W32/AgoBot!worm

description-logoAnalysis

  • Copies itself to the System folder as the following:
    • msiwin84.exe
    • Microsoft.exe
    • WinMsrv32.exe
    • soundcontrl.exe
    • msawindows.exe

    Autostart Mechanism
  • Adds one of these values:
    Microsoft Update = "msiwin84.exe"
    Microsoft Update = "Microsoft.exe"
    WinMsrv32 = "WinMsrv32.exe"
    soundcontrl = "soundcontrl.exe"
    Microsoft Update = "msawindows.exe"
    to the following registry subkeys:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices

    Network Propagation
  • Attempts to propagate to other systems by sending itself through the backdoor ports that are opened by the Bagle and Mydoom family of worms.
  • Exploits the following vulnerabilities:

    Backdoor and/or Trojan Behavior
  • Attempts to terminate certain processes, some of which may be security related, such as:
    • irun4.exe
    • Ssate.exe
    • i11r54n4.exe
    • winsys.exessgrate.exe
    • d3dupdate.exe
    • bbeagle.exerate.exe
    • _AVP32.EXE
    • _AVPCC.EXE
    • _AVPM.EXE
    • ACKWIN32.EXE
    • ADAWARE.EXE
    • ADVXDWIN.EXE
    • AGENTSVR.EXE
    • AGENTW.EXE
    • ALERTSVC.EXE
    • ALEVIR.EXE
    • ALOGSERV.EXE
    • AMON9X.EXE
    • ANTI-TROJAN.EXE
    • ANTIVIRUS.EXE
    • ANTS.EXE
    • APIMONITOR.EXE
    • APLICA32.EXE
    • APVXDWIN.EXE
    • ARR.EXE
    • ATCON.EXE
    • ATGUARD.EXE
    • ATRO55EN.EXE
    • ATUPDATER.EXE
    • ATWATCH.EXE
    • AU.EXE
    • AUPDATE.EXE
    • AUTO-PROTECT.NAV80TRY.EXE
    • AUTODOWN.EXE
    • AUTOTRACE.EXE
    • AUTOUPDATE.EXE
    • AVCONSOL.EXE
    • AVE32.EXE
    • AVGCC32.EXE
    • AVGCTRL.EXE
    • AVGNT.EXE
    • AVGSERV.EXE
    • AVGSERV9.EXE
    • AVGUARD.EXE
    • AVGW.EXE
    • AVKPOP.EXE
    • AVKSERV.EXE
    • AVKSERVICE.EXE
    • AVKWCTl9.EXE
    • AVLTMAIN.EXE
    • AVNT.EXE
    • AVP.EXE
    • AVP32.EXE
    • AVPCC.EXE
    • AVPDOS32.EXE
    • AVPM.EXE
    • AVPTC32.EXE
    • AVPUPD.EXE
    • AVSCHED32.EXE
    • AVSYNMGR.EXE
    • AVWIN95.EXE
    • AVWINNT.EXE
    • AVWUPD.EXE
    • AVWUPD32.EXE
    • AVWUPSRV.EXE
    • AVXMONITOR9X.EXE
    • AVXMONITORNT.EXE
    • AVXQUAR.EXE
    • BACKWEB.EXE
    • BARGAINS.EXE
    • BD_PROFESSIONAL.EXE
    • BEAGLE.EXE
    • BELT.EXE
    • BIDEF.EXE
    • BIDSERVER.EXE
    • BIPCP.EXE
    • BIPCPEVALSETUP.EXE
    • BISP.EXE
    • BLACKD.EXE
    • BLACKICE.EXE
    • BLSS.EXE
    • BOOTCONF.EXE
    • BOOTWARN.EXE
    • BORG2.EXE
    • BPC.EXE
    • BRASIL.EXE
    • BS120.EXE
    • BUNDLE.EXE
    • BVT.EXE
    • CCAPP.EXE
    • CCEVTMGR.EXE
    • CCPXYSVC.EXE
    • CDP.EXE
    • CFD.EXE
    • CFGWIZ.EXE
    • CFIADMIN.EXE
    • CFIAUDIT.EXE
    • CFINET.EXE
    • CFINET32.EXE
    • Claw95.EXE
    • CLAW95CF.EXE
    • CLEAN.EXE
    • CLEANER.EXE
    • CLEANER3.EXE
    • CLEANPC.EXE
    • CLICK.EXE
    • CMD32.EXE
    • CMESYS.EXE
    • CMGRDIAN.EXE
    • CMON016.EXE
    • CONNECTIONMONITOR.EXE
    • CPD.EXE
    • CPF9X206.EXE
    • CPFNT206.EXE
    • CTRL.EXE
    • CV.EXE
    • CWNB181.EXE
    • CWNTDWMO.EXE
    • DATEMANAGER.EXE
    • DCOMX.EXE
    • DEFALERT.EXE
    • DEFSCANGUI.EXE
    • DEFWATCH.EXE
    • DEPUTY.EXE
    • DIVX.EXE
    • DLLCACHE.EXE
    • DLLREG.EXE
    • DOORS.EXE
    • DPF.EXE
    • DPFSETUP.EXE
    • DPPS2.EXE
    • DRWATSON.EXE
    • DRWEB32.EXE
    • DRWEBUPW.EXE
    • DSSAGENT.EXE
    • DVP95.EXE
    • DVP95_0.EXE
    • ECENGINE.EXE
    • EFPEADM.EXE
    • EMSW.EXE
    • ENT.EXE
    • ESAFE.EXE
    • ESCANH95.EXE
    • ESCANHNT.EXE
    • ESCANV95.EXE
    • ESPWATCH.EXE
    • ETHEREAL.EXE
    • ETRUSTCIPE.EXE
    • EVPN.EXE
    • EXANTIVIRUS-CNET.EXE
    • EXE.AVXW.EXE
    • EXPERT.EXE
    • EXPLORE.EXE
    • F-AGNT95.EXE
    • F-PROT.EXE
    • F-PROT95.EXE
    • F-STOPW.EXE
    • FAMEH32.EXE
    • FAST.EXE
    • FCH32.EXE
    • FIH32.EXE
    • FINDVIRU.EXE
    • FIREWALL.EXE
    • FLOWPROTECTOR.EXE
    • FNRB32.EXE
    • FP-WIN.EXE
    • FP-WIN_TRIAL.EXE
    • FPROT.EXE
    • FRW.EXE
    • FSAA.EXE
    • FSAV.EXE
    • FSAV32.EXE
    • FSAV530STBYB.EXE
    • FSAV530WTBYB.EXE
    • FSAV95.EXE
    • FSGK32.EXE
    • FSM32.EXE
    • FSMA32.EXE
    • FSMB32.EXE
    • GATOR.EXE
    • GBMENU.EXE
    • GBPOLL.EXE
    • GENERICS.EXE
    • GMT.EXE
    • GUARD.EXE
    • GUARDDOG.EXE
    • HACKTRACERSETUP.EXE
    • HBINST.EXE
    • HBSRV.EXE
    • HOTACTIO.EXE
    • HOTPATCH.EXE
    • HTLOG.EXE
    • HTPATCH.EXE
    • HWPE.EXE
    • HXDL.EXE
    • HXIUL.EXE
    • IAMAPP.EXE
    • IAMSERV.EXE
    • IAMSTATS.EXE
    • IBMASN.EXE
    • IBMAVSP.EXE
    • ICLOAD95.EXE
    • ICLOADNT.EXE
    • ICMON.EXE
    • ICSUPP95.EXE
    • ICSUPPNT.EXE
    • IDLE.EXE
    • IEDLL.EXE
    • IEDRIVER.EXE
    • IEXPLORER.EXE
    • IFACE.EXE
    • IFW2000.EXE
    • INETLNFO.EXE
    • INFUS.EXE
    • INFWIN.EXE
    • INIT.EXE
    • INTDEL.EXE
    • INTREN.EXE
    • IOMON98.EXE
    • IPARMOR.EXE
    • IRIS.EXE
    • ISASS.EXE
    • ISRV95.EXE
    • ISTSVC.EXE
    • JAMMER.EXE
    • JDBGMRG.EXE
    • JEDI.EXE
    • KAVLITE40ENG.EXE
    • KAVPERS40ENG.EXE
    • KAVPF.EXE
    • KAZZA.EXE
    • KEENVALUE.EXE
    • KERIO-PF-213-EN-WIN.EXE
    • KERIO-WRL-421-EN-WIN.EXE
    • KERIO-WRP-421-EN-WIN.EXE
    • KERNEL32.EXE
    • KILLPROCESSSETUP161.EXE
    • LAUNCHER.EXE
    • LDNETMON.EXE
    • LDPRO.EXE
    • LDPROMENU.EXE
    • LDSCAN.EXE
    • LNETINFO.EXE
    • LOADER.EXE
    • LOCALNET.EXE
    • LOCKDOWN.EXE
    • LOCKDOWN2000.EXE
    • LOOKOUT.EXE
    • LORDPE.EXE
    • LSETUP.EXE
    • LUALL.EXE
    • LUAU.EXE
    • LUCOMSERVER.EXE
    • LUINIT.EXE
    • LUSPT.EXE
    • MAPISVC32.EXE
    • MCAGENT.EXE
    • MCMNHDLR.EXE
    • MCSHIELD.EXE
    • MCTOOL.EXE
    • MCUPDATE.EXE
    • MCVSRTE.EXE
    • MCVSSHLD.EXE
    • MD.EXE
    • MFIN32.EXE
    • MFW2EN.EXE
    • MFWENG3.02D30.EXE
    • MGAVRTCL.EXE
    • MGAVRTE.EXE
    • MGHTML.EXE
    • MGUI.EXE
    • MINILOG.EXE
    • MMOD.EXE
    • MONITOR.EXE
    • MOOLIVE.EXE
    • MOSTAT.EXE
    • MPFAGENT.EXE
    • MPFSERVICE.EXE
    • MPFTRAY.EXE
    • MRFLUX.EXE
    • MSAPP.EXE
    • MSBB.EXE
    • MSBLAST.EXE
    • MSCACHE.EXE
    • MSCCN32.EXE
    • MSCMAN.EXE
    • MSCONFIG.EXE
    • MSDM.EXE
    • MSDOS.EXE
    • MSIEXEC16.EXE
    • MSINFO32.EXE
    • MSLAUGH.EXE
    • MSMGT.EXE
    • MSMSGRI32.EXE
    • MSSMMC32.EXE
    • MSSYS.EXE
    • MSVXD.EXE
    • MU0311AD.EXE
    • MWATCH.EXE
    • N32SCANW.EXE
    • NAV.EXE
    • NAVAP.NAVAPSVC.EXE
    • NAVAPSVC.EXE
    • NAVAPW32.EXE
    • NAVDX.EXE
    • NAVENGNAVEX15.NAVLU32.EXE
    • NAVLU32.EXE
    • NAVNT.EXE
    • NAVSTUB.EXE
    • NAVW32.EXE
    • NAVWNT.EXE
    • NC2000.EXE
    • NCINST4.EXE
    • NDD32.EXE
    • NEOMONITOR.EXE
    • NEOWATCHLOG.EXE
    • NETARMOR.EXE
    • NETD32.EXE
    • NETINFO.EXE
    • NETMON.EXE
    • NETSCANPRO.EXE
    • NETSPYHUNTER-1.2.EXE
    • NETSTAT.EXE
    • NETUTILS.EXE
    • NISSERV.EXE
    • NISUM.EXE
    • NMAIN.EXE
    • NOD32.EXE
    • NORMIST.EXE
    • NORTON_INTERNET_SECU_3.0_407.EXE
    • NOTSTART.EXE
    • NPF40_TW_98_NT_ME_2K.EXE
    • NPFMESSENGER.EXE
    • NPROTECT.EXE
    • NPSCHECK.EXE
    • NPSSVC.EXE
    • NSCHED32.EXE
    • NSSYS32.EXE
    • NSTASK32.EXE
    • NSUPDATE.EXE
    • NT.EXE
    • NTRTSCAN.EXE
    • NTVDM.EXE
    • NTXconfig.EXE
    • NUI.EXE
    • NUPGRADE.EXE
    • NVARCH16.EXE
    • NVC95.EXE
    • NVSVC32.EXE
    • NWINST4.EXE
    • NWSERVICE.EXE
    • NWTOOL16.EXE
    • OLLYDBG.EXE
    • ONSRVR.EXE
    • OPTIMIZE.EXE
    • OSTRONET.EXE
    • OTFIX.EXE
    • OUTPOST.EXE
    • OUTPOSTINSTALL.EXE
    • OUTPOSTPROINSTALL.EXE
    • PADMIN.EXE
    • PANIXK.EXE
    • PATCH.EXE
    • PAVCL.EXE
    • PAVPROXY.EXE
    • PAVSCHED.EXE
    • PAVW.EXE
    • PCC2002S902.EXE
    • PCC2K_76_1436.EXE
    • PCCIOMON.EXE
    • PCCNTMON.EXE
    • PCCWIN97.EXE
    • PCCWIN98.EXE
    • PCDSETUP.EXE
    • PCFWALLICON.EXE
    • PCIP10117_0.EXE
    • PCSCAN.EXE
    • PDSETUP.EXE
    • PENIS.EXE
    • PERISCOPE.EXE
    • PERSFW.EXE
    • PERSWF.EXE
    • PF2.EXE
    • PFWADMIN.EXE
    • PGMONITR.EXE
    • PINGSCAN.EXE
    • PLATIN.EXE
    • POP3TRAP.EXE
    • POPROXY.EXE
    • POPSCAN.EXE
    • PORTDETECTIVE.EXE
    • PORTMONITOR.EXE
    • POWERSCAN.EXE
    • PPINUPDT.EXE
    • PPTBC.EXE
    • PPVSTOP.EXE
    • PRIZESURFER.EXE
    • PRMT.EXE
    • PRMVR.EXE
    • PROCDUMP.EXE
    • PROCESSMONITOR.EXE
    • PROCEXPLORERV1.0.EXE
    • PROGRAMAUDITOR.EXE
    • PROPORT.EXE
    • PROTECTX.EXE
    • PSPF.EXE
    • PURGE.EXE
    • PUSSY.EXE
    • PVIEW95.EXE
    • QCONSOLE.EXE
    • QSERVER.EXE
    • RAPAPP.EXE
    • RAV7.EXE
    • RAV7WIN.EXE
    • RAV8WIN32ENG.EXE
    • RAY.EXE
    • RB32.EXE
    • RCSYNC.EXE
    • REALMON.EXE
    • REGED.EXE
    • REGEDIT.EXE
    • REGEDT32.EXE
    • RESCUE.EXE
    • RESCUE32.EXE
    • RRGUARD.EXE
    • RSHELL.EXE
    • RTVSCAN.EXE
    • RTVSCN95.EXE
    • RULAUNCH.EXE
    • RUN32DLL.EXE
    • RUNDLL16.EXE
    • RUXDLL32.EXE
    • SAFEWEB.EXE
    • SAHAGENT.EXE
    • SAVE.EXE
    • SAVENOW.EXE
    • SBSERV.EXE
    • SC.EXE
    • SCAM32.EXE
    • SCAN32.EXE
    • SCAN95.EXE
    • SCANPM.EXE
    • SCRSCAN.EXE
    • SCRSVR.EXE
    • SCVHOST.EXE
    • SD.EXE
    • SERV95.EXE
    • SERVICE.EXE
    • SERVLCE.EXE
    • SERVLCES.EXE
    • SETUP_FLOWPROTECTOR_US.EXE
    • SETUPVAMEEVAL.EXE
    • SFC.EXE
    • SGSSFW32.EXE
    • SH.EXE
    • SHELLSPYINSTALL.EXE
    • SHN.EXE
    • SHOWBEHIND.EXE
    • SMC.EXE
    • SMS.EXE
    • SMSS32.EXE
    • SOAP.EXE
    • SOFI.EXE
    • SPERM.EXE
    • SPF.EXE
    • SPHINX.EXE
    • SPOLER.EXE
    • SPOOLCV.EXE
    • SPOOLSV32.EXE
    • SPYXX.EXE
    • SREXE.EXE
    • SRNG.EXE
    • SS3EDIT.EXE
    • SSG_4104.EXE
    • SSGRATE.EXE
    • ST2.EXE
    • START.EXE
    • STCLOADER.EXE
    • SUPFTRL.EXE
    • SUPPORT.EXE
    • SUPPORTER5.EXE
    • SVC.EXE
    • SVCHOSTC.EXE
    • SVCHOSTS.EXE
    • SVSHOST.EXE
    • SWEEP95.EXE
    • SWEEPNET.SWEEPSRV.SYS.SWNETSUP.EXE
    • SYMPROXYSVC.EXE
    • SYMTRAY.EXE
    • SYSEDIT.EXE
    • SYSTEM.EXE
    • SYSTEM32.EXE
    • SYSUPD.EXE
    • TASKMG.EXE
    • TASKMO.EXE
    • TASKMON.EXE
    • TAUMON.EXE
    • TBSCAN.EXE
    • TC.EXE
    • TCA.EXE
    • TCM.EXE
    • TDS-3.EXE
    • TDS2-98.EXE
    • TDS2-NT.EXE
    • TEEKIDS.EXE
    • TFAK.EXE
    • TFAK5.EXE
    • TGBOB.EXE
    • TITANIN.EXE
    • TITANINXP.EXE
    • TRACERT.EXE
    • TRICKLER.EXE
    • TRJSCAN.EXE
    • TRJSETUP.EXE
    • TROJANTRAP3.EXE
    • TSADBOT.EXE
    • TVMD.EXE
    • TVTMD.EXE
    • UNDOBOOT.EXE
    • UPDAT.EXE
    • UPDATE.EXE
    • UPGRAD.EXE
    • UTPOST.EXE
    • VBCMSERV.EXE
    • VBCONS.EXE
    • VBUST.EXE
    • VBWIN9X.EXE
    • VBWINNTW.EXE
    • VCSETUP.EXE
    • VET32.EXE
    • VET95.EXE
    • VETTRAY.EXE
    • VFSETUP.EXE
    • VIR-HELP.EXE
    • VIRUSMDPERSONALFIREWALL.EXE
    • VNLAN300.EXE
    • VNPC3000.EXE
    • VPC32.EXE
    • VPC42.EXE
    • VPFW30S.EXE
    • VPTRAY.EXE
    • VSCAN40.EXE
    • VSCENU6.02D30.EXE
    • VSCHED.EXE
    • VSECOMR.EXE
    • VSHWIN32.EXE
    • VSISETUP.EXE
    • VSMAIN.EXE
    • VSMON.EXE
    • VSSTAT.EXE
    • VSWIN9XE.EXE
    • VSWINNTSE.EXE
    • VSWINPERSE.EXE
    • W32DSM89.EXE
    • W9X.EXE
    • WATCHDOG.EXE
    • WEBDAV.EXE
    • WEBSCANX.EXE
    • WEBTRAP.EXE
    • WFINDV32.EXE
    • WGFE95.EXE
    • WHOSWATCHINGME.EXE
    • WIMMUN32.EXE
    • WIN-BUGSFIX.EXE
    • WIN32.EXE
    • WIN32US.EXE
    • WINACTIVE.EXE
    • WINDOW.EXE
    • WINDOWS.EXE
    • WININETD.EXE
    • WININIT.EXE
    • WININITX.EXE
    • WINLOGIN.EXE
    • WINMAIN.EXE
    • WINNET.EXE
    • WINPPR32.EXE
    • WINRECON.EXE
    • WINSERVN.EXE
    • WINSSK32.EXE
    • WINSTART.EXE
    • WINSTART001.EXE
    • WINTSK32.EXE
    • WINUPDATE.EXE
    • WKUFIND.EXE
    • WNAD.EXE
    • WNT.EXE
    • WRADMIN.EXE
    • WRCTRL.EXE
    • WSBGATE.EXE
    • WUPDATER.EXE
    • WUPDT.EXE
    • WYVERNWORKSFIREWALL.EXE
    • XPF202EN.EXE
    • ZAPRO.EXE
    • ZAPSETUP3001.EXE
    • ZATUTOR.EXE
    • ZONALM2601.EXE
    • ZONEALARM.EXE

  • Sends HTTP POST messages containing large amounts of data (250 KB per POST message) to the following hosts:
    • www.ryan1918.net
    • www.ryan1918.org
    • www.ryan1918.com
    • yahoo.co.jp
    • www.nifty.com
    • www.d1asia.com
    • www.st.lib.keio.ac.jp
    • www.lib.nthu.edu.tw
    • www.above.net
    • www.level3.com
    • nitro.ucsc.edu
    • www.burst.net
    • www.cogentco.com
    • www.rit.edu
    • www.nocster.com
    • www.verio.com
    • www.stanford.edu
    • www.xo.net
    • de.yahoo.com
    • www.belwue.de
    • www.switch.ch
    • www.1und1.deverio.fr
    • www.utwente.nl
    • www.schlund.net

  • Connects to a remote IRC server and awaits commands from the remote attacker. The backdoor allows the attacker to perform the following actions on a compromised system:
    • Run commands
    • Retrieve files via FTP and HTTP
    • Retrieve data from the registry
    • Restart the computer
    • List processes
    • Kill a particular process
    • Terminate Windows services
    • Perform HTTP, ICMP, SYN, and UDP floods
    • Retrieve email addresses stored on the computer
    • Retrieve a list of email addresses via HTTP
    • Retrieve a given URL
    • Sniff HTTP, FTP, and IRC traffic
    • Steal the Windows product ID and the CD keys of various video games

  • Prevents the infected system from connecting to update servers and various other security related web pages by adding the following to the local HOSTS file:
    127.0.0.1 www.symantec.com
    127.0.0.1 securityresponse.symantec.com
    127.0.0.1 symantec.com
    127.0.0.1 www.sophos.com
    127.0.0.1 sophos.com
    127.0.0.1 www.mcafee.com
    127.0.0.1 mcafee.com
    127.0.0.1 liveupdate.symantecliveupdate.com
    127.0.0.1 www.viruslist.com
    127.0.0.1 viruslist.com
    127.0.0.1 viruslist.com
    127.0.0.1 f-secure.com
    127.0.0.1 www.f-secure.com
    127.0.0.1 kaspersky.com
    127.0.0.1 kaspersky-labs.com
    127.0.0.1 www.avp.com
    127.0.0.1 www.kaspersky.com
    127.0.0.1 avp.com
    127.0.0.1 www.networkassociates.com
    127.0.0.1 networkassociates.com
    127.0.0.1 www.ca.com
    127.0.0.1 ca.com
    127.0.0.1 mast.mcafee.com
    127.0.0.1 my-etrust.com
    127.0.0.1 www.my-etrust.com
    127.0.0.1 download.mcafee.com
    127.0.0.1 dispatch.mcafee.com
    127.0.0.1 secure.nai.com
    127.0.0.1 nai.com
    127.0.0.1 www.nai.com
    127.0.0.1 update.symantec.com
    127.0.0.1 updates.symantec.com
    127.0.0.1 us.mcafee.com
    127.0.0.1 liveupdate.symantec.com
    127.0.0.1 customer.symantec.com
    127.0.0.1 rads.mcafee.com
    127.0.0.1 trendmicro.com
    127.0.0.1 www.trendmicro.com
    127.0.0.1 www.grisoft.com

recommended-action-logoRecommended Action

Telemetry logoTelemetry

Detection Availability

FortiGate
Extended
FortiClient
FortiMail
FortiSandbox
FortiWeb
Web Application Firewall
FortiIsolator
FortiDeceptor
FortiEDR

Version Updates

Date Version Detail
2022-04-05 90.01122
2022-02-01 89.09237
2022-01-25 89.09023
2022-01-11 89.08603
2021-11-22 89.07104
2021-11-12 89.06800
2021-01-12 83.24200 Sig Updated
2020-10-22 81.28000 Sig Updated
2020-10-13 81.06700 Sig Updated
2020-08-15 79.63700 Sig Updated