WORM_AGOBOT.AP
Overview

Malware type: Worm

Aliases: Backdoor.Win32.Agobot.gen (Kaspersky), W32/Gaobot.worm.gen.g (McAfee), W32.HLLW.Gaobot (Symantec), Worm/SdBot.94092.1 (Avira), W32/Agobot-AGF (Sophos), Worm:Win32/Gaobot (Microsoft)

In the wild: No

Destructive: Yes

Language: English

Platform: Windows 2000, XP

Encrypted: No

Damage potential:

High

Distribution potential:

High

Description: 

This memory-resident worm propagates through network-shared folders.

Like the earlier AGOBOT variant, WORM_AGOBOT.AN, it also exploits known Windows vulnerabilities to propagate across the network. It takes advantage of the following:

  • Remote Procedure Call (RPC) Distributed Component Object Model (DCOM) vulnerability (Microsoft Security Bulletin MS03-026), attacked over TCP port 135
  • IIS5/WEBDAV Buffer Overflow vulnerability (Microsoft Security Bulletin MS03-007), attacked over TCP port 80 on unpatched IIS 5.0 servers

For more information about these Windows vulnerabilities, refer to the corresponding Microsoft Security Bulletins. Hosts with both bulletins applied are not exposed to these two propagation routines, but remain reachable through writable network shares.

This worm also has backdoor capabilities. It opens a randomly chosen TCP port and listens there for a connection from a remote user. It also connects to an IRC channel and waits for commands from a remote malicious user.

It allows a remote user to perform the following malicious actions:

  • Log off user
  • Shut down the machine
  • Reboot the machine
  • Connect to a different IRC server
  • Reconnect to an IRC server
  • Send raw message to the IRC server
  • Quit from the IRC session
  • Send a private message
  • Leave a channel
  • Print netinfo
  • Perform a mode change
  • Join a channel
  • Disconnect from IRC server

It also terminates antivirus-related processes and steals CD keys of certain game applications.
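The two network traits described above, the IRC command channel and the spread over RPC DCOM, IIS/WebDAV and network shares, are what an analyst can look for on the wire. The following is an added example written for this entry, not Trend Micro's code or part of the worm: it reads a simple per-host connection listing and flags hosts that combine an established outbound IRC session with connection fan-out to the propagation ports. The listing format ("src dst dst_port state"), the port-to-service mapping, the IRC port set and the fan-out threshold are assumptions made for the example, and the sample data is constructed.

```python
"""Triage of host connection records for the behaviour this entry describes.

Added example, not code from the Trend Micro entry. It flags hosts that show
both an established outbound IRC session (the command and control channel)
and connection fan-out to the ports the worm uses to spread: TCP 135
(RPC DCOM), TCP 80 (IIS/WebDAV) and TCP 139/445 (network shares). The
record format, port mapping and threshold are assumptions for this example.
"""
from collections import defaultdict

# Service each propagation port maps to (assumed mapping for this example).
PROPAGATION_PORTS = {
    135: "RPC DCOM",
    80: "IIS/WebDAV",
    139: "network share",
    445: "network share",
}
# Conventional IRC ports; the worm's actual server port is not given.
IRC_PORTS = {6660, 6661, 6662, 6663, 6664, 6665, 6666, 6667, 6668, 6669, 7000}
# Distinct targets on propagation ports before fan-out counts as scanning.
FANOUT_THRESHOLD = 10

# Constructed sample listing; 10.0.0.5 plays the infected host.
SAMPLE_LOG = "\n".join(
    ["# src dst dst_port state",
     "10.0.0.5 192.0.2.10 6667 ESTABLISHED"]
    + [f"10.0.0.5 10.0.0.{n} 135 SYN_SENT" for n in range(20, 28)]
    + [f"10.0.0.5 10.0.0.{n} 445 SYN_SENT" for n in range(28, 32)]
    + ["10.0.0.5 10.0.0.40 80 ESTABLISHED",
       "10.0.0.7 198.51.100.4 6667 ESTABLISHED",  # a user's IRC client
       "10.0.0.8 10.0.0.2 445 ESTABLISHED",       # ordinary file-share use
       "10.0.0.8 10.0.0.3 445 ESTABLISHED"]
)


def parse_records(text):
    """Yield (src, dst, port, state) tuples, skipping blanks and comments."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, dst, port, state = line.split()
        yield src, dst, int(port), state


def triage(text, fanout_threshold=FANOUT_THRESHOLD):
    """Return {src: finding} for every host with IRC or propagation traffic."""
    irc_servers = defaultdict(set)
    targets_by_port = defaultdict(lambda: defaultdict(set))
    for src, dst, port, state in parse_records(text):
        if port in IRC_PORTS and state == "ESTABLISHED":
            irc_servers[src].add(dst)
        elif port in PROPAGATION_PORTS:
            targets_by_port[src][port].add(dst)

    findings = {}
    for src in set(irc_servers) | set(targets_by_port):
        targets = set()
        for dsts in targets_by_port[src].values():
            targets |= dsts
        scanning = len(targets) >= fanout_threshold
        has_c2 = bool(irc_servers[src])
        if has_c2 and scanning:
            verdict = "suspect"   # both traits together: treat as infected
        elif has_c2 or scanning:
            verdict = "watch"     # one trait alone is ambiguous
        else:
            verdict = "benign"
        findings[src] = {
            "irc_servers": sorted(irc_servers[src]),
            "fanout_targets": len(targets),
            "services": sorted({PROPAGATION_PORTS[p] for p in targets_by_port[src]}),
            "verdict": verdict,
        }
    return findings


if __name__ == "__main__":
    for host, finding in sorted(triage(SAMPLE_LOG).items()):
        print(host, finding)
```

Port 80 is noisy on its own, which is why the example only raises "suspect" when the IRC session and the fan-out appear on the same host; a single IRC client or a handful of file-share connections stays at "watch" or "benign". On a real host the same logic is better joined with the owning process, since the description says the worm also listens on a randomly chosen TCP port that no legitimate service accounts for.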

It is compressed with Neolite and runs on Windows 2000 and XP.


Description created: Nov. 6, 2003 9:43:49 AM GMT -0800
Description updated: Nov. 6, 2003 12:16:58 PM GMT -0800
