WORM_AGOBOT.FX
Overview

Malware type: Worm

Aliases: Backdoor.Win32.Agobot.gen (Kaspersky), W32/Gaobot.worm.gen.q (McAfee), W32.HLLW.Gaobot.gen (Symantec), TR/Crypt.XPACK.Gen (Avira), W32/Agobot-CC (Sophos)

In the wild: Yes

Destructive: No

Language: English

Platform: Windows NT, 2000, XP

Encrypted: No

Overall risk rating:


Reported infections:

Damage potential: High

Distribution potential: High

Description: 

This memory-resident worm drops and executes a copy of itself as the file CSSRS.EXE in the Windows system directory.

It takes advantage of the following system vulnerabilities:

  • DCOM RPC vulnerability using TCP port 135
  • RPC Locator vulnerability using TCP port 445
  • WebDav vulnerability using TCP port 80

For more information about these Windows vulnerabilities, please refer to the following Microsoft Web pages:

It also has the following capabilities:

  • Attempt to gain access to specific shared folders on the network using a predefined list of user names and passwords
  • Connect to an Internet Relay Chat (IRC) channel and listen for commands from a remote user
  • Allow the malicious user to perform several malicious tasks on a vulnerable system
  • Terminate antivirus products, firewall programs, and system tools

It runs on Windows NT, 2000, and XP.


Description created: Jan. 21, 2004 2:46:00 PM GMT -0800
Description updated: Jan. 21, 2004 2:45:57 PM GMT -0800
