F-Secure Virus Descriptions : Agobot.AX




NAME: Agobot.AX
ALIAS: Backdoor.Agobot.3.ax, W32.HLLW.Gaobot, Gaobot, Win32/Gaobot

Summary

The Agobot.AX variant was found on 26 November 2003. This backdoor has functionality similar to its previous variants, but it is more powerful than the earlier versions. A generic description of Agobot and information on previous Agobot variants can be found here:

http://www.f-secure.com/v-descs/agobot.shtml

Disinfection

The most important step of disinfection is the installation of security patches for the vulnerabilities exploited by Agobot.

Detailed information and patches are available from the following pages:

RPC/DCOM (MS03-026, fixed by MS03-039):

http://www.microsoft.com/technet/security/bulletin/MS03-039.asp

RPC/Locator (MS03-001):

http://www.microsoft.com/technet/security/bulletin/MS03-001.asp

WebDAV (MS03-007):

http://www.microsoft.com/technet/security/bulletin/MS03-007.asp

The necessary patches can be downloaded from the pages above under the "Patch availability" section.

F-Secure Anti-Virus can detect and delete the Agobot-infected files.



Detailed Description

There are some differences between this backdoor variant and its previous variants. They are described below.

Installation to system

The Agobot.ax backdoor copies itself to the Windows System folder as SCVHOST.EXE and creates the following startup entries for this file in the System Registry:

 [HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
 "Configuration Loader" = "scvhost.exe"

 [HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices]
 "Configuration Loader" = "scvhost.exe"

On Windows NT-based systems the backdoor can start as a service.
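The two registry values above are the most direct host-based indicator this description gives, and the file name is a one-letter transposition of the legitimate svchost.exe. The following is an added example, not F-Secure's code or tooling: it parses registry lines in the same [key] / "name"="data" layout used on this page (assumed here to come from a .reg-style export of the two Run keys) and flags entries that match the value name or the lookalike binary name, while leaving a legitimately named program alone. The sample export is constructed for the example.

```python
import re

# Autostart keys and values the description attributes to Agobot.AX.
AGOBOT_RUN_KEYS = {
    r"hklm\software\microsoft\windows\currentversion\run",
    r"hklm\software\microsoft\windows\currentversion\runservices",
}
AGOBOT_VALUE_NAME = "configuration loader"
AGOBOT_BINARY = "scvhost.exe"  # transposed letters; the real service host is svchost.exe

_KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
_VALUE_RE = re.compile(r'^"(?P<name>[^"]*)"\s*=\s*"(?P<data>.*)"$')


def parse_reg_export(text):
    """Parse [key] headers followed by "name"="data" lines into (key, name, data)
    triples. Blank lines and lines that match neither pattern are skipped."""
    entries = []
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = _KEY_RE.match(line)
        if m:
            key = m.group("key")
            continue
        m = _VALUE_RE.match(line)
        if m and key is not None:
            entries.append((key, m.group("name"), m.group("data")))
    return entries


def find_agobot_autoruns(entries):
    """Return (key, name, data, reason) for Run/RunServices values that carry
    either the Agobot.AX value name or the scvhost.exe lookalike binary name."""
    findings = []
    for key, name, data in entries:
        if key.lower() not in AGOBOT_RUN_KEYS:
            continue
        # Reduce the command line to its executable basename, ignoring arguments.
        parts = data.strip('"').split("\\")[-1].split()
        exe = parts[0].lower() if parts else ""
        reasons = []
        if name.lower() == AGOBOT_VALUE_NAME:
            reasons.append("value name used by Agobot.AX")
        if exe == AGOBOT_BINARY:
            reasons.append("binary name scvhost.exe (lookalike of svchost.exe)")
        if reasons:
            findings.append((key, name, data, "; ".join(reasons)))
    return findings


# Constructed sample export: the two Agobot entries plus one benign vendor entry.
SAMPLE_EXPORT = """
[HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run]
"Configuration Loader" = "scvhost.exe"
"SomeVendorTray" = "C:\\Program Files\\Vendor\\tray.exe"

[HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\RunServices]
"Configuration Loader" = "scvhost.exe"
"""

if __name__ == "__main__":
    for hit in find_agobot_autoruns(parse_reg_export(SAMPLE_EXPORT)):
        print(hit)
```

Matching on both the value name and the binary name is deliberate: a later variant can change either one, and a value that sets a bare file name with no directory (so Windows resolves it through the System folder) is itself worth a second look.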

Creating an IRC bot

The backdoor is controlled through an IRC bot that connects to a specific IRC server and channel while the backdoor's file is running. The following operations can be performed via the bot:

 * display bot info
 * terminate bot
 * resolve host/ip by DNS
 * start executable file
 * display current bot ID
 * change a nickname of a bot
 * open any file
 * remove bot
 * generate random name for a bot
 * get bot status
 * display system info
 * check bot's uptime
 * quit the bot
 * flush bot's DNS cache
 * delete shares and disable DCOM
 * download and execute a file from ftp server
 * update the bot from ftp server
 * download a file from ftp server
 * download and execute a file from http server
 * update the bot from http server
 * download a file from http server
 * log off current user
 * shutdown a computer
 * reboot a computer
 * kill specified process
 * list all processes
 * change IRC server that the bot connects to
 * reconnect to IRC server
 * send a message to IRC server
 * send a private message
 * part a channel
 * print network info
 * change channel mode
 * join a specified channel
 * disconnect from IRC
 * list all available commands
 * redirect HTTP traffic
 * create proxy on certain ports

Collecting e-mail addresses

The bot can harvest e-mail addresses. It has the functionality to read the user's Address Book and send the list of e-mail addresses to the bot operator.

Scanning for unpatched computers

The backdoor can scan subnets for exploitable computers and send a list of their IPs to the bot operator. The scan is performed on ports 80, 135 and 445 for RPC/DCOM (MS03-026), RPC/Locator (MS03-001) and WebDAV (MS03-007) vulnerabilities.
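A host that probes ports 80, 135 and 445 across a whole subnet stands out in flow data, because a normal workstation does not fan out to dozens of neighbours on exactly those ports. The following detection logic is an added example and not part of F-Secure's description: it aggregates constructed flow records (the one-line "<time> <src> -> <dst>:<port> <proto>" format is an assumption for this example) per source, counts distinct destinations on the three ports, and notes when the targets form a consecutive address run, which is what a sequential subnet sweep looks like. The page lists the three ports together without assigning each to one vulnerability, and the code does not assume a mapping either.

```python
import ipaddress
from collections import defaultdict

# Ports the description says Agobot.AX scans for exploitable hosts.
AGOBOT_SCAN_PORTS = {80, 135, 445}


def parse_flow(line):
    """Parse the constructed flow format '<time> <src> -> <dst>:<port> <proto>'."""
    _time, src, _arrow, dst_port, _proto = line.split()
    dst, port = dst_port.rsplit(":", 1)
    return src, dst, int(port)


def detect_vuln_sweep(lines, min_targets=8):
    """Flag sources that reach at least min_targets distinct hosts on the
    Agobot scan ports. Reports the ports used and whether the destinations
    are consecutive addresses (a sequential sweep)."""
    per_src = defaultdict(lambda: defaultdict(set))  # src -> port -> {dst}
    for line in lines:
        src, dst, port = parse_flow(line)
        if port in AGOBOT_SCAN_PORTS:
            per_src[src][port].add(dst)

    findings = {}
    for src, ports in per_src.items():
        targets = set().union(*ports.values())
        if len(targets) < min_targets:
            continue
        addrs = sorted(ipaddress.ip_address(t) for t in targets)
        contiguous = all(int(b) - int(a) == 1 for a, b in zip(addrs, addrs[1:]))
        findings[src] = {
            "targets": len(targets),
            "ports": sorted(ports),
            "sequential_sweep": contiguous,
        }
    return findings


# Constructed sample: one host sweeping 10.0.1.1-12 on 135 and 445, and one
# ordinary client talking to two web servers plus an SSH host.
SAMPLE_FLOWS = [
    f"2003-11-26T10:05:{i:02d} 10.0.0.7 -> 10.0.1.{i}:{port} tcp"
    for i in range(1, 13)
    for port in (135, 445)
] + [
    "2003-11-26T10:05:30 10.0.0.20 -> 192.0.2.10:80 tcp",
    "2003-11-26T10:05:31 10.0.0.20 -> 192.0.2.11:80 tcp",
    "2003-11-26T10:05:32 10.0.0.20 -> 192.0.2.12:22 tcp",
]

if __name__ == "__main__":
    for src, info in detect_vuln_sweep(SAMPLE_FLOWS).items():
        print(src, info)
```

The threshold of eight distinct targets is an assumed starting point; tune it against a baseline of what servers and management hosts on the network legitimately contact on these ports, and exclude those sources explicitly rather than raising the threshold for everyone.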

Performing a DDoS attack

The backdoor can perform the following types of DDoS (Distributed Denial of Service) attacks:

 * HTTP flood
 * SYN flood
 * UDP flood
 * PING flood

Attacks cannot be directed at the following sites:

 www.Global-Dimension.org
 Global-Dimension.org
 www.rizon.net
 rizon.net
 starburst.psychz.net
 rolo.psychz.net
 eclipse.psychz.net
 psychz.net
 harr0.com
 www.harr0.com
 ryan1918.com
 www.ryan1918.com

Spreading to local network

When spreading to the local network, Agobot.ax probes the following shares:

 c$
 d$
 e$
 print$

Agobot.ax tries to connect using the following account names:

 Administrator
 Administrateur
 Coordinatore
 Administrador
 Verwalter
 Ospite
 kanri
 kanri-sha
 admin
 administrator
 Default
 Convidado
 mgmt
 Standard
 User
 Administratör
 administrador
 Owner
 user
 server
 Test
 Guest
 Gast
 Inviter
 a
 aaa
 abc
 x
 xyz
 Dell
 home
 pc
 test
 temp
 win
 asdf
 qwer
 OEM
 root
 wwwadmin
 login
 owner
 mary
 admins
 computer
 xp
 OWNER
 mysql
 database
 teacher
 student

When connecting, Agobot.ax uses the following passwords:

 admin
 Admin
 password
 Password
 1
 12
 123
 1234
 12345
 123456
 1234567
 12345678
 123456789
 654321
 54321
 111
 000000
 00000000
 11111111
 88888888
 pass
 passwd
 database
 abcd
 oracle
 sybase
 123qwe
 server
 computer
 Internet
 super
 123asd
 ihavenopass
 godblessyou
 enable
 xp
 2002
 2003
 2600
 0
 110
 111111
 121212
 123123
 1234qwer
 123abc
 007
 alpha
 patrick
 pat
 administrator
 root
 sex
 god
 foobar
 a
 aaa
 abc
 test
 temp
 win
 pc
 asdf
 secret
 qwer
 yxcv
 zxcv
 home
 xxx
 owner
 login
 Login
 Coordinatore
 Administrador
 Verwalter
 Ospite
 administrator
 Default
 administrador
 admins
 teacher
 student
 superman
 supersecret
 kids
 penis
 wwwadmin
 database
 changeme
 test123
 user
 private
 69
 root
 654321
 xxyyzz
 asdfghjkl
 mybaby
 vagina
 pussy
 leet
 metal
 work
 school
 mybox
 box
 werty
 baby
 porn
 homework
 secrets
 x
 z
 qwertyuiop
 secret
 Administrateur
 abc123
 password123
 red123
 qwerty
 admin123
 zxcvbnm
 poiuytrewq
 pwd
 pass
 love
 mypc
 mypass
 pw
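The account and password lists above describe a dictionary attack against administrative shares, and from the defender's side it shows up as a burst of failed logons from one source against many different account names. The following is an added example, not F-Secure's code: it runs a sliding-window check over constructed failed-logon records (a simplified one-line form of Windows event 4625, "<time> 4625 src=<ip> user=<name> share=<share>", assumed for this example) and alerts when one source produces many failures against several distinct accounts inside a short window, annotating how many of those accounts appear in an excerpt of the Agobot.AX account list above. The window size and thresholds are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime

# Excerpt of the account names the description lists for share spreading.
AGOBOT_ACCOUNTS = {
    "Administrator", "Administrateur", "Administrador", "Verwalter", "admin",
    "Guest", "Gast", "Owner", "root", "test", "Dell", "OEM", "student",
}


def parse_failed_logon(line):
    """Parse the constructed '<ISO time> 4625 src=<ip> user=<name> ...' form.
    Returns None for any line that is not a failed-logon (4625) record."""
    parts = line.split()
    if len(parts) < 3 or parts[1] != "4625":
        return None
    fields = dict(p.split("=", 1) for p in parts[2:] if "=" in p)
    return {
        "ts": datetime.fromisoformat(parts[0]),
        "src": fields.get("src"),
        "user": fields.get("user"),
    }


def detect_share_bruteforce(lines, window_s=60, min_failures=10, min_accounts=5):
    """Alert once per source IP when, within any window_s-second window, it
    produces at least min_failures failed logons spread over at least
    min_accounts distinct account names."""
    recent = defaultdict(deque)  # src -> deque of (ts, user) inside the window
    alerts = {}
    for line in lines:
        ev = parse_failed_logon(line)
        if ev is None or ev["src"] is None:
            continue
        q = recent[ev["src"]]
        q.append((ev["ts"], ev["user"]))
        # Drop events that fell out of the window (records assumed time-ordered).
        while (ev["ts"] - q[0][0]).total_seconds() > window_s:
            q.popleft()
        users = {u for _, u in q}
        if len(q) >= min_failures and len(users) >= min_accounts and ev["src"] not in alerts:
            alerts[ev["src"]] = {
                "first_seen": q[0][0].isoformat(),
                "failures": len(q),  # count at the moment the alert fired
                "accounts": sorted(users),
                "known_agobot_accounts": sorted(users & AGOBOT_ACCOUNTS),
            }
    return alerts


# Constructed sample: a user mistyping a password twice, then a host cycling
# through six account names every two seconds against C$.
SAMPLE_LOG = [
    "2003-11-26T10:00:00 4625 src=10.0.0.20 user=jsmith share=C$",
    "2003-11-26T10:00:05 4625 src=10.0.0.20 user=jsmith share=C$",
]
_CYCLE = ["Administrator", "admin", "Guest", "root", "test", "Owner"]
SAMPLE_LOG += [
    f"2003-11-26T10:01:{i * 2:02d} 4625 src=10.0.0.7 user={_CYCLE[i % 6]} share=C$"
    for i in range(12)
]

if __name__ == "__main__":
    for src, info in detect_share_bruteforce(SAMPLE_LOG).items():
        print(src, info)
```

Counting distinct account names, not just failures, is what separates this pattern from one user locked out of one account; the list of matched Agobot names is there to raise the priority of the alert, not to gate it, since a variant can ship a different dictionary.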

Terminating processes of security and anti-virus programs

Agobot.ax has a huge list of processes that it tries to terminate:

 ACKWIN32.EXE
 ADVXDWIN.EXE
 AGENTSVR.EXE
 ALERTSVC.EXE
 ALOGSERV.EXE
 AMON9X.EXE
 ANTI-TROJAN.EXE
 ANTIVIRUS.EXE
 ANTS.EXE
 APIMONITOR.EXE
 APLICA32.EXE
 APVXDWIN.EXE
 ATCON.EXE
 ATGUARD.EXE
 ATRO55EN.EXE
 ATUPDATER.EXE
 ATWATCH.EXE
 AUPDATE.EXE
 AUTODOWN.EXE
 AUTOUPDATE.EXE
 AVCONSOL.EXE
 AVE32.EXE
 AVGCC32.EXE
 AVGCTRL.EXE
 AVGNT.EXE
 AVGSERV.EXE
 AVGSERV9.EXE
 AVGUARD.EXE
 AVGW.EXE
 AVNT.EXE
 AVP.EXE
 AVP32.EXE
 AVPCC.EXE
 AVPDOS32.EXE
 AVPM.EXE
 AVPTC32.EXE
 AVPUPD.EXE
 AVWIN95.EXE
 AVWINNT.EXE
 AVWUPD32.EXE
 AVWUPSRV.EXE
 AVXMONITOR9X.EXE
 AVXMONITORNT.EXE
 AVXQUAR.EXE
 AckWin32.EXE
 AutoTrace.EXE
 AvSynMgr.AVSYNMGR.EXE
 AvgServ.EXE
 Avgctrl.EXE
 AvkServ.EXE
 Avsched32.EXE
 BD_PROFESSIONAL.EXE
 BIDEF.EXE
 BIDSERVER.EXE
 BIPCP.EXE
 BIPCPEVALSETUP.EXE
 BISP.EXE
 BLACKD.EXE
 BLACKICE.EXE
 BOOTWARN.EXE
 BORG2.EXE
 BS120.EXE
 BlackICE.EXE
 CDP.EXE
 CFGWIZ.EXE
 CFIADMIN.EXE
 CFIAUDIT.EXE
 CFINET.EXE
 CFINET32.EXE
 CLAW95CF.EXE
 CLEAN.EXE
 CLEANER.EXE
 CLEANER3.EXE
 CLEANPC.EXE
 CMGRDIAN.EXE
 CMON016.EXE
 CONNECTIONMONITOR.EXE
 CPD.EXE
 CPF9X206.EXE
 CPFNT206.EXE
 CTRL.EXE
 CV.EXE
 CWNB181.EXE
 CWNTDWMO.EXE
 Claw95.EXE
 Claw95cf.EXE
 DEFWATCH.EXE
 DEPUTY.EXE
 DOORS.EXE
 DPF.EXE
 DPFSETUP.EXE
 DRWATSON.EXE
 DRWEB32.EXE
 DVP95.EXE
 DVP95_0.EXE
 ECENGINE.EXE
 EFPEADM.EXE
 ENT.EXE
 ESAFE.EXE
 ESCANH95.EXE
 ESCANHNT.EXE
 ESCANV95.EXE
 ESPWATCH.EXE
 ETRUSTCIPE.EXE
 EVPN.EXE
 EXANTIVIRUS-CNET.EXE
 EXE.AVXW.EXE
 EXPERT.EXE
 F-AGNT95.EXE
 F-PROT.EXE
 F-PROT95.EXE
 F-STOPW.EXE
 FAST.EXE
 FINDVIRU.EXE
 FIREWALL.EXE
 FLOWPROTECTOR.EXE
 FP-WIN.EXE
 FP-WIN_TRIAL.EXE
 FPROT.EXE
 FRW.EXE
 FSAV.EXE
 FSAV530STBYB.EXE
 FSAV530WTBYB.EXE
 FSAV95.EXE
 GBMENU.EXE
 GBPOLL.EXE
 GENERICS.EXE
 GUARD.EXE
 GUARDDOG.EXE
 HACKTRACERSETUP.EXE
 HTLOG.EXE
 HWPE.EXE
 IAMAPP.EXE
 IAMSERV.EXE
 IAMSTATS.EXE
 IBMASN.EXE
 IBMAVSP.EXE
 ICLOAD95.EXE
 ICLOADNT.EXE
 ICMON.EXE
 ICSUPP95.EXE
 ICSUPPNT.EXE
 IFACE.EXE
 IFW2000.EXE
 IOMON98.EXE
 IPARMOR.EXE
 IRIS.EXE
 ISRV95.EXE
 JAMMER.EXE
 JEDI.EXE
 KAVLITE40ENG.EXE
 KAVPERS40ENG.EXE
 KAVPF.EXE
 KERIO-PF-213-EN-WIN.EXE
 KERIO-WRL-421-EN-WIN.EXE
 KERIO-WRP-421-EN-WIN.EXE
 KILLPROCESSSETUP161.EXE
 LDNETMON.EXE
 LDPRO.EXE
 LDPROMENU.EXE
 LDSCAN.EXE
 LOCALNET.EXE
 LOCKDOWN.EXE
 LOCKDOWN2000.EXE
 LOOKOUT.EXE
 LSETUP.EXE
 LUALL.EXE
 LUAU.EXE
 LUCOMSERVER.EXE
 LUINIT.EXE
 LUSPT.EXE
 MCAGENT.EXE
 MCMNHDLR.EXE
 MCTOOL.EXE
 MCUPDATE.EXE
 MCVSRTE.EXE
 MCVSSHLD.EXE
 MFW2EN.EXE
 MFWENG3.02D30.EXE
 MGAVRTCL.EXE
 MGAVRTE.EXE
 MGHTML.EXE
 MGUI.EXE
 MINILOG.EXE
 MONITOR.EXE
 MOOLIVE.EXE
 MPFAGENT.EXE
 MPFSERVICE.EXE
 MPFTRAY.EXE
 MRFLUX.EXE
 MSCONFIG.EXE
 MSINFO32.EXE
 MSSMMC32.EXE
 MU0311AD.EXE
 MWATCH.EXE
 Mcshield.EXE
 Monitor.EXE
 N32SCANW.EXE
 NAV Auto-Protect.NAV80TRY.EXE
 NAVAP.navapsvc.EXE
 NAVAPSVC.EXE
 NAVAPW32.EXE
 NAVDX.EXE
 NAVENGNAVEX15.NAVLU32.EXE
 NAVLU32.EXE
 NAVNT.EXE
 NAVSTUB.EXE
 NAVW32.EXE
 NAVWNT.EXE
 NC2000.EXE
 NCINST4.EXE
 NDD32.EXE
 NEOMONITOR.EXE
 NETARMOR.EXE
 NETINFO.EXE
 NETMON.EXE
 NETSCANPRO.EXE
 NETSPYHUNTER-1.2.EXE
 NETSTAT.EXE
 NETUTILS.EXE
 NISSERV.EXE
 NISUM.EXE
 NMAIN.EXE
 NOD32.EXE
 NORMIST.EXE
 NORTON_INTERNET_SECU_3.0_407.EXE
 NPF40_TW_98_NT_ME_2K.EXE
 NPFMESSENGER.EXE
 NPROTECT.EXE
 NPSSVC.EXE
 NSCHED32.EXE
 NTVDM.EXE
 NTXconfig.EXE
 NVARCH16.EXE
 NVC95.EXE
 NWINST4.EXE
 NWService.EXE
 NWTOOL16.EXE
 Navw32.EXE
 NeoWatchLog.EXE
 Nui.EXE
 Nupgrade.EXE
 OSTRONET.EXE
 OUTPOST.EXE
 OUTPOSTINSTALL.EXE
 OUTPOSTPROINSTALL.EXE
 PADMIN.EXE
 PANIXK.EXE
 PAVCL.EXE
 PAVPROXY.EXE
 PAVSCHED.EXE
 PAVW.EXE
 PCC2002S902.EXE
 PCC2K_76_1436.EXE
 PCCIOMON.EXE
 PCCWIN98.EXE
 PCDSETUP.EXE
 PCFWALLICON.EXE
 PCIP10117_0.EXE
 PDSETUP.EXE
 PERISCOPE.EXE
 PERSFW.EXE
 PERSWF.EXE
 PF2.EXE
 PFWADMIN.EXE
 PINGSCAN.EXE
 PLATIN.EXE
 POP3TRAP.EXE
 POPROXY.EXE
 POPSCAN.EXE
 PORTDETECTIVE.EXE
 PORTMONITOR.EXE
 PPINUPDT.EXE
 PPTBC.EXE
 PPVSTOP.EXE
 PROCESSMONITOR.EXE
 PROCEXPLORERV1.0.EXE
 PROGRAMAUDITOR.EXE
 PROPORT.EXE
 PROTECTX.EXE
 PSPF.EXE
 PURGE.EXE
 PVIEW95.EXE
 QCONSOLE.EXE
 QSERVER.EXE
 RAV7.EXE
 RAV7WIN.EXE
 RAV8WIN32ENG.EXE
 REALMON.EXE
 REGEDIT.EXE
 REGEDT32.EXE
 RESCUE.EXE
 RESCUE32.EXE
 RRGUARD.EXE
 RSHELL.EXE
 RTVSCN95.EXE
 RULAUNCH.EXE
 SAFEWEB.EXE
 SBSERV.EXE
 SCAN32.EXE
 SCAN95.EXE
 SCANPM.EXE
 SCRSCAN.EXE
 SD.EXE
 SERV95.EXE
 SETUPVAMEEVAL.EXE
 SETUP_FLOWPROTECTOR_US.EXE
 SFC.EXE
 SGSSFW32.EXE
 SH.EXE
 SHELLSPYINSTALL.EXE
 SHN.EXE
 SMC.EXE
 SOFI.EXE
 SPF.EXE
 SPHINX.EXE
 SPYXX.EXE
 SS3EDIT.EXE
 ST2.EXE
 SUPFTRL.EXE
 SUPPORTER5.EXE
 SWEEP95.EXE
 SYMPROXYSVC.EXE
 SYMTRAY.EXE
 SYSEDIT.EXE
 Sphinx.EXE
 SweepNet.SWEEPSRV.SYS.SWNETSUP.EXE
 SymProxySvc.EXE
 TASKMON.EXE
 TAUMON.EXE
 TBSCAN.EXE
 TC.EXE
 TCA.EXE
 TCM.EXE
 TDS-3.EXE
 TDS2-98.EXE
 TDS2-NT.EXE
 TFAK.EXE
 TFAK5.EXE
 TGBOB.EXE
 TITANIN.EXE
 TITANINXP.EXE
 TRACERT.EXE
 TRJSCAN.EXE
 TRJSETUP.EXE
 TROJANTRAP3.EXE
 UNDOBOOT.EXE
 UPDATE.EXE
 VBCMSERV.EXE
 VBCONS.EXE
 VBUST.EXE
 VBWIN9X.EXE
 VBWINNTW.EXE
 VCSETUP.EXE
 VET32.EXE
 VET95.EXE
 VETTRAY.EXE
 VFSETUP.EXE
 VIR-HELP.EXE
 VIRUSMDPERSONALFIREWALL.EXE
 VNLAN300.EXE
 VNPC3000.EXE
 VPC32.EXE
 VPC42.EXE
 VPFW30S.EXE
 VPTRAY.EXE
 VSCAN40.EXE
 VSCENU6.02D30.EXE
 VSCHED.EXE
 VSECOMR.EXE
 VSISETUP.EXE
 VSMAIN.EXE
 VSMON.EXE
 VSSTAT.EXE
 VSWIN9XE.EXE
 VSWINNTSE.EXE
 VSWINPERSE.EXE
 VbCons.EXE
 Vet95.EXE
 VetTray.EXE
 W32DSM89.EXE
 W9X.EXE
 WATCHDOG.EXE
 WEBSCANX.EXE
 WEBTRAP.EXE
 WFINDV32.EXE
 WGFE95.EXE
 WHOSWATCHINGME.EXE
 WIMMUN32.EXE
 WINRECON.EXE
 WNT.EXE
 WRADMIN.EXE
 WRCTRL.EXE
 WSBGATE.EXE
 WYVERNWORKSFIREWALL.EXE
 WrAdmin.EXE
 WrCtrl.EXE
 XPF202EN.EXE
 ZAPRO.EXE
 ZAPSETUP3001.EXE
 ZATUTOR.EXE
 ZAUINST.EXE
 ZONALM2601.EXE
 ZONEALARM.EXE
 _AVP32.EXE
 _AVPCC.EXE
 _AVPM.EXE
 agentw.EXE
 apvxdwin.EXE
 avkpop.EXE
 avkservice.EXE
 avkwctl9.EXE
 avpm.EXE
 blackd.EXE
 ccApp.EXE
 ccEvtMgr.EXE
 ccPxySvc.EXE
 cleaner.EXE
 cleaner3.EXE
 cpd.EXE
 defalert.EXE
 defscangui.EXE
 f-stopw.EXE
 fameh32.EXE
 fch32.EXE
 fih32.EXE
 fnrb32.EXE
 fsaa.EXE
 fsav32.EXE
 fsgk32.EXE
 fsm32.EXE
 fsma32.EXE
 fsmb32.EXE
 gbmenu.EXE
 gbpoll.EXE
 iamapp.EXE
 iamserv.EXE
 lockdown2000.EXE
 notstart.EXE
 npscheck.EXE
 ntrtscan.EXE
 nvsvc32.EXE
 pavproxy.EXE
 pccntmon.EXE
 pccwin97.EXE
 pcscan.EXE
 rapapp.EXE
 rtvscan.EXE
 sbserv.EXE
 vbcmserv.EXE
 vshwin32.EXE
 vsmon.EXE
 zapro.EXE
 zonealarm.EXE

Agobot.ax also terminates processes belonging to other malware:

 tftpd.exe
 dllhost.exe
 winppr32.exe
 mspatch.exe
 penis32.exe
 msblast.exe

Stealing CD keys and Product IDs

Agobot.ax tries to steal CD keys from the following games:

 Half Life
 Half Life: Counterstrike
 LoMaM
 Unreal Tournament 2003
 The Gladiators
 Need For Speed Hot Pursuit 2
 FIFA 2002
 FIFA 2003
 NHL 2002
 NHL 2003
 Nascar Racing 2002
 Nascar Racing 2003
 Battlefield 1942
 Battlefield 1942: The Road to Rome
 Battlefield 1942 Secret Weapons of WWII
 Command & Conquer: Generals
 Command & Conquer: Red Alert
 Command & Conquer: Red Alert 2
 Command & Conquer: Tiberian Sun
 Project IGI 2
 NOX
 Neverwinter Nights
 Soldier of Fortune II - Double Helix
 Chrome
 Hidden and Dangerous 2

This variant of Agobot also steals the Windows Product ID.



Detection

F-Secure Anti-Virus already detects this backdoor generically with the existing updates as 'Backdoor.Agobot.3.gen'.



Technical Details: Alexey Podrezov; November 26th, 2003;

F-Secure Corporation