Backdoor:W32/Agobot.F

Classification

Category :

Malware

Type :

Backdoor

Aliases :

Agobot.F, Backdoor.Agobot.3.f, W32.HLLW.Gaobot, Gaobot, Win32/Gaobot

Summary

The Agobot.F variant was reported by several customers at the beginning of September 2003. This backdoor has functionality similar to that of previous variants. A generic description of Agobot can be found here:

https://www.europe.f-secure.com/v-descs/agobot.shtml

Removal

The most important step of disinfection is the installation of security patches for the vulnerabilities exploited by Agobot; a cleaned but unpatched host can simply be reinfected by the next scanning bot.

Detailed information and patches are available from the following pages:

RPC/DCOM (MS03-026, superseded by MS03-039):

https://www.microsoft.com/technet/security/bulletin/MS03-039.asp

RPC/Locator (MS03-001):

https://www.microsoft.com/technet/security/bulletin/MS03-001.asp

WebDAV (MS03-007):

https://www.microsoft.com/technet/security/bulletin/MS03-007.asp

The necessary patches can be downloaded from the pages above under the "Patch availability" section.

F-Secure Anti-Virus with the latest updates can detect and delete the Agobot infected files.

A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:

  • Check for the latest database updates

    First check if your F-Secure security program is using the latest updates, then try scanning the file again.

  • Submit a sample

    After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.

    Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.

  • Exclude a file from further scanning

    If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.

    Note: You need administrative rights to change the settings.

Technical Details

System infection

When Agobot enters a system, it first copies itself to the System Directory under the filename 'scvhost.exe' (a lookalike of the legitimate 'svchost.exe'). This file is then registered for automatic startup in the registry as

[HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Config Loader]

and

[HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\Config Loader]

IRC backdoor

After startup Agobot connects to a predefined IRC server on TCP port 9900. There it joins a channel and waits for further commands.

The IRC interface provides the remote attacker with a set of commands to:

- control the bot (the IRC nick it uses, the channel it joins, etc.)

- download and execute arbitrary programs on the computer

- scan for vulnerable hosts and install the worm on them

- perform Distributed Denial of Service (DDoS) attacks

- use the infected computer as a TCP proxy

- steal CD keys of installed games

Network propagation

Agobot has several different methods to spread through the network.

The spreading routines based on the RPC/DCOM and RPC/Locator vulnerabilities are enabled by default; the worm begins scanning for vulnerable hosts as soon as it is executed.

Using these exploits, Agobot scans random IP addresses. If it successfully penetrates a host, it transfers itself there: the exploited host connects back to the attacking host on a random port, where the worm runs a simple server that answers any connection by sending a copy of the worm. On the remote host the worm is written to a file called 'winhlpp32.exe' and started.

Another spreading method uses the WebDAV vulnerability (MS03-007) to copy the worm to the remote host.

To propagate within local area networks, Agobot has a separate routine that connects to Windows computers and tries to copy itself by logging in as the Administrator account with a list of trivial passwords. The worm knows the localized names of the administrator account (e.g. 'Administrateur') and carries a list of weak passwords such as 'password' and 'xyz'.
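The indicators given in the "System infection", "IRC backdoor" and "Network propagation" sections above (the 'Config Loader' autorun value, the 'scvhost.exe' and 'winhlpp32.exe' files in the System Directory, and the outbound connection to TCP port 9900) are enough for a simple offline host-triage check. The following Python script is an added example, not F-Secure's tooling or part of the original description: it scans text captured from a host (a .reg export of the Run and RunServices keys, a file listing, and 'netstat -an' output) for those indicators. It also generalizes the 'scvhost.exe' trick slightly by flagging any executable whose name is one edit away from a legitimate system binary name, which catches 'scvhost.exe' alongside other lookalikes. All sample inputs are constructed for the example.

```python
"""Offline host-triage check for the Agobot.F indicators (added example).

Not F-Secure's code. Inputs are text captured from a host:
a .reg export of Run/RunServices, a file listing, and 'netstat -an' output.
"""
import re

AUTORUN_VALUE = "Config Loader"
DROPPED_NAMES = {"scvhost.exe", "winhlpp32.exe"}      # filenames from the description
LEGIT_SYSTEM_NAMES = {"svchost.exe"}                  # extend with other System32 binaries as needed
IRC_PORT = 9900                                       # C2 port used by this variant

RUN_KEYS = (
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices",
)


def basename(path):
    """Lower-cased final path component; .reg files double their backslashes."""
    return path.replace("\\\\", "\\").rsplit("\\", 1)[-1].lower()


def one_edit_apart(a, b):
    """True if a and b differ by one substitution, insertion/deletion or adjacent transposition."""
    if a == b:
        return False
    if len(a) == len(b):
        diffs = [i for i, (x, y) in enumerate(zip(a, b)) if x != y]
        if len(diffs) == 1:
            return True
        if len(diffs) == 2 and diffs[1] == diffs[0] + 1:
            i, j = diffs
            return a[i] == b[j] and a[j] == b[i]
        return False
    if abs(len(a) - len(b)) != 1:
        return False
    short, long_ = sorted((a, b), key=len)
    return any(long_[:i] + long_[i + 1:] == short for i in range(len(long_)))


def check_autorun(reg_export):
    """Report 'Config Loader' values (or dropped filenames) under Run/RunServices in a .reg export."""
    hits, current_key = [], None
    for line in reg_export.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1]
            continue
        m = re.match(r'"([^"]+)"="(.*)"$', line)
        if not m or current_key not in RUN_KEYS:
            continue
        name, data = m.groups()
        if name.lower() == AUTORUN_VALUE.lower() or basename(data) in DROPPED_NAMES:
            hits.append(f"autorun {current_key}\\{name} -> {data}")
    return hits


def check_files(paths):
    """Report dropped filenames and one-edit lookalikes of legitimate system binaries."""
    hits = []
    for p in paths:
        name = basename(p)
        if name in DROPPED_NAMES:
            hits.append(f"dropped file {p}")
        elif name not in LEGIT_SYSTEM_NAMES and any(one_edit_apart(name, legit) for legit in LEGIT_SYSTEM_NAMES):
            hits.append(f"lookalike of system binary {p}")
    return hits


def check_netstat(netstat_output):
    """Report established TCP connections whose remote port is the IRC C2 port."""
    hits = []
    for line in netstat_output.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[0] != "TCP":
            continue                       # skip headers and UDP lines
        _, local, remote, state = parts
        if state == "ESTABLISHED" and remote.rsplit(":", 1)[-1] == str(IRC_PORT):
            hits.append(f"IRC C2 connection {local} -> {remote}")
    return hits


def triage(reg_export, paths, netstat_output):
    """Run all three checks and return every indicator found."""
    return check_autorun(reg_export) + check_files(paths) + check_netstat(netstat_output)


# Constructed sample inputs (not captured from a real infection).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Backup Agent"="C:\\Program Files\\Backup\\agent.exe"
"Config Loader"="C:\\WINNT\\System32\\scvhost.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"Config Loader"="C:\\WINNT\\System32\\scvhost.exe"
"""
SAMPLE_FILES = [
    r"C:\WINNT\System32\svchost.exe",     # legitimate, must not be flagged
    r"C:\WINNT\System32\scvhost.exe",     # Agobot copy
    r"C:\WINNT\System32\winhlpp32.exe",   # dropper written by the RPC exploits
    r"C:\WINNT\System32\svch0st.exe",     # not in the description; caught by the lookalike check
]
SAMPLE_NETSTAT = """Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    192.168.1.20:1044      198.51.100.7:9900      ESTABLISHED
  TCP    192.168.1.20:139       0.0.0.0:0              LISTENING
  TCP    192.168.1.20:1045      203.0.113.9:80         ESTABLISHED
"""

if __name__ == "__main__":
    for hit in triage(SAMPLE_REG, SAMPLE_FILES, SAMPLE_NETSTAT):
        print(hit)
```

The port check is specific to this variant; other Agobot builds use other servers and ports, so the registry value and the filename lookalike check are the more durable indicators. A hit from any check should be followed by the patching steps in the Removal section, since the files and registry values return if the host is re-exploited.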