Disinfection
The most important step of disinfection is the installation of
security patches for the vulnerabilities exploited by Agobot.
Detailed information and patches are available from the following
pages:
RPC/DCOM (MS03-026, fixed by MS03-039):
http://www.microsoft.com/technet/security/bulletin/MS03-039.mspx
RPC/Locator (MS03-001):
http://www.microsoft.com/technet/security/bulletin/MS03-001.mspx
WebDAV (MS03-007):
http://www.microsoft.com/technet/security/bulletin/MS03-007.mspx
LSASS (MS04-011):
http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx
Manual disinfection of this Agobot variant requires killing the
backdoor's process in memory and deleting the infected file from
the Windows System folder. The file name is 'winl0g0n.exe'.
Note that there are zeroes instead of the letter 'o' in the file
name: do not confuse this file with the Windows component named
'winlogon.exe'!
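The manual steps above (find the backdoor process, delete the file, and do not mistake it for the real winlogon.exe) as an added PowerShell example; this is not F-Secure's own tool or script. It assumes the "Windows System folder" is $env:SystemRoot\System32 (the older \System folder is also checked), that it runs as Administrator, and that a PowerShell host is available on the affected machine. Without the -Remove switch it only reports what it finds.

```powershell
# Added example, not F-Secure's own tool or script.
# Locates the Agobot.VS backdoor file 'winl0g0n.exe' (digit zeroes, not
# the letter o) and its running process, reports what it finds, and only
# terminates/deletes when -Remove is passed. Assumptions: the "Windows
# System folder" is $env:SystemRoot\System32 (plus the older \System
# folder), and the script runs as Administrator in a PowerShell host.
[CmdletBinding()]
param(
    [switch]$Remove   # without this switch the script only reports
)

$BadName  = 'winl0g0n.exe'   # file name given in the description
$GoodName = 'winlogon.exe'   # legitimate component: must never be touched
$Folders  = @("$env:SystemRoot\System32", "$env:SystemRoot\System")  # assumption

# Exact, case-insensitive comparison. A wildcard such as 'winl*g*n.exe'
# would match the real winlogon.exe as well, so never use one here.
function Test-IsBackdoorName {
    param([string]$Name)
    if ($Name -ieq $GoodName) { return $false }
    return ($Name -ieq $BadName)
}

# --- 1. Backdoor process (Get-Process reports the name without .exe) ---
$badBase = [System.IO.Path]::GetFileNameWithoutExtension($BadName)
$procs = @(Get-Process | Where-Object { $_.ProcessName -ieq $badBase })
foreach ($p in $procs) {
    Write-Host ("Backdoor process: PID {0} ({1})" -f $p.Id, $p.ProcessName)
    if ($Remove) {
        Stop-Process -Id $p.Id -Force -ErrorAction Stop
        Write-Host ("  killed PID {0}" -f $p.Id)
    }
}
if ($procs.Count -eq 0) { Write-Host "No '$badBase' process running." }

# --- 2. Backdoor file in the System folder(s) ---
$found = $false
foreach ($dir in $Folders) {
    if (-not (Test-Path -LiteralPath $dir)) { continue }
    $files = Get-ChildItem -LiteralPath $dir -File -Force -ErrorAction SilentlyContinue
    foreach ($f in $files) {
        if (Test-IsBackdoorName $f.Name) {
            $found = $true
            Write-Host ("Backdoor file:    {0}" -f $f.FullName)
            if ($Remove) {
                Remove-Item -LiteralPath $f.FullName -Force -ErrorAction Stop
                Write-Host ("  deleted {0}" -f $f.FullName)
            }
        }
    }
    # Confirm the legitimate component is still in place and untouched.
    $good = Join-Path $dir $GoodName
    if (Test-Path -LiteralPath $good) {
        Write-Host ("Legitimate file:  {0} (left untouched)" -f $good)
    }
}
if (-not $found) { Write-Host "No '$BadName' file found in the System folder(s)." }
```

Run it once without -Remove to confirm that only the zero-spelled name is reported, then again with -Remove. The exact-name comparison in Test-IsBackdoorName is the important part: a pattern match loose enough to catch 'winl0g0n.exe' would also catch 'winlogon.exe', and deleting that file breaks the Windows logon. Killing the process before deleting the file avoids a sharing violation, and the security patches listed above still need to be installed afterwards, or the machine is simply reinfected.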
If the infection is in a local network, please follow the
instructions on this webpage:
http://www.f-secure.com/v-descs/netdisinf.shtml
Please note that the F-Bot and F-Agobot tools do not disinfect
this Agobot variant yet.
Detection
F-Secure Anti-Virus detects this backdoor as 'Backdoor.Agobot.VS'
with the following updates:
[FSAV_Database_Version]
Version=2004-10-27_05
Writeup:
Alexey Podrezov; October 27th, 2004;
F-Secure Corporation