Backdoor:W32/Agobot.FO is a variant from the Agobot
This backdoor has functionality similar to previously released variants, but is more powerful: it can harvest e-mail addresses, launch Distributed Denial of Service (DDoS) attacks and more. Agobot.FO propagates over network shares.
Agobot.FO's code has a 'Phatbot3' identifier and there are a few 'phat' text strings in its body. As the original Agobot author is known as TheAgo, it is possible that the identifier indicates that this variant was made by a different person or group.
The backdoor's file is a PE executable 115738 bytes long, compressed with the PE-Diminisher file compressor. The unpacked file is over 245 kilobytes in size.
Agobot.FO was found in March 2004 and has become relatively widespread.
During installation, Agobot.FO copies itself as NVCHIP4.EXE to the Windows System folder and creates startup keys for this file in the System Registry:
"nVidia Chip4" = "nvchip4.exe"
"nVidia Chip4" = "nvchip4.exe"
This allows the backdoor's file to start with every Windows session. On Windows NT-based systems the backdoor can start as a service.
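The autostart entry above is the simplest host-based indicator for this variant. The following is an added example (not from the original description) that parses a Windows .reg export and flags Run/RunServices values pointing at nvchip4.exe or named "nVidia Chip4"; the sample export and the exact key paths are assumed, since the description does not name which Run keys are written.

```python
import re
from typing import List, Tuple

# Constructed sample of a Windows .reg export (not from the description);
# the "nVidia Chip4" = "nvchip4.exe" values are the Agobot.FO autostart entries.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nVidia Chip4"="nvchip4.exe"
"SoundMan"="SOUNDMAN.EXE"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"nVidia Chip4"="nvchip4.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
'''

# Indicators taken from the description: the dropped file name and the
# value name the backdoor writes under the autostart keys.
SUSPECT_FILE = "nvchip4.exe"
SUSPECT_VALUE_NAME = "nvidia chip4"

_KEY_RE = re.compile(r"^\[(.+)\]$")
_VALUE_RE = re.compile(r'^"(.+?)"="(.*)"$')


def find_agobot_autostart(reg_text: str) -> List[Tuple[str, str, str]]:
    """Return (key, value_name, data) for autostart entries matching Agobot.FO."""
    hits = []
    current_key = ""
    for raw in reg_text.splitlines():
        line = raw.strip()
        m = _KEY_RE.match(line)
        if m:
            current_key = m.group(1)
            continue
        m = _VALUE_RE.match(line)
        if not m or "\\currentversion\\run" not in current_key.lower():
            continue  # only Run / RunServices / RunOnce keys are of interest
        name, data = m.group(1), m.group(2)
        # .reg files escape backslashes; unescape before taking the basename
        exe = data.replace("\\\\", "\\").split("\\")[-1].strip('"').lower()
        if exe == SUSPECT_FILE or name.lower() == SUSPECT_VALUE_NAME:
            hits.append((current_key, name, data))
    return hits


if __name__ == "__main__":
    for key, name, data in find_agobot_autostart(SAMPLE_REG_EXPORT):
        print(f"{key}: {name} = {data}")
```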
Propagation (Network Shares)
Agobot.FO can scan for computers connected to the infected machine over a local network and copy itself to other accessible machines. The scan must be initiated by a remote attacker.
When spreading over the local network, Agobot.FO probes the following shares:
It tries to connect using the following account names:
When connecting, Agobot.FO uses the following passwords:
If the worm succeeds in connecting to one of the above listed shares, it copies itself to the remote share and attempts to start that file as a service. An alternative way of infecting a remote host is to create a scheduled task on the remote computer that starts the backdoor's file.
- IRC Bot
The backdoor is controlled via an IRC bot that is created on a certain IRC server in a specific channel when the backdoor's file is active.
The following operations can be performed via the bot:
- display bot info
- terminate bot
- resolve host/ip by DNS
- start an executable file
- display current bot ID
- change a nickname of a bot
- open any file
- remove bot
- remove bot if it doesn't match certain criteria
- generate random name for a bot
- get bot status
- display system info
- check bot's uptime
- quit the bot
- flush bot's DNS cache
- delete shares and disable DCOM
- re-create shares and enable DCOM
- run a command on a system
- repeat the last action
- enable or disable shell handler
- list all available commands
- redirect HTTPS traffic
- redirect HTTP traffic
- redirect traffic on certain sockets
- load a plugin (unloading is not supported yet)
- change IRC server that the bot connects to
- reconnect to IRC server
- send a raw message to IRC server
- send a private message
- part a channel
- print network info
- change channel mode
- get host info
- join a specified channel
- check if working from a .edu domain
- disconnect from IRC
- enable sniffers (http, ftp, irc, bot)
- spam AOL channel
- enable IdentD server
- save/load configuration settings to a file
- access certain variables in the configuration file
- enable/disable starting as a service
- add/delete autostart key in the Registry
- execute command if certain conditions are met
- download and execute a file from an ftp server
- update the bot from an ftp server
- download a file from ftp server
- update the bot from http server
- download a file from http server
- visit a specified URL
- log off current user
- shutdown a computer
- reboot a computer
- kill specified process
- list all processes
- Scanning for Vulnerabilities & Infections
The backdoor can scan subnets for exploitable computers and send a list of their IPs to the bot operator. The scan is performed on ports 80, 135 and 445 for RPC/DCOM (MS03-026), RPC/Locator (MS03-001) and WebDAV (MS03-007) vulnerabilities.
The backdoor can also scan for computers infected with the MyDoom worm (port 3127), the Bagle worm (port 2745) and for computers where the DameWare remote system management software is installed (port 6129).
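From the network side, the scanning described above shows up as one internal host touching many destinations on the same small set of ports. The following is an added example (not part of the original description) that runs over a constructed connection log and reports sources that probed many distinct hosts on the ports listed; the log format and the threshold are assumptions.

```python
from collections import defaultdict
from typing import Dict, List, Set

# Ports the description says Agobot.FO probes, and what a hit on each means.
SCAN_PORT_LABELS: Dict[int, str] = {
    80: "vulnerability scan (MS03-026 / MS03-001 / MS03-007)",
    135: "vulnerability scan (MS03-026 / MS03-001 / MS03-007)",
    445: "vulnerability scan (MS03-026 / MS03-001 / MS03-007)",
    3127: "MyDoom-infected host",
    2745: "Bagle-infected host",
    6129: "DameWare installation",
}

# Constructed log (not from the description), one attempt per line as
# "<time> <src> -> <dst>:<dport>". 10.0.0.5 sweeps a /24 on 135 and 3127;
# 10.0.0.9 is ordinary browsing to two web servers (TEST-NET addresses).
SAMPLE_LOG = "\n".join(
    [f"12:00:{i:02d} 10.0.0.5 -> 10.0.1.{i}:135" for i in range(1, 13)]
    + [f"12:01:{i:02d} 10.0.0.5 -> 10.0.1.{i}:3127" for i in range(1, 13)]
    + ["12:02:00 10.0.0.9 -> 192.0.2.10:80", "12:02:01 10.0.0.9 -> 192.0.2.11:80"]
)


def find_scanning_hosts(log: str, min_targets: int = 8) -> Dict[str, Dict[int, int]]:
    """Map each source that hit >= min_targets distinct hosts on an Agobot
    scan port to {port: number_of_distinct_targets}."""
    seen: Dict[str, Dict[int, Set[str]]] = defaultdict(lambda: defaultdict(set))
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[2] != "->":
            continue  # skip malformed lines
        dst, _, port_s = parts[3].rpartition(":")
        if port_s.isdigit() and int(port_s) in SCAN_PORT_LABELS:
            seen[parts[1]][int(port_s)].add(dst)
    return {
        src: {p: len(h) for p, h in ports.items() if len(h) >= min_targets}
        for src, ports in seen.items()
        if any(len(h) >= min_targets for h in ports.values())
    }


def describe(hits: Dict[str, Dict[int, int]]) -> List[str]:
    """Human-readable alert lines for the result of find_scanning_hosts."""
    return [f"{src} probed {n} hosts on {p}/tcp: {SCAN_PORT_LABELS[p]}"
            for src, ports in hits.items() for p, n in ports.items()]


if __name__ == "__main__":
    for alert in describe(find_scanning_hosts(SAMPLE_LOG)):
        print(alert)
```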
- Distributed Denial of Service attack
The backdoor can perform the following types of DDoS attacks:
- HTTP flood
- SYN flood
- UDP flood
- ICMP flood
When performing a DDoS attack, the backdoor uses 33 different client identifier strings, including Mozilla, Wget, Scooter, Webcrawler and Google bot.
The backdoor sends 256000 bytes of random data to the following websites and checks the response times:
- E-mail Address Collection
The bot can harvest e-mail addresses. It has the functionality to read the user's Address Book and send the list of e-mail addresses to the bot operator.
- System Registry Information Collection
The backdoor has the functionality to obtain System Registry information from an infected computer. This is a new feature for the Agobot backdoor. Information obtained from the Registry can give a hacker a full overview of an infected system.
- Terminating Processes
Agobot.FO has a huge list of process file names hardcoded in its body. The backdoor tries to terminate processes that have the following names: