Description:
This worm arrives and propagates via network shares. To propagate, it attempts to drop copies of itself into certain network shares.
It also exploits the Windows LSASS vulnerability to propagate across networks. This vulnerability is a buffer overrun that allows remote code execution and enables an attacker to gain full control of the affected system.
More information on this vulnerability can be found on the following Web page:
This worm has backdoor capabilities. It acts as an IRC bot that connects to a certain IRC server, where it listens for commands coming from a remote malicious user. It executes these commands locally on an affected system, providing the user virtual control over the system.
It terminates certain processes, deletes certain network shares, and hides files whose file names contain the string "soun".
It modifies the HOSTS file to prevent access to certain antivirus and security-related Web sites.
It is capable of launching denial of service (DoS) attacks against target sites.
It steals the Microsoft Windows Product ID. It also steals AOL Instant Messenger and .NET Messenger Service account information, as well as CD keys of certain games.
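The HOSTS file modification described above can be checked for during triage. The following is an added example, not part of the original description or any vendor tool: it parses HOSTS-file text and flags entries that point security-related host names at a loopback or unspecified address. The keyword list and the sample file contents are assumptions constructed for illustration; the description does not list the blocked sites.

```python
import ipaddress

# Assumed keywords (not from the original description): substrings that
# commonly appear in antivirus and security-update host names.
SECURITY_KEYWORDS = ("virus", "liveupdate", "windowsupdate", "secur", "malware")

# Constructed sample HOSTS content, not taken from an infected machine.
SAMPLE_HOSTS = """\
# constructed sample
127.0.0.1       localhost
127.0.0.1       www.example-antivirus.test   update.example-antivirus.test
0.0.0.0         liveupdate.example-vendor.test  # trailing comment
10.0.0.5        intranet.example.test
127.0.0.1       ads.example.test
"""

def parse_hosts(text):
    """Yield (line_no, ip, hostname) for every mapping in HOSTS-file text."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                          # malformed line, not a mapping
        for host in fields[1:]:               # one line may map several names
            yield line_no, ip, host.lower().rstrip(".")

def suspicious_entries(text, keywords=SECURITY_KEYWORDS):
    """Return mappings that send a security-related host name nowhere."""
    hits = []
    for line_no, ip, host in parse_hosts(text):
        sinkholed = ip.is_loopback or ip.is_unspecified
        if sinkholed and host != "localhost" and any(k in host for k in keywords):
            hits.append((line_no, str(ip), host))
    return hits

if __name__ == "__main__":
    for line_no, ip, host in suspicious_entries(SAMPLE_HOSTS):
        print(f"line {line_no}: {host} -> {ip}")
```

On a live system, pass the contents of the machine's HOSTS file instead of `SAMPLE_HOSTS`; a hit is a lead to investigate, since some administrators add such entries deliberately.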
For additional information about this threat, see: Solution Technical Details
Description created: Jan. 29, 2005 8:21:32 AM GMT -0800