The Agobot.f variant was reported by several customers at the
beginning of September 2003. This backdoor's functionality is
similar to that of previous variants. The generic description of
Agobot can be found here:
When Agobot enters a system, it first copies itself to the System
Directory under the filename 'scvhost.exe' (a lookalike of the
legitimate 'svchost.exe', easily overlooked in a process list).
This file is then added to the registry as
After startup Agobot connects to a predefined IRC server on TCP
port 9900. On the server it joins a channel and awaits further
commands.
The IRC interface provides the remote attacker with a set of
commands to
- control the bot (IRC name it uses, IRC channel, etc.)
- download and execute arbitrary programs on the computer
- scan for vulnerable hosts and install the worm on them
- perform Distributed Denial of Service (DDoS) attacks
- use the infected computer as a TCP proxy
- steal CD keys of games installed on the computer
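The indicators above (the dropped file names, the IRC connection on TCP port 9900) can be checked on a suspect machine against ordinary 'tasklist' and 'netstat -an' output. The following is an added example written for this page, not code from the original description or from any vendor tool. The process listing and netstat output it parses are constructed samples, and the last function generalises beyond the page by flagging any transposed-letter variant of svchost.exe, not only 'scvhost.exe'.

```python
from __future__ import annotations
import re

# Indicators taken from the Agobot.f description.
DROPPED_FILENAMES = {"scvhost.exe", "winhlpp32.exe"}
IRC_PORT = 9900
# Name the dropped 'scvhost.exe' imitates (assumption: the lookalike is
# built by transposing two adjacent letters of this name).
LEGIT_SVCHOST = "svchost.exe"

# Constructed `tasklist`-style listing (not real data).
SAMPLE_PROCESSES = """\
Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
svchost.exe                    912 Console                    0      4,212 K
scvhost.exe                   1740 Console                    0      2,984 K
explorer.exe                  1520 Console                    0     18,400 K
winhlpp32.exe                 2044 Console                    0      3,110 K
"""

# Constructed `netstat -an` output (not real data).
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    192.0.2.10:1045        198.51.100.7:9900      ESTABLISHED
  TCP    192.0.2.10:1046        198.51.100.9:80        ESTABLISHED
  TCP    192.0.2.10:139         0.0.0.0:0              LISTENING
  TCP    192.0.2.10:1050        198.51.100.7:6667      SYN_SENT
"""


def _image_names(listing: str) -> list[str]:
    """Yield the first column of a tasklist-style listing, skipping header rows."""
    names = []
    for line in listing.splitlines()[1:]:
        parts = line.split()
        if parts and not parts[0].startswith("="):
            names.append(parts[0])
    return names


def suspicious_processes(listing: str) -> list[str]:
    """Image names that match the file names this variant drops.
    Comparison is case-insensitive because Windows file names are."""
    return [n for n in _image_names(listing) if n.lower() in DROPPED_FILENAMES]


NETSTAT_RE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)")


def c2_connections(netstat: str, port: int = IRC_PORT) -> list[tuple[str, str]]:
    """(remote_ip, state) for every TCP entry whose foreign port is the C&C port.
    SYN_SENT entries are reported too: a bot whose server is down keeps retrying."""
    hits = []
    for line in netstat.splitlines():
        m = NETSTAT_RE.match(line)
        if m and int(m.group(4)) == port:
            hits.append((m.group(3), m.group(5)))
    return hits


def lookalike_names(listing: str, legit: str = LEGIT_SVCHOST) -> list[str]:
    """Generalisation: flag any process whose name is `legit` with two adjacent
    letters swapped (scvhost.exe, svhcost.exe, ...)."""
    variants = set()
    for i in range(len(legit) - 1):
        s = list(legit)
        s[i], s[i + 1] = s[i + 1], s[i]
        v = "".join(s)
        if v != legit:
            variants.add(v)
    return [n for n in _image_names(listing) if n.lower() in variants]


if __name__ == "__main__":
    print("dropped files running:", suspicious_processes(SAMPLE_PROCESSES))
    print("lookalike names:", lookalike_names(SAMPLE_PROCESSES))
    print("C&C connections:", c2_connections(SAMPLE_NETSTAT))
```

The port check alone is weak evidence (9900 is not reserved for anything), so treat a hit as a reason to look at the process list and the System Directory, not as a verdict by itself.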
Network propagation
Agobot has several different methods to spread through the
network.
The spreading routines based on the RPC/DCOM (MS03-026) and
RPC/Locator (MS03-001) vulnerabilities are enabled by default. The
worm starts scanning for hosts vulnerable to these immediately upon
execution.
Using these exploits Agobot scans random IP addresses. If it
successfully penetrates a host, it downloads itself onto that
host. The download is served by the attacking host: the worm runs
a simple server there on a random port that answers any connection
by sending a copy of the worm. On the remote host the copy is
written to a file called 'winhlpp32.exe' and started.
Another spreading method uses the WebDAV (MS03-007) vulnerability
to copy the worm to the remote host.
To propagate in local area networks Agobot has a separate routine
that connects to Windows computers and tries to copy itself over
the network by logging on to the Administrator account with a list
of trivial passwords. The worm carries the localized names of the
Administrator account (e.g. Administrateur) and a list of insecure
passwords such as 'password', 'xyz' etc.
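The LAN routine above leaves a characteristic trace on each target: a burst of failed network logons against Administrator-named accounts from one source, sometimes followed by a successful one. The following detector is an added example written for this page, not code from the original description. It runs over a constructed extract of a Windows 2000/XP Security log (event ID 529 is a failed logon, 528 a successful one, logon type 3 a network logon such as an SMB share access); the account name 'Administrador' and the threshold and window values are assumptions chosen for illustration.

```python
from __future__ import annotations
from collections import defaultdict
from datetime import datetime, timedelta

# Localized Administrator names. The page names Administrator and
# Administrateur; Administrador is an assumption added for illustration.
ADMIN_NAMES = {"administrator", "administrateur", "administrador"}

LOGON_FAILURE = 529   # Windows 2000/XP Security log: logon failure
LOGON_SUCCESS = 528   # successful logon
NETWORK_LOGON = 3     # logon type used for SMB share access

# Constructed Security log extract in a flat key=value form (not real data).
SAMPLE_EVENTS = """\
2003-09-03 10:14:02 EventID=529 LogonType=3 User=Administrator Source=192.0.2.55
2003-09-03 10:14:02 EventID=529 LogonType=3 User=Administrator Source=192.0.2.55
2003-09-03 10:14:03 EventID=529 LogonType=3 User=Administrateur Source=192.0.2.55
2003-09-03 10:14:03 EventID=529 LogonType=3 User=Administrador Source=192.0.2.55
2003-09-03 10:14:04 EventID=529 LogonType=3 User=Administrator Source=192.0.2.55
2003-09-03 10:14:05 EventID=528 LogonType=3 User=Administrator Source=192.0.2.55
2003-09-03 10:20:00 EventID=529 LogonType=2 User=jsmith Source=192.0.2.10
2003-09-03 10:25:00 EventID=529 LogonType=3 User=Administrator Source=192.0.2.77
"""


def parse_events(text: str) -> list[dict]:
    """Parse the flat key=value log lines into dicts with typed fields."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, clock, *pairs = line.split()
        f = dict(p.split("=", 1) for p in pairs)
        events.append({
            "ts": datetime.fromisoformat(f"{date} {clock}"),
            "id": int(f["EventID"]),
            "logon_type": int(f["LogonType"]),
            "user": f["User"],
            "source": f["Source"],
        })
    return events


def detect_admin_guessing(events: list[dict], threshold: int = 4,
                          window: timedelta = timedelta(seconds=60)) -> dict:
    """Sources that produced >= threshold failed network logons against
    Administrator-named accounts inside `window`. Each finding also records
    whether a successful network logon from that source followed the burst,
    which is the case that needs immediate attention."""
    by_source: dict[str, list[dict]] = defaultdict(list)
    for e in events:
        if e["logon_type"] == NETWORK_LOGON and e["user"].lower() in ADMIN_NAMES:
            by_source[e["source"]].append(e)

    findings = {}
    for src, evs in by_source.items():
        evs.sort(key=lambda e: e["ts"])
        failures = [e for e in evs if e["id"] == LOGON_FAILURE]
        # Sliding window over the failure timestamps: largest burst within `window`.
        best, lo, burst_end = 0, 0, None
        for hi in range(len(failures)):
            while failures[hi]["ts"] - failures[lo]["ts"] > window:
                lo += 1
            if hi - lo + 1 > best:
                best, burst_end = hi - lo + 1, failures[hi]["ts"]
        if best >= threshold:
            success = any(e["id"] == LOGON_SUCCESS and e["ts"] >= burst_end for e in evs)
            findings[src] = {
                "failures": best,
                "accounts": sorted({e["user"] for e in failures}),
                "success_after_burst": success,
            }
    return findings


if __name__ == "__main__":
    for src, info in detect_admin_guessing(parse_events(SAMPLE_EVENTS)).items():
        print(src, info)
```

A source that trips the threshold is itself a likely infected machine, since the guessing comes from the worm's LAN routine rather than from an interactive user; the success flag identifies the targets that were actually written to and need the file and registry checks described above.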