W32/AgoBot!worm
Analysis
- Copies itself to the System folder as the following:
- msiwin84.exe
- Microsoft.exe
- WinMsrv32.exe
- soundcontrl.exe
- msawindows.exe
Autostart Mechanism
- Adds one of these values:
Microsoft Update = "msiwin84.exe"
to the following registry subkeys:
Microsoft Update = "Microsoft.exe"
WinMsrv32 = "WinMsrv32.exe"
soundcontrl = "soundcontrl.exe"
Microsoft Update = "msawindows.exe"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
Network Propagation
- Attempts to propagate to other systems by sending itself through the backdoor ports that are opened by the Bagle and Mydoom family of worms.
- Exploits the following vulnerabilities:
- Microsoft Remote Procedure Call (RPC) Distrubuted Component Object Model (DCOM) Vulnerability
- Windows Workstation Service Remote Buffer Overflow
- Microsoft Windows Local Security Authority Subsystem Service (LSASS) Vulnerability
Backdoor and/or Trojan Behavior
- Attempts to terminate certain processes, some of which may be security related, such as:
- irun4.exe
- Ssate.exe
- i11r54n4.exe
- winsys.exessgrate.exe
- d3dupdate.exe
- bbeagle.exerate.exe
- _AVP32.EXE
- _AVPCC.EXE
- _AVPM.EXE
- ACKWIN32.EXE
- ADAWARE.EXE
- ADVXDWIN.EXE
- AGENTSVR.EXE
- AGENTW.EXE
- ALERTSVC.EXE
- ALEVIR.EXE
- ALOGSERV.EXE
- AMON9X.EXE
- ANTI-TROJAN.EXE
- ANTIVIRUS.EXE
- ANTS.EXE
- APIMONITOR.EXE
- APLICA32.EXE
- APVXDWIN.EXE
- ARR.EXE
- ATCON.EXE
- ATGUARD.EXE
- ATRO55EN.EXE
- ATUPDATER.EXE
- ATWATCH.EXE
- AU.EXE
- AUPDATE.EXE
- AUTO-PROTECT.NAV80TRY.EXE
- AUTODOWN.EXE
- AUTOTRACE.EXE
- AUTOUPDATE.EXE
- AVCONSOL.EXE
- AVE32.EXE
- AVGCC32.EXE
- AVGCTRL.EXE
- AVGNT.EXE
- AVGSERV.EXE
- AVGSERV9.EXE
- AVGUARD.EXE
- AVGW.EXE
- AVKPOP.EXE
- AVKSERV.EXE
- AVKSERVICE.EXE
- AVKWCTl9.EXE
- AVLTMAIN.EXE
- AVNT.EXE
- AVP.EXE
- AVP32.EXE
- AVPCC.EXE
- AVPDOS32.EXE
- AVPM.EXE
- AVPTC32.EXE
- AVPUPD.EXE
- AVSCHED32.EXE
- AVSYNMGR.EXE
- AVWIN95.EXE
- AVWINNT.EXE
- AVWUPD.EXE
- AVWUPD32.EXE
- AVWUPSRV.EXE
- AVXMONITOR9X.EXE
- AVXMONITORNT.EXE
- AVXQUAR.EXE
- BACKWEB.EXE
- BARGAINS.EXE
- BD_PROFESSIONAL.EXE
- BEAGLE.EXE
- BELT.EXE
- BIDEF.EXE
- BIDSERVER.EXE
- BIPCP.EXE
- BIPCPEVALSETUP.EXE
- BISP.EXE
- BLACKD.EXE
- BLACKICE.EXE
- BLSS.EXE
- BOOTCONF.EXE
- BOOTWARN.EXE
- BORG2.EXE
- BPC.EXE
- BRASIL.EXE
- BS120.EXE
- BUNDLE.EXE
- BVT.EXE
- CCAPP.EXE
- CCEVTMGR.EXE
- CCPXYSVC.EXE
- CDP.EXE
- CFD.EXE
- CFGWIZ.EXE
- CFIADMIN.EXE
- CFIAUDIT.EXE
- CFINET.EXE
- CFINET32.EXE
- Claw95.EXE
- CLAW95CF.EXE
- CLEAN.EXE
- CLEANER.EXE
- CLEANER3.EXE
- CLEANPC.EXE
- CLICK.EXE
- CMD32.EXE
- CMESYS.EXE
- CMGRDIAN.EXE
- CMON016.EXE
- CONNECTIONMONITOR.EXE
- CPD.EXE
- CPF9X206.EXE
- CPFNT206.EXE
- CTRL.EXE
- CV.EXE
- CWNB181.EXE
- CWNTDWMO.EXE
- DATEMANAGER.EXE
- DCOMX.EXE
- DEFALERT.EXE
- DEFSCANGUI.EXE
- DEFWATCH.EXE
- DEPUTY.EXE
- DIVX.EXE
- DLLCACHE.EXE
- DLLREG.EXE
- DOORS.EXE
- DPF.EXE
- DPFSETUP.EXE
- DPPS2.EXE
- DRWATSON.EXE
- DRWEB32.EXE
- DRWEBUPW.EXE
- DSSAGENT.EXE
- DVP95.EXE
- DVP95_0.EXE
- ECENGINE.EXE
- EFPEADM.EXE
- EMSW.EXE
- ENT.EXE
- ESAFE.EXE
- ESCANH95.EXE
- ESCANHNT.EXE
- ESCANV95.EXE
- ESPWATCH.EXE
- ETHEREAL.EXE
- ETRUSTCIPE.EXE
- EVPN.EXE
- EXANTIVIRUS-CNET.EXE
- EXE.AVXW.EXE
- EXPERT.EXE
- EXPLORE.EXE
- F-AGNT95.EXE
- F-PROT.EXE
- F-PROT95.EXE
- F-STOPW.EXE
- FAMEH32.EXE
- FAST.EXE
- FCH32.EXE
- FIH32.EXE
- FINDVIRU.EXE
- FIREWALL.EXE
- FLOWPROTECTOR.EXE
- FNRB32.EXE
- FP-WIN.EXE
- FP-WIN_TRIAL.EXE
- FPROT.EXE
- FRW.EXE
- FSAA.EXE
- FSAV.EXE
- FSAV32.EXE
- FSAV530STBYB.EXE
- FSAV530WTBYB.EXE
- FSAV95.EXE
- FSGK32.EXE
- FSM32.EXE
- FSMA32.EXE
- FSMB32.EXE
- GATOR.EXE
- GBMENU.EXE
- GBPOLL.EXE
- GENERICS.EXE
- GMT.EXE
- GUARD.EXE
- GUARDDOG.EXE
- HACKTRACERSETUP.EXE
- HBINST.EXE
- HBSRV.EXE
- HOTACTIO.EXE
- HOTPATCH.EXE
- HTLOG.EXE
- HTPATCH.EXE
- HWPE.EXE
- HXDL.EXE
- HXIUL.EXE
- IAMAPP.EXE
- IAMSERV.EXE
- IAMSTATS.EXE
- IBMASN.EXE
- IBMAVSP.EXE
- ICLOAD95.EXE
- ICLOADNT.EXE
- ICMON.EXE
- ICSUPP95.EXE
- ICSUPPNT.EXE
- IDLE.EXE
- IEDLL.EXE
- IEDRIVER.EXE
- IEXPLORER.EXE
- IFACE.EXE
- IFW2000.EXE
- INETLNFO.EXE
- INFUS.EXE
- INFWIN.EXE
- INIT.EXE
- INTDEL.EXE
- INTREN.EXE
- IOMON98.EXE
- IPARMOR.EXE
- IRIS.EXE
- ISASS.EXE
- ISRV95.EXE
- ISTSVC.EXE
- JAMMER.EXE
- JDBGMRG.EXE
- JEDI.EXE
- KAVLITE40ENG.EXE
- KAVPERS40ENG.EXE
- KAVPF.EXE
- KAZZA.EXE
- KEENVALUE.EXE
- KERIO-PF-213-EN-WIN.EXE
- KERIO-WRL-421-EN-WIN.EXE
- KERIO-WRP-421-EN-WIN.EXE
- KERNEL32.EXE
- KILLPROCESSSETUP161.EXE
- LAUNCHER.EXE
- LDNETMON.EXE
- LDPRO.EXE
- LDPROMENU.EXE
- LDSCAN.EXE
- LNETINFO.EXE
- LOADER.EXE
- LOCALNET.EXE
- LOCKDOWN.EXE
- LOCKDOWN2000.EXE
- LOOKOUT.EXE
- LORDPE.EXE
- LSETUP.EXE
- LUALL.EXE
- LUAU.EXE
- LUCOMSERVER.EXE
- LUINIT.EXE
- LUSPT.EXE
- MAPISVC32.EXE
- MCAGENT.EXE
- MCMNHDLR.EXE
- MCSHIELD.EXE
- MCTOOL.EXE
- MCUPDATE.EXE
- MCVSRTE.EXE
- MCVSSHLD.EXE
- MD.EXE
- MFIN32.EXE
- MFW2EN.EXE
- MFWENG3.02D30.EXE
- MGAVRTCL.EXE
- MGAVRTE.EXE
- MGHTML.EXE
- MGUI.EXE
- MINILOG.EXE
- MMOD.EXE
- MONITOR.EXE
- MOOLIVE.EXE
- MOSTAT.EXE
- MPFAGENT.EXE
- MPFSERVICE.EXE
- MPFTRAY.EXE
- MRFLUX.EXE
- MSAPP.EXE
- MSBB.EXE
- MSBLAST.EXE
- MSCACHE.EXE
- MSCCN32.EXE
- MSCMAN.EXE
- MSCONFIG.EXE
- MSDM.EXE
- MSDOS.EXE
- MSIEXEC16.EXE
- MSINFO32.EXE
- MSLAUGH.EXE
- MSMGT.EXE
- MSMSGRI32.EXE
- MSSMMC32.EXE
- MSSYS.EXE
- MSVXD.EXE
- MU0311AD.EXE
- MWATCH.EXE
- N32SCANW.EXE
- NAV.EXE
- NAVAP.NAVAPSVC.EXE
- NAVAPSVC.EXE
- NAVAPW32.EXE
- NAVDX.EXE
- NAVENGNAVEX15.NAVLU32.EXE
- NAVLU32.EXE
- NAVNT.EXE
- NAVSTUB.EXE
- NAVW32.EXE
- NAVWNT.EXE
- NC2000.EXE
- NCINST4.EXE
- NDD32.EXE
- NEOMONITOR.EXE
- NEOWATCHLOG.EXE
- NETARMOR.EXE
- NETD32.EXE
- NETINFO.EXE
- NETMON.EXE
- NETSCANPRO.EXE
- NETSPYHUNTER-1.2.EXE
- NETSTAT.EXE
- NETUTILS.EXE
- NISSERV.EXE
- NISUM.EXE
- NMAIN.EXE
- NOD32.EXE
- NORMIST.EXE
- NORTON_INTERNET_SECU_3.0_407.EXE
- NOTSTART.EXE
- NPF40_TW_98_NT_ME_2K.EXE
- NPFMESSENGER.EXE
- NPROTECT.EXE
- NPSCHECK.EXE
- NPSSVC.EXE
- NSCHED32.EXE
- NSSYS32.EXE
- NSTASK32.EXE
- NSUPDATE.EXE
- NT.EXE
- NTRTSCAN.EXE
- NTVDM.EXE
- NTXconfig.EXE
- NUI.EXE
- NUPGRADE.EXE
- NVARCH16.EXE
- NVC95.EXE
- NVSVC32.EXE
- NWINST4.EXE
- NWSERVICE.EXE
- NWTOOL16.EXE
- OLLYDBG.EXE
- ONSRVR.EXE
- OPTIMIZE.EXE
- OSTRONET.EXE
- OTFIX.EXE
- OUTPOST.EXE
- OUTPOSTINSTALL.EXE
- OUTPOSTPROINSTALL.EXE
- PADMIN.EXE
- PANIXK.EXE
- PATCH.EXE
- PAVCL.EXE
- PAVPROXY.EXE
- PAVSCHED.EXE
- PAVW.EXE
- PCC2002S902.EXE
- PCC2K_76_1436.EXE
- PCCIOMON.EXE
- PCCNTMON.EXE
- PCCWIN97.EXE
- PCCWIN98.EXE
- PCDSETUP.EXE
- PCFWALLICON.EXE
- PCIP10117_0.EXE
- PCSCAN.EXE
- PDSETUP.EXE
- PENIS.EXE
- PERISCOPE.EXE
- PERSFW.EXE
- PERSWF.EXE
- PF2.EXE
- PFWADMIN.EXE
- PGMONITR.EXE
- PINGSCAN.EXE
- PLATIN.EXE
- POP3TRAP.EXE
- POPROXY.EXE
- POPSCAN.EXE
- PORTDETECTIVE.EXE
- PORTMONITOR.EXE
- POWERSCAN.EXE
- PPINUPDT.EXE
- PPTBC.EXE
- PPVSTOP.EXE
- PRIZESURFER.EXE
- PRMT.EXE
- PRMVR.EXE
- PROCDUMP.EXE
- PROCESSMONITOR.EXE
- PROCEXPLORERV1.0.EXE
- PROGRAMAUDITOR.EXE
- PROPORT.EXE
- PROTECTX.EXE
- PSPF.EXE
- PURGE.EXE
- PUSSY.EXE
- PVIEW95.EXE
- QCONSOLE.EXE
- QSERVER.EXE
- RAPAPP.EXE
- RAV7.EXE
- RAV7WIN.EXE
- RAV8WIN32ENG.EXE
- RAY.EXE
- RB32.EXE
- RCSYNC.EXE
- REALMON.EXE
- REGED.EXE
- REGEDIT.EXE
- REGEDT32.EXE
- RESCUE.EXE
- RESCUE32.EXE
- RRGUARD.EXE
- RSHELL.EXE
- RTVSCAN.EXE
- RTVSCN95.EXE
- RULAUNCH.EXE
- RUN32DLL.EXE
- RUNDLL16.EXE
- RUXDLL32.EXE
- SAFEWEB.EXE
- SAHAGENT.EXE
- SAVE.EXE
- SAVENOW.EXE
- SBSERV.EXE
- SC.EXE
- SCAM32.EXE
- SCAN32.EXE
- SCAN95.EXE
- SCANPM.EXE
- SCRSCAN.EXE
- SCRSVR.EXE
- SCVHOST.EXE
- SD.EXE
- SERV95.EXE
- SERVICE.EXE
- SERVLCE.EXE
- SERVLCES.EXE
- SETUP_FLOWPROTECTOR_US.EXE
- SETUPVAMEEVAL.EXE
- SFC.EXE
- SGSSFW32.EXE
- SH.EXE
- SHELLSPYINSTALL.EXE
- SHN.EXE
- SHOWBEHIND.EXE
- SMC.EXE
- SMS.EXE
- SMSS32.EXE
- SOAP.EXE
- SOFI.EXE
- SPERM.EXE
- SPF.EXE
- SPHINX.EXE
- SPOLER.EXE
- SPOOLCV.EXE
- SPOOLSV32.EXE
- SPYXX.EXE
- SREXE.EXE
- SRNG.EXE
- SS3EDIT.EXE
- SSG_4104.EXE
- SSGRATE.EXE
- ST2.EXE
- START.EXE
- STCLOADER.EXE
- SUPFTRL.EXE
- SUPPORT.EXE
- SUPPORTER5.EXE
- SVC.EXE
- SVCHOSTC.EXE
- SVCHOSTS.EXE
- SVSHOST.EXE
- SWEEP95.EXE
- SWEEPNET.SWEEPSRV.SYS.SWNETSUP.EXE
- SYMPROXYSVC.EXE
- SYMTRAY.EXE
- SYSEDIT.EXE
- SYSTEM.EXE
- SYSTEM32.EXE
- SYSUPD.EXE
- TASKMG.EXE
- TASKMO.EXE
- TASKMON.EXE
- TAUMON.EXE
- TBSCAN.EXE
- TC.EXE
- TCA.EXE
- TCM.EXE
- TDS-3.EXE
- TDS2-98.EXE
- TDS2-NT.EXE
- TEEKIDS.EXE
- TFAK.EXE
- TFAK5.EXE
- TGBOB.EXE
- TITANIN.EXE
- TITANINXP.EXE
- TRACERT.EXE
- TRICKLER.EXE
- TRJSCAN.EXE
- TRJSETUP.EXE
- TROJANTRAP3.EXE
- TSADBOT.EXE
- TVMD.EXE
- TVTMD.EXE
- UNDOBOOT.EXE
- UPDAT.EXE
- UPDATE.EXE
- UPGRAD.EXE
- UTPOST.EXE
- VBCMSERV.EXE
- VBCONS.EXE
- VBUST.EXE
- VBWIN9X.EXE
- VBWINNTW.EXE
- VCSETUP.EXE
- VET32.EXE
- VET95.EXE
- VETTRAY.EXE
- VFSETUP.EXE
- VIR-HELP.EXE
- VIRUSMDPERSONALFIREWALL.EXE
- VNLAN300.EXE
- VNPC3000.EXE
- VPC32.EXE
- VPC42.EXE
- VPFW30S.EXE
- VPTRAY.EXE
- VSCAN40.EXE
- VSCENU6.02D30.EXE
- VSCHED.EXE
- VSECOMR.EXE
- VSHWIN32.EXE
- VSISETUP.EXE
- VSMAIN.EXE
- VSMON.EXE
- VSSTAT.EXE
- VSWIN9XE.EXE
- VSWINNTSE.EXE
- VSWINPERSE.EXE
- W32DSM89.EXE
- W9X.EXE
- WATCHDOG.EXE
- WEBDAV.EXE
- WEBSCANX.EXE
- WEBTRAP.EXE
- WFINDV32.EXE
- WGFE95.EXE
- WHOSWATCHINGME.EXE
- WIMMUN32.EXE
- WIN-BUGSFIX.EXE
- WIN32.EXE
- WIN32US.EXE
- WINACTIVE.EXE
- WINDOW.EXE
- WINDOWS.EXE
- WININETD.EXE
- WININIT.EXE
- WININITX.EXE
- WINLOGIN.EXE
- WINMAIN.EXE
- WINNET.EXE
- WINPPR32.EXE
- WINRECON.EXE
- WINSERVN.EXE
- WINSSK32.EXE
- WINSTART.EXE
- WINSTART001.EXE
- WINTSK32.EXE
- WINUPDATE.EXE
- WKUFIND.EXE
- WNAD.EXE
- WNT.EXE
- WRADMIN.EXE
- WRCTRL.EXE
- WSBGATE.EXE
- WUPDATER.EXE
- WUPDT.EXE
- WYVERNWORKSFIREWALL.EXE
- XPF202EN.EXE
- ZAPRO.EXE
- ZAPSETUP3001.EXE
- ZATUTOR.EXE
- ZONALM2601.EXE
- ZONEALARM.EXE
- Sends HTTP POST messages containing large amounts of data (250 KB per POST message) to the following hosts:
- www.ryan1918.net
- www.ryan1918.org
- www.ryan1918.com
- yahoo.co.jp
- www.nifty.com
- www.d1asia.com
- www.st.lib.keio.ac.jp
- www.lib.nthu.edu.tw
- www.above.net
- www.level3.com
- nitro.ucsc.edu
- www.burst.net
- www.cogentco.com
- www.rit.edu
- www.nocster.com
- www.verio.com
- www.stanford.edu
- www.xo.net
- de.yahoo.com
- www.belwue.de
- www.switch.ch
- www.1und1.deverio.fr
- www.utwente.nl
- www.schlund.net
- Connects to a remote IRC server and awaits commands from the remote attacker. The backdoor allows the attacker to perform the following actions on a compromised system:
- Run commands
- Retrieve files via FTP and HTTP
- Retrieve data from the registry
- Restart the computer
- List processes
- Kill a particular process
- Terminate Windows services
- Perform HTTP, ICMP, SYN, and UDP floods
- Retrieve email addresses stored on the computer
- Retrieve a list of email addresses via HTTP
- Retrieve a given URL
- Sniff HTTP, FTP, and IRC traffic
- Steal the Windows product ID and the CD keys of various video games
- Prevents the infected system from connecting to update servers and various other security related web pages by adding the following to the local HOSTS file:
127.0.0.1 www.symantec.com
127.0.0.1 securityresponse.symantec.com
127.0.0.1 symantec.com
127.0.0.1 www.sophos.com
127.0.0.1 sophos.com
127.0.0.1 www.mcafee.com
127.0.0.1 mcafee.com
127.0.0.1 liveupdate.symantecliveupdate.com
127.0.0.1 www.viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 f-secure.com
127.0.0.1 www.f-secure.com
127.0.0.1 kaspersky.com
127.0.0.1 kaspersky-labs.com
127.0.0.1 www.avp.com
127.0.0.1 www.kaspersky.com
127.0.0.1 avp.com
127.0.0.1 www.networkassociates.com
127.0.0.1 networkassociates.com
127.0.0.1 www.ca.com
127.0.0.1 ca.com
127.0.0.1 mast.mcafee.com
127.0.0.1 my-etrust.com
127.0.0.1 www.my-etrust.com
127.0.0.1 download.mcafee.com
127.0.0.1 dispatch.mcafee.com
127.0.0.1 secure.nai.com
127.0.0.1 nai.com
127.0.0.1 www.nai.com
127.0.0.1 update.symantec.com
127.0.0.1 updates.symantec.com
127.0.0.1 us.mcafee.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 customer.symantec.com
127.0.0.1 rads.mcafee.com
127.0.0.1 trendmicro.com
127.0.0.1 www.trendmicro.com
127.0.0.1 www.grisoft.com
Recommended Action
-
FortiGate systems:
- Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option.
Patch
- Download and install the following patches:
- Remote Procedure Call (RPC) Distributed Component Object Model (DCOM) vulnerability: http://www.microsoft.com/technet/security/bulletin/MS03-026.mspx
- Windows Workstation Service Remote Buffer Overflow: http://www.microsoft.com/technet/security/bulletin/MS03-049.mspx
- Local Security Authority Subsystem Service (LSASS) Vulnerability: http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx
Telemetry
Detection Availability
FortiGate | |
---|---|
Extended | |
FortiClient | |
FortiMail | |
FortiSandbox | |
FortiWeb | |
Web Application Firewall | |
FortiIsolator | |
FortiDeceptor | |
FortiEDR |