN.EXE
    • INTDEL.EXE
    • INIT.EXE
    • INFWIN.EXE
    • INFUS.EXE
    • INETLNFO.EXE
    • IFW2000.EXE
    • IFACE.EXE
    • IEXPLORER.EXE
    • IEDRIVER.EXE
    • IEDLL.EXE
    • IDLE.EXE
    • ICSUPPNT.EXE
    • ICMON.EXE
    • ICLOADNT.EXE
    • ICLOAD95.EXE
    • IBMAVSP.EXE
    • IBMASN.EXE
    • IAMSTATS.EXE
    • IAMSERV.EXE
    • IAMAPP.EXE
    • HXIUL.EXE
    • HXDL.EXE
    • HWPE.EXE
    • HTPATCH.EXE
    • HTLOG.EXE
    • HOTPATCH.EXE
    • HOTACTIO.EXE
    • HBSRV.EXE
    • HBINST.EXE
    • HACKTRACERSETUP.EXE
    • GUARDDOG.EXE
    • GUARD.EXE
    • GMT.EXE
    • GENERICS.EXE
    • GBPOLL.EXE
    • GBMENU.EXE
    • GATOR.EXE
    • FSMB32.EXE
    • FSMA32.EXE
    • FSM32.EXE
    • FSGK32.EXE
    • FSAV95.EXE
    • FSAV530WTBYB.EXE
    • FSAV530STBYB.EXE
    • FSAV32.EXE
    • FSAV.EXE
    • FSAA.EXE
    • FRW.EXE
    • FPROT.EXE
    • FP-WIN_TRIAL.EXE
    • FP-WIN.EXE
    • FNRB32.EXE
    • FLOWPROTECTOR.EXE
    • FIREWALL.EXE
    • FINDVIRU.EXE
    • FIH32.EXE
    • FCH32.EXE
    • FAST.EXE
    • FAMEH32.EXE
    • F-STOPW.EXE
    • F-PROT95.EXE
    • F-PROT.EXE
    • F-AGNT95.EXE
    • EXPLORE.EXE
    • EXPERT.EXE
    • EXE.AVXW.EXE
    • EXANTIVIRUS-CNET.EXE
    • EVPN.EXE
    • ETRUSTCIPE.EXE
    • ETHEREAL.EXE
    • ESPWATCH.EXE
    • ESCANV95.EXE
    • ICSUPP95.EXE
    • ESCANHNT.EXE
    • ESCANH95.EXE
    • ESAFE.EXE
    • ENT.EXE
    • EMSW.EXE
    • EFPEADM.EXE
    • ECENGINE.EXE
    • DVP95_0.EXE
    • DVP95.EXE
    • DSSAGENT.EXE
    • DRWEBUPW.EXE
    • DRWEB32.EXE
    • DRWATSON.EXE
    • DPPS2.EXE
    • DPFSETUP.EXE
    • DPF.EXE
    • DOORS.EXE
    • DLLREG.EXE
    • DLLCACHE.EXE
    • DIVX.EXE
    • DEPUTY.EXE
    • DEFWATCH.EXE
    • DEFSCANGUI.EXE
    • DEFALERT.EXE
    • DCOMX.EXE
    • DATEMANAGER.EXE
    • Claw95.EXE
    • CWNTDWMO.EXE
    • CWNB181.EXE
    • CV.EXE
    • CTRL.EXE
    • CPFNT206.EXE
    • CPF9X206.EXE
    • CPD.EXE
    • CONNECTIONMONITOR.EXE
    • CMON016.EXE
    • CMGRDIAN.EXE
    • CMESYS.EXE
    • CMD32.EXE
    • CLICK.EXE
    • CLEANPC.EXE
    • CLEANER3.EXE
    • CLEANER.EXE
    • CLEAN.EXE
    • CFINET32.EXE
    • CFINET.EXE
    • CFIADMIN.EXE
    • CFGWIZ.EXE
    • CFD.EXE
    • CDP.EXE
    • CCPXYSVC.EXE
    • CCEVTMGR.EXE
    • CCAPP.EXE
    • BVT.EXE
    • BUNDLE.EXE
    • BS120.EXE
    • BRASIL.EXE
    • BPC.EXE
    • BORG2.EXE
    • BOOTWARN.EXE
    • BOOTCONF.EXE
    • BLSS.EXE
    • BLACKICE.EXE
    • BLACKD.EXE
    • BISP.EXE
    • BIPCPEVALSETUP.EXE
    • BIPCP.EXE
    • BIDSERVER.EXE
    • BIDEF.EXE
    • BELT.EXE
    • BEAGLE.EXE
    • BD_PROFESSIONAL.EXE
    • BARGAINS.EXE
    • BACKWEB.EXE
    • CLAW95CF.EXE
    • CFIAUDIT.EXE
    • AVXMONITORNT.EXE
    • AVXMONITOR9X.EXE
    • AVWUPSRV.EXE
    • AVWUPD.EXE
    • AVWINNT.EXE
    • AVWIN95.EXE
    • AVSYNMGR.EXE
    • AVSCHED32.EXE
    • AVPTC32.EXE
    • AVPM.EXE
    • AVPDOS32.EXE
    • AVPCC.EXE
    • AVP32.EXE
    • AVP.EXE
    • AVNT.EXE
    • AVLTMAIN.EXE
    • AVKWCTl9.EXE
    • AVKSERVICE.EXE
    • AVKSERV.EXE
    • AVKPOP.EXE
    • AVGW.EXE
    • AVGUARD.EXE
    • AVGSERV9.EXE
    • AVGSERV.EXE
    • AVGNT.EXE
    • AVGCTRL.EXE
    • AVGCC32.EXE
    • AVE32.EXE
    • AVCONSOL.EXE
    • AU.EXE
    • ATWATCH.EXE
    • ATRO55EN.EXE
    • ATGUARD.EXE
    • ATCON.EXE
    • ARR.EXE
    • APVXDWIN.EXE
    • APLICA32.EXE
    • APIMONITOR.EXE
    • ANTS.EXE
    • ANTIVIRUS.EXE
    • ANTI-TROJAN.EXE
    • AMON9X.EXE
    • ALOGSERV.EXE
    • ALEVIR.EXE
    • ALERTSVC.EXE
    • AGENTW.EXE
    • AGENTSVR.EXE
    • ADVXDWIN.EXE
    • ADAWARE.EXE
    • AVXQUAR.EXE
    • ACKWIN32.EXE
    • AVWUPD32.EXE
    • AVPUPD.EXE
    • AUTOUPDATE.EXE
    • AUTOTRACE.EXE
    • AUTODOWN.EXE
    • AUPDATE.EXE
    • ATUPDATER.EXE

  • Prevents the infected system from connecting to update servers and various other security related web pages by adding the following to the local HOSTS file:
    127.0.0.1 www.trendmicro.com
    127.0.0.1 trendmicro.com
    127.0.0.1 rads.mcafee.com
    127.0.0.1 customer.symantec.com
    127.0.0.1 liveupdate.symantec.com
    127.0.0.1 us.mcafee.com
    127.0.0.1 updates.symantec.com
    127.0.0.1 update.symantec.com
    127.0.0.1 www.nai.com
    127.0.0.1 nai.com
    127.0.0.1 secure.nai.com
    127.0.0.1 dispatch.mcafee.com
    127.0.0.1 download.mcafee.com
    127.0.0.1 www.my-etrust.com
    127.0.0.1 my-etrust.com
    127.0.0.1 mast.mcafee.com
    127.0.0.1 ca.com
    127.0.0.1 www.ca.com
    127.0.0.1 networkassociates.com
    127.0.0.1 www.networkassociates.com
    127.0.0.1 avp.com
    127.0.0.1 www.kaspersky.com
    127.0.0.1 www.avp.com
    127.0.0.1 kaspersky.com
    127.0.0.1 www.f-secure.com
    127.0.0.1 f-secure.com
    127.0.0.1 viruslist.com
    127.0.0.1 www.viruslist.com
    127.0.0.1 liveupdate.symantecliveupdate.com
    127.0.0.1 mcafee.com
    127.0.0.1 www.mcafee.com
    127.0.0.1 sophos.com
    127.0.0.1 www.sophos.com
    127.0.0.1 symantec.com
    127.0.0.1 securityresponse.symantec.com
    127.0.0.1 www.symantec.com

  • Steals the Windows Product ID and CD keys of popular games, such as the following:

    • Unreal Tournament 2004
    • Unreal Tournament 2003
    • The Gladiators
    • Soldier of Fortune II - Double Helix
    • Soldiers of Anarchy
    • Shogun Total War - Warlord Edition
    • Ravenshield
    • Neverwinter Nights
    • Need For Speed: Underground
    • Need For Speed: Hot Pursuit 2
    • NHL 2003
    • NHL 2002
    • Nascar Racing 2003
    • Nascar Racing 2002
    • Medal of Honor: Allied Assault: Spearhead
    • Medal of Honor: Allied Assault: Breakthrough
    • Medal of Honor: Allied Assault:
    • James Bond 007: Nightfire
    • Industry Giant 2
    • IGI2: Covert Strike
    • Hidden and Dangerous 2
    • Half-Life
    • Gunman Chronicles
    • Global Operations
    • Freedom Force
    • FIFA 2003
    • FIFA 2002
    • Counter-Strike
    • Command and Conquer: Tiberian Sun
    • Command and Conquer: Red Alert2
    • Command and Conquer: Generals: Zero Hour
    • Command and Conquer: Generals
    • Black and White
    • Battlefield 1942: Vietnam
    • Battlefield 1942: The Road To Rome
    • Battlefield 1942: Secret Weapons Of WWII
    • Battlefield 1942
    • Call Of Duty
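A defender-side check for the autostart registry values and HOSTS-file redirections described in this entry, added here as an example and not part of the Fortinet write-up: the HOSTS parser, the dict shape assumed for an exported Run/RunServices key, and the sample inputs are all constructed, and 0.0.0.0 and ::1 are included as a generalization beyond the 127.0.0.1 the entry names.

```python
"""Added example: flag the HOSTS and Run/RunServices indicators this entry
lists (constructed sample data; not Fortinet code)."""

# Subset of the domains this entry says the bot maps to 127.0.0.1.
VENDOR_DOMAINS = {
    "www.trendmicro.com", "liveupdate.symantec.com", "update.symantec.com",
    "download.mcafee.com", "www.kaspersky.com", "www.f-secure.com",
    "www.sophos.com", "securityresponse.symantec.com", "www.symantec.com",
}
# The entry names only 127.0.0.1; 0.0.0.0 and ::1 are the same sinkhole trick.
SINKHOLE_ADDRS = {"127.0.0.1", "0.0.0.0", "::1"}
AUTOSTART_NAME = "bomsvc32"      # registry value name from this entry
DROPPED_FILE = "bomsvc32.exe"    # file dropped into the System folder

def hosts_hijacks(hosts_text):
    """Return (domain, address) pairs where a vendor domain is sinkholed."""
    hits = []
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and whitespace
        if not line:
            continue
        addr, *names = line.split()               # HOSTS: address then names
        for name in names:
            if name.lower() in VENDOR_DOMAINS and addr in SINKHOLE_ADDRS:
                hits.append((name.lower(), addr))
    return hits

def autostart_hits(run_keys):
    """run_keys: {registry key: {value name: data}} exported from Run/RunServices
    (assumed shape). Return (key, name, data) for values matching this entry."""
    hits = []
    for key, values in run_keys.items():
        for name, data in values.items():
            if name.lower() == AUTOSTART_NAME or DROPPED_FILE in data.lower():
                hits.append((key, name, data))
    return hits

# Constructed sample inputs mimicking an infected host.
SAMPLE_HOSTS = """# constructed HOSTS file
127.0.0.1 localhost
127.0.0.1 www.symantec.com
127.0.0.1 liveupdate.symantec.com   # appended by the bot
"""
SAMPLE_RUN_KEYS = {
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run":
        {"Bomsvc32": "bomsvc32.exe", "ctfmon": "ctfmon.exe"},
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices":
        {"Bomsvc32": "bomsvc32.exe"},
}
```

On a live Windows host the same functions can be fed the contents of %SystemRoot%\System32\drivers\etc\hosts and a `reg export` of the two keys.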
Description Last Updated Date: Sep 21, 2006
Reference: ID - 11081