W32/AgoBot.fam!worm
Analysis
- Creates a mutex named bgf to make sure that only one instance is running.
- Exits if it is being executed under a debugger such as SoftICE.
- Copies itself to the System folder as srscast32.exe, then executes that copy.
Autostart Mechanism
- Creates the following registry entries:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
Bcvsrv = "srscast32.exe"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
Bcvsrv = "srscast32.exe"
Network Propagation
- Exploits the following vulnerabilities:
- Microsoft Remote Procedure Call (RPC) Distributed Component Object Model (DCOM) Vulnerability
- Windows Workstation Service Remote Buffer Overflow
- Microsoft Windows Local Security Authority Subsystem Service (LSASS) Vulnerability
Backdoor and/or Trojan Behavior
- Attempts to terminate certain processes, some of which may be security related, such as:
- _AVP32.EXE
- _AVPCC.EXE
- _AVPM.EXE
- ACKWIN32.EXE
- ADAWARE.EXE
- ADVXDWIN.EXE
- AGENTSVR.EXE
- AGENTW.EXE
- ALERTSVC.EXE
- ALEVIR.EXE
- ALOGSERV.EXE
- AMON9X.EXE
- ANTI-TROJAN.EXE
- ANTIVIRUS.EXE
- ANTS.EXE
- APIMONITOR.EXE
- APLICA32.EXE
- APVXDWIN.EXE
- ARR.EXE
- ATCON.EXE
- ATGUARD.EXE
- ATRO55EN.EXE
- ATUPDATER.EXE
- ATWATCH.EXE
- AU.EXE
- AUPDATE.EXE
- AUTO-PROTECT.NAV80TRY.EXE
- AUTODOWN.EXE
- AUTOTRACE.EXE
- AUTOUPDATE.EXE
- Prevents the infected system from connecting to update servers and various other security related web pages by adding the following to the local HOSTS file:
127.0.0.1 www.symantec.com
127.0.0.1 securityresponse.symantec.com
127.0.0.1 symantec.com
127.0.0.1 www.sophos.com
127.0.0.1 sophos.com
127.0.0.1 www.mcafee.com
127.0.0.1 mcafee.com
127.0.0.1 liveupdate.symantecliveupdate.com
127.0.0.1 www.viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 f-secure.com
127.0.0.1 www.f-secure.com
127.0.0.1 kaspersky.com
127.0.0.1 www.avp.com
127.0.0.1 www.kaspersky.com
127.0.0.1 avp.com
127.0.0.1 www.networkassociates.com
127.0.0.1 networkassociates.com
127.0.0.1 www.ca.com
127.0.0.1 ca.com
127.0.0.1 mast.mcafee.com
127.0.0.1 my-etrust.com
127.0.0.1 www.my-etrust.com
127.0.0.1 download.mcafee.com
127.0.0.1 dispatch.mcafee.com
127.0.0.1 secure.nai.com
127.0.0.1 nai.com
127.0.0.1 www.nai.com
127.0.0.1 update.symantec.com
127.0.0.1 updates.symantec.com
127.0.0.1 us.mcafee.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 customer.symantec.com
127.0.0.1 rads.mcafee.com
127.0.0.1 trendmicro.com
127.0.0.1 www.trendmicro.com
127.0.0.1 www.grisoft.com
- Connects to an Internet Relay Chat (IRC) server and listens for commands that allow the remote attacker to perform any of the following actions:
- Run commands
- Retrieve files via FTP and HTTP
- Restart the computer
- Perform DoS attack
- Kill a particular process
- Get user information
- Add/delete user/service
- Scan the LAN
- Steal CD-Keys
- Act as a Keylogger
- Delete network shares
- Open a shell
- Steal information from PAYPAL.COM
- Sends HTTP POST messages containing large amounts of data to the following hosts:
- yahoo.co.jp
- www.nifty.com
- www.d1asia.com
- www.st.lib.keio.ac.jp
- www.lib.nthu.edu.tw
- www.above.net
- www.level3.com
- nitro.ucsc.edu
- www.burst.net
- www.cogentco.com
- www.rit.edu
- www.nocster.com
- www.verio.com
- www.stanford.edu
- www.xo.net
- de.yahoo.com
- www.belwue.de
- www.switch.ch
- www.1und1.de
- verio.fr
- www.utwente.nl
- www.schlund.net
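The host-based indicators above (the Bcvsrv autostart value, the srscast32.exe copy, and the HOSTS entries that blackhole vendor update sites) can be checked offline. The following script is an added example and is not part of the Fortinet analysis: the indicator values are taken from this page, the sample HOSTS text and registry export embedded in it are constructed, and the winreg reader is an assumed way to collect the same data from a live Windows host.

```python
"""Offline triage for the W32/AgoBot.fam!worm host indicators listed above.
Added example; indicator values come from the analysis, samples are constructed."""
import sys

# Hostnames the worm pins to loopback, copied from the analysis above.
AGOBOT_HOSTS = frozenset({
    "www.symantec.com", "securityresponse.symantec.com", "symantec.com",
    "www.sophos.com", "sophos.com", "www.mcafee.com", "mcafee.com",
    "liveupdate.symantecliveupdate.com", "www.viruslist.com", "viruslist.com",
    "f-secure.com", "www.f-secure.com", "kaspersky.com", "www.avp.com",
    "www.kaspersky.com", "avp.com", "www.networkassociates.com",
    "networkassociates.com", "www.ca.com", "ca.com", "mast.mcafee.com",
    "my-etrust.com", "www.my-etrust.com", "download.mcafee.com",
    "dispatch.mcafee.com", "secure.nai.com", "nai.com", "www.nai.com",
    "update.symantec.com", "updates.symantec.com", "us.mcafee.com",
    "liveupdate.symantec.com", "customer.symantec.com", "rads.mcafee.com",
    "trendmicro.com", "www.trendmicro.com", "www.grisoft.com",
})
AGOBOT_AUTORUN_VALUE = "Bcvsrv"              # value name under Run / RunServices
AGOBOT_BINARY = "srscast32.exe"              # copy dropped in the System folder
LOOPBACK = {"127.0.0.1", "0.0.0.0", "::1"}   # any of these blackholes a host
RUN_KEYS = (r"Software\Microsoft\Windows\CurrentVersion\Run",
            r"Software\Microsoft\Windows\CurrentVersion\RunServices")


def parse_hosts(text):
    """Yield (ip, hostname) pairs from HOSTS-file text; '#' starts a comment."""
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        for name in fields[1:]:
            yield fields[0], name.lower()


def find_hosts_tampering(text, blocklist=AGOBOT_HOSTS):
    """Blocklisted hostnames mapped to a loopback address, in order of first appearance."""
    hits = []
    for ip, name in parse_hosts(text):
        if ip in LOOPBACK and name in blocklist and name not in hits:
            hits.append(name)
    return hits


def clean_hosts(text, blocklist=AGOBOT_HOSTS):
    """Return the HOSTS text with the worm's lines removed. A line is dropped only
    if every hostname on it is blocklisted, so 'localhost' and admin entries survive."""
    kept = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if (len(fields) >= 2 and fields[0] in LOOPBACK
                and all(n.lower() in blocklist for n in fields[1:])):
            continue
        kept.append(raw)
    return "\n".join(kept) + ("\n" if text.endswith("\n") else "")


def find_autorun_persistence(run_values):
    """run_values maps a key path to {value_name: data}. Flag the worm's value
    name, or any data that references the dropped binary under another name."""
    hits = []
    for key, values in run_values.items():
        for name, data in values.items():
            if name == AGOBOT_AUTORUN_VALUE or AGOBOT_BINARY in str(data).lower():
                hits.append((key, name, data))
    return hits


def read_run_keys():
    """Read both autostart keys from a live Windows host (assumed collection
    method); returns {} elsewhere so the script still runs offline."""
    if sys.platform != "win32":
        return {}
    import winreg
    out = {}
    for sub in RUN_KEYS:
        try:
            key = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, sub)
        except OSError:
            continue  # RunServices only exists on Windows 9x-family systems
        values, i = {}, 0
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, i)
            except OSError:
                break
            values[name] = data
            i += 1
        out["HKLM\\" + sub] = values
    return out


# Constructed sample of a HOSTS file after infection (not captured data).
SAMPLE_HOSTS = """\
# constructed sample
127.0.0.1       localhost
10.0.0.5        intranet.corp.example   # legitimate admin entry
127.0.0.1 www.symantec.com
127.0.0.1 liveupdate.symantecliveupdate.com
127.0.0.1 www.kaspersky.com
127.0.0.1 www.grisoft.com
"""
# Constructed registry export in the shape read_run_keys() returns.
SAMPLE_RUN_KEYS = {
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run": {
        "Bcvsrv": "srscast32.exe",
        "SecurityHealth": r"C:\Windows\system32\SecurityHealthSystray.exe"},
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices": {
        "Bcvsrv": "srscast32.exe"},
}

if __name__ == "__main__":
    print("HOSTS tampering:", find_hosts_tampering(SAMPLE_HOSTS))
    print("Autostart hits:", find_autorun_persistence(read_run_keys() or SAMPLE_RUN_KEYS))
```

On a real host, feed the contents of %SystemRoot%\System32\drivers\etc\hosts to find_hosts_tampering and write clean_hosts output back only after confirming the flagged lines; the cleaner deliberately keeps any line that also carries a non-blocklisted name so it cannot strip an administrator's own entries.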
Recommended Action
FortiGate systems:
- Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option.
Patch
- Download and install the following patches:
- Remote Procedure Call (RPC) Distributed Component Object Model (DCOM) vulnerability: http://www.microsoft.com/technet/security/bulletin/MS03-026.mspx
- Windows Workstation Service Remote Buffer Overflow: http://www.microsoft.com/technet/security/bulletin/MS03-049.mspx
- Local Security Authority Subsystem Service (LSASS) Vulnerability: http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx