Aliases: Backdoor.Win32.SdBot.gen [KAV], W32/Agobot.OY!worm, W32/Sdbot.worm.gen.k [McAfee]

Visible Symptoms

(none listed)
Detailed Analysis

This virus is 32-bit with a packed file size of 49,238 bytes. It contains code to connect to an IRC server and await commands and instructions from a malicious user.

IRC Connections

When run, the virus performs a DNS lookup for the IP address of 'uld3r.q8hell.org'. This currently resolves to 69.64.34.124. Once connected (using TCP port 6667), the virus awaits instructions from malicious users. This is a partial list of the instructions it accepts:
  - ping
  - redirect
  - download
  - clone
  - syn
  - update

Loading at Windows Startup

When run on a target, the virus registers itself to run automatically at each Windows startup:
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ "dfe CTRLx Shift" = et3rd.exe
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\ "dfe CTRLx Shift" = et3rd.exe

Miscellaneous

The virus contains this string, which is never displayed:
  sdbot 0.5b with SYN flood by [sd]
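The persistence and network indicators in the analysis above can be turned into a simple host and log check. The script below is an added example, not part of this entry or of any Fortinet tooling. It assumes a .reg-style export of the two Run keys and a few constructed DNS and connection log lines in a made-up format; the registry value name, dropped file name, hostname, IP and port are the ones stated above, and the IP is only the resolution the entry reported at the time, so the hostname and port are the more durable indicators.

```python
import re

# Indicators taken from the analysis above. The IP was the resolution the
# entry listed at the time; DNS answers change, so treat hostname and port
# as the primary network indicators.
PERSISTENCE_KEYS = {
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices",
}
VALUE_NAME = "dfe CTRLx Shift"
DROPPED_FILE = "et3rd.exe"
C2_HOST = "uld3r.q8hell.org"
C2_IP = "69.64.34.124"
IRC_PORT = 6667


def parse_reg_export(text):
    """Parse a minimal .reg export: [key] headers followed by "name"="data" lines.

    Returns a list of (key, value_name, data) tuples. Only REG_SZ string
    values are handled, which is all the Run keys need for this check."""
    entries = []
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and line.startswith('"'):
            m = re.match(r'"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$', line)
            if m:
                entries.append((key, m.group(1), m.group(2)))
    return entries


def find_persistence(entries):
    """Return Run/RunServices entries whose value name or data matches the indicators."""
    hits = []
    for key, name, data in entries:
        if key not in PERSISTENCE_KEYS:
            continue
        if name == VALUE_NAME or data.lower().endswith(DROPPED_FILE):
            hits.append((key, name, data))
    return hits


def find_network_indicators(log_lines):
    """Flag log lines that mention the C2 hostname, its listed IP, or TCP/6667.

    The log format is a constructed one for this example (see SAMPLE_LOGS);
    adapt the field matching to your own DNS and firewall logs."""
    hits = []
    for line in log_lines:
        reasons = []
        if C2_HOST in line:
            reasons.append("c2-hostname")
        if C2_IP in line:
            reasons.append("c2-ip")
        if re.search(r"\bdport=%d\b" % IRC_PORT, line):
            reasons.append("irc-port")
        if reasons:
            hits.append((line, reasons))
    return hits


# Constructed sample input (not captured from a real host).
SAMPLE_REG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"dfe CTRLx Shift"="et3rd.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"dfe CTRLx Shift"="et3rd.exe"
"""

SAMPLE_LOGS = [
    "dns query host=ws01 name=uld3r.q8hell.org",
    "conn host=ws01 proto=tcp dst=69.64.34.124 dport=6667",
    "conn host=ws01 proto=tcp dst=10.0.0.5 dport=443",
]

if __name__ == "__main__":
    for hit in find_persistence(parse_reg_export(SAMPLE_REG)):
        print("persistence:", hit)
    for line, reasons in find_network_indicators(SAMPLE_LOGS):
        print("network:", reasons, line)
```

On a real host, the registry portion can be fed from `reg export HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run run.reg` (and the RunServices key likewise); a match on the value name alone is a strong indicator, while a match on the file name only should be confirmed by locating and hashing the file.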
Recommended Action

Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system. If required, enable the "Allow Push Update" option.