Malware type: Worm

Aliases: Backdoor.Win32.Agobot.kb (Kaspersky), W32/Gaobot.worm.gen.t (McAfee), W32.Spybot.Worm (Symantec), Worm/AgoBot.KB.1 (Avira), W32/Agobot-AGG (Sophos),

In the wild: Yes

Destructive: No

Language: English

Platform: Windows 2000, XP, Server 2003

Encrypted: No

Description: 

This worm propagates via network shares. It drops copies of itself to certain shared folders. If the said shares are password-protected, it uses a list of user names and passwords to gain access.

In addition, it exploits the following Windows vulnerabilities to propagate across networks:

• RPCSS vulnerability
• LSASS vulnerability

For more information on the said vulnerabilities, please refer to the following Microsoft Web pages:

• Microsoft Security Bulletin MS03-039
• Microsoft Security Bulletin MS04-011

It has backdoor capabilities. Using IRC port 6667, it connects to an Internet Relay Chat (IRC) server and joins a channel. Once a connection is established, it allows a remote user to issue commands. The said commands are executed locally, effectively compromising the affected system.

It disables services by modifying related registry entries. It also terminates processes related to antivirus and security applications. It also terminates processes related to other malware programs.

For additional information about this threat, see:
Solution
Technical Details

Description created: Sep. 6, 2006 4:01:03 AM GMT -0800

Search a new malware

Tell us how we did. Take our quick survey.