The Agobot.p variant was reported by several customers in the middle of October 2003. This backdoor has functionality similar to previous variants. The description of a previous Agobot variant can be found here:
https://www.europe.f-secure.com/v-descs/agobot_f.shtml
The generic description of Agobot can be found here:
The most important step of disinfection is the installation of security patches for the vulnerabilities exploited by Agobot.
Detailed information and patches are available from the following pages:
RPC/DCOM (MS03-026, superseded by MS03-039):
https://www.microsoft.com/technet/security/bulletin/MS03-039.asp
RPC/Locator (MS03-001):
https://www.microsoft.com/technet/security/bulletin/MS03-001.asp
WebDAV (MS03-007):
https://www.microsoft.com/technet/security/bulletin/MS03-007.asp
The necessary patches can be downloaded from the pages above under the "Patch availability" section.
F-Secure Anti-Virus with the latest updates can detect and delete the Agobot-infected files.
There are some differences in this backdoor variant compared with previous variants:
The Agobot.p backdoor copies itself to an infected system as the files LSAS.EXE and WINHLPP32.EXE.
When spreading to the local network, Agobot.p probes the following shares:
c$ d$ e$ print$ admin$
Agobot.p tries to connect using the following account names:
Administrator admin administrator Administrateur Default mgmt Standard User Administrador Owner Test Guest Gast Inviter a aaa abc x xyz Dell home pc test temp win asdf qwer login
When connecting, Agobot.p uses the following passwords:
admin Admin password Password 1 12 123 1234 12345 123456 1234567 12345678 123456789 654321 54321 111 000000 00000000 11111111 88888888 pass passwd database abcd oracle sybase 123qwe server computer Internet super 123asd ihavenopass godblessyou enable xp 2002 2003 2600 0 110 111111 121212 123123 1234qwer 123abc 007 alpha patrick pat administrator root sex god foobar a aaa abc test temp win pc asdf secret qwer yxcv zxcv home xxx owner login Login pwd pass love mypc mypass pw
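The share-spreading behaviour described above (walking c$, admin$ and similar shares with a fixed list of account names and passwords) leaves a characteristic trace on the target: a burst of failed network logons from one source, each with a different account name from the worm's list. The passwords themselves are never logged, but the account names are. The following detection script is an added example, not part of the F-Secure description; it runs over a constructed, simplified log format (one failed-logon event per line, modelled on the Windows 2000/XP event 529 with logon type 3) rather than a real event log export, and the 60-second window, 5-name threshold and 80% overlap ratio are assumed tuning values.

```python
"""Flag Agobot-style share brute forcing from failed network logon events.

Added example. The log format below is constructed for the demo and is not a
real Windows event log export; the thresholds are assumed tuning values.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Account names carried by Agobot.p, taken from the list in the description.
# "Standard User" appears on the page as two words; both tokens are kept.
AGOBOT_ACCOUNTS = {name.lower() for name in (
    "Administrator admin administrator Administrateur Default mgmt Standard User "
    "Administrador Owner Test Guest Gast Inviter a aaa abc x xyz Dell home pc "
    "test temp win asdf qwer login").split()}

# Constructed line format: ISO timestamp, event id, logon type, account, source host.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<eid>\d+) LogonType=(?P<ltype>\d+) "
    r"User=(?P<user>\S+) Source=(?P<src>\S+)$")


def parse_events(lines):
    """Yield (timestamp, source, lowercased user) for failed network logons only
    (event 529, logon type 3); other events and malformed lines are skipped."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or m["eid"] != "529" or m["ltype"] != "3":
            continue
        yield datetime.fromisoformat(m["ts"]), m["src"], m["user"].lower()


def find_share_sprays(lines, window=timedelta(seconds=60), min_names=5, min_overlap=0.8):
    """Return {source: sorted account names} for every source that tried at
    least `min_names` distinct account names inside one `window`, where at
    least `min_overlap` of those names come from the worm's list.

    A sliding window per source keeps slow, unrelated failures (a user mistyping
    a password, or a few failures spread over hours) from being flagged."""
    by_src = defaultdict(list)
    for ts, src, user in parse_events(lines):
        by_src[src].append((ts, user))

    hits = {}
    for src, events in by_src.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Advance the window start until events[start:end+1] spans <= `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            names = {user for _, user in events[start:end + 1]}
            if len(names) < min_names:
                continue
            overlap = sum(name in AGOBOT_ACCOUNTS for name in names) / len(names)
            # Keep the largest qualifying name set seen for this source.
            if overlap >= min_overlap and len(names) > len(hits.get(src, ())):
                hits[src] = sorted(names)
    return hits


# Constructed sample: 10.0.0.7 sprays seven list names in 14 seconds (worm-like);
# 10.0.0.22 is a user mistyping a password plus one interactive (type 2) failure;
# 10.0.0.31 tries five list names but spread over hours, outside any window.
SAMPLE_LOG = """\
2003-10-15T03:12:01 EventID=529 LogonType=3 User=Administrator Source=10.0.0.7
2003-10-15T03:12:03 EventID=529 LogonType=3 User=admin Source=10.0.0.7
2003-10-15T03:12:05 EventID=529 LogonType=3 User=Administrateur Source=10.0.0.7
2003-10-15T03:12:08 EventID=529 LogonType=3 User=Default Source=10.0.0.7
2003-10-15T03:12:10 EventID=529 LogonType=3 User=mgmt Source=10.0.0.7
2003-10-15T03:12:13 EventID=529 LogonType=3 User=Owner Source=10.0.0.7
2003-10-15T03:12:15 EventID=529 LogonType=3 User=Guest Source=10.0.0.7
2003-10-15T03:14:40 EventID=529 LogonType=3 User=jsmith Source=10.0.0.22
2003-10-15T03:14:52 EventID=529 LogonType=3 User=jsmith Source=10.0.0.22
2003-10-15T03:15:02 EventID=529 LogonType=2 User=admin Source=10.0.0.22
2003-10-15T09:00:00 EventID=529 LogonType=3 User=Administrator Source=10.0.0.31
2003-10-15T09:30:00 EventID=529 LogonType=3 User=admin Source=10.0.0.31
2003-10-15T10:00:00 EventID=529 LogonType=3 User=Guest Source=10.0.0.31
2003-10-15T10:30:00 EventID=529 LogonType=3 User=Owner Source=10.0.0.31
2003-10-15T11:00:00 EventID=529 LogonType=3 User=test Source=10.0.0.31
"""

if __name__ == "__main__":
    for src, names in find_share_sprays(SAMPLE_LOG.splitlines()).items():
        print(f"{src}: {len(names)} list account names within 60s: {', '.join(names)}")
```

Only 10.0.0.7 is reported on the sample. The name-overlap ratio is what separates this from a generic failed-logon counter: a legitimate user locking themselves out produces many failures for one name, while the worm produces one or two failures for each of many names, nearly all of them from its built-in list.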
Agobot.p tries to kill the following processes:
ZONEALARM.EXE WFINDV32.EXE WEBSCANX.EXE VSSTAT.EXE VSHWIN32.EXE VSECOMR.EXE VSCAN40.EXE VETTRAY.EXE VET95.EXE TDS2-NT.EXE TDS2-98.EXE TCA.EXE TBSCAN.EXE SWEEP95.EXE SPHINX.EXE SMC.EXE SERV95.EXE SCRSCAN.EXE SCANPM.EXE SCAN95.EXE SCAN32.EXE SAFEWEB.EXE RESCUE.EXE RAV7WIN.EXE RAV7.EXE PERSFW.EXE PCFWALLICON.EXE PCCWIN98.EXE PAVW.EXE PAVSCHED.EXE PAVCL.EXE PADMIN.EXE OUTPOST.EXE NVC95.EXE NUPGRADE.EXE NORMIST.EXE NMAIN.EXE NISUM.EXE NAVWNT.EXE NAVW32.EXE NAVNT.EXE NAVLU32.EXE NAVAPW32.EXE N32SCANW.EXE MPFTRAY.EXE MOOLIVE.EXE LUALL.EXE LOOKOUT.EXE LOCKDOWN2000.EXE JEDI.EXE IOMON98.EXE IFACE.EXE ICSUPPNT.EXE ICSUPP95.EXE ICMON.EXE ICLOADNT.EXE ICLOAD95.EXE IBMAVSP.EXE IBMASN.EXE IAMSERV.EXE IAMAPP.EXE FRW.EXE FPROT.EXE FP-WIN.EXE FINDVIRU.EXE F-STOPW.EXE F-PROT95.EXE F-PROT.EXE F-AGNT95.EXE ESPWATCH.EXE ESAFE.EXE ECENGINE.EXE DVP95_0.EXE DVP95.EXE CLEANER3.EXE CLEANER.EXE CLAW95CF.EXE CLAW95.EXE CFINET32.EXE CFINET.EXE CFIAUDIT.EXE CFIADMIN.EXE BLACKICE.EXE BLACKD.EXE AVWUPD32.EXE AVWIN95.EXE AVSCHED32.EXE AVPUPD.EXE AVPTC32.EXE AVPM.EXE AVPDOS32.EXE AVPCC.EXE AVP32.EXE AVP.EXE AVNT.EXE AVKSERV.EXE AVGCTRL.EXE AVE32.EXE AVCONSOL.EXE AUTODOWN.EXE APVXDWIN.EXE ANTI-TROJAN.EXE ACKWIN32.EXE _AVPM.EXE _AVPCC.EXE _AVP32.EXE
Agobot.p also terminates processes belonging to other malware:
tftpd.exe dllhost.exe winppr32.exe mspatch.exe penis32.exe msblast.exe regloadr.exe explore.exe scvhosl.exe
Agobot.p tries to steal CD keys from the following games:
Half Life, Half Life: Counterstrike, Unreal Tournament 2003, The Gladiators, Need For Speed Hot Pursuit 2, FIFA 2002, FIFA 2003, NHL 2002, NHL 2003, Nascar Racing 2002, Nascar Racing 2003, Battlefield 1942, Battlefield 1942: The Road to Rome, Battlefield 1942 Secret Weapons of WWII, Command & Conquer: Generals, Command & Conquer: Red Alert, Command & Conquer: Red Alert 2, Command & Conquer: Tiberian Sun, Project IGI 2, NOX, LoMaM, Neverwinter Nights, Soldier of Fortune II - Double Helix