Home > Threat descriptions >

Agobot.P

Classification

Category: Malware

Type: -

Aliases: Agobot.P, Backdoor.Agobot.3.p, W32.HLLW.Gaobot, Gaobot, Win32/Gaobot

Summary


The Agobot.p variant was reported by several customers in the middle of October 2003. This backdoor has functionality similar to previous variants. The description of previous Agobot variant can be found here:

https://www.europe.f-secure.com/v-descs/agobot_f.shtml

The generic description of Agobot can be found here:

https://www.europe.f-secure.com/v-descs/agobot.shtml

Removal


The most important step of disinfection is the installation of security patches for the vulnerabilities exploited by Agobot.

Detailed information and patches are available from the following pages:

RPC/DCOM (MS03-026, fixed by MS03-039):

https://www.microsoft.com/technet/security/bulletin/MS03-039.asp

RPC/Locator (MS03-001):

https://www.microsoft.com/technet/security/bulletin/MS03-001.asp

WebDAV (MS03-007):

https://www.microsoft.com/technet/security/bulletin/MS03-007.asp

The neccessary patches can be downloaded from the pages above under the "Patch availability" section.

F-Secure Anti-Virus with the latest updates can detect and delete the Agobot infected files.

Knowledge Base

Find the latest advice in our Community Knowledge Base.

About the product

See the manual for your F-Secure product on the Help Center.

Contact Support

Chat with or call an expert for help.

Submit a sample

Submit a file or URL for further analysis.

Technical Details


There are some differences in this backdoor variant comparing to previous variants:

The Agobot.p backdoor copies itself as LSAS.EXE and WINHLPP32.EXE files to an infected system.

When spreading to local network, Agobot.p probes the following shares:

c$
d$
e$
print$
admin$


Agobot.p tries to connect using the following account names:

Administrator
admin
administrator
Administrateur
Default
mgmt
Standard
User
Administrador
Owner
Test
Guest
Gast
Inviter
a
aaa
abc
x
xyz
Dell
home
pc
test
temp
win
asdf
qwer
login


When connecting, Agobot.p uses the following passwords:

admin
Admin
password
Password
1
12
123
1234
12345
123456
1234567
12345678
123456789
654321
54321
111
000000
00000000
11111111
88888888
pass
passwd
database
abcd
oracle
sybase
123qwe
server
computer
Internet
super
123asd
ihavenopass
godblessyou
enable
xp
2002
2003
2600
0
110
111111
121212
123123
1234qwer
123abc
007
alpha
patrick
pat
administrator
root
sex
god
foobar
a
aaa
abc
test
temp
win
pc
asdf
secret
qwer
yxcv
zxcv
home
xxx
owner
login
Login
pwd
pass
love
mypc
mypass
pw

Agobot.p tries to kill the following processes:

ZONEALARM.EXE
WFINDV32.EXE
WEBSCANX.EXE
VSSTAT.EXE
VSHWIN32.EXE
VSECOMR.EXE
VSCAN40.EXE
VETTRAY.EXE
VET95.EXE
TDS2-NT.EXE
TDS2-98.EXE
TCA.EXE
TBSCAN.EXE
SWEEP95.EXE
SPHINX.EXE
SMC.EXE
SERV95.EXE
SCRSCAN.EXE
SCANPM.EXE
SCAN95.EXE
SCAN32.EXE
SAFEWEB.EXE
RESCUE.EXE
RAV7WIN.EXE
RAV7.EXE
PERSFW.EXE
PCFWALLICON.EXE
PCCWIN98.EXE
PAVW.EXE
PAVSCHED.EXE
PAVCL.EXE
PADMIN.EXE
OUTPOST.EXE
NVC95.EXE
NUPGRADE.EXE
NORMIST.EXE
NMAIN.EXE
NISUM.EXE
NAVWNT.EXE
NAVW32.EXE
NAVNT.EXE
NAVLU32.EXE
NAVAPW32.EXE
N32SCANW.EXE
MPFTRAY.EXE
MOOLIVE.EXE
LUALL.EXE
LOOKOUT.EXE
LOCKDOWN2000.EXE
JEDI.EXE
IOMON98.EXE
IFACE.EXE
ICSUPPNT.EXE
ICSUPP95.EXE
ICMON.EXE
ICLOADNT.EXE
ICLOAD95.EXE
IBMAVSP.EXE
IBMASN.EXE
IAMSERV.EXE
IAMAPP.EXE
FRW.EXE
FPROT.EXE
FP-WIN.EXE
FINDVIRU.EXE
F-STOPW.EXE
F-PROT95.EXE
F-PROT.EXE
F-AGNT95.EXE
ESPWATCH.EXE
ESAFE.EXE
ECENGINE.EXE
DVP95_0.EXE
DVP95.EXE
CLEANER3.EXE
CLEANER.EXE
CLAW95CF.EXE
CLAW95.EXE
CFINET32.EXE
CFINET.EXE
CFIAUDIT.EXE
CFIADMIN.EXE
BLACKICE.EXE
BLACKD.EXE
AVWUPD32.EXE
AVWIN95.EXE
AVSCHED32.EXE
AVPUPD.EXE
AVPTC32.EXE
AVPM.EXE
AVPDOS32.EXE
AVPCC.EXE
AVP32.EXE
AVP.EXE
AVNT.EXE
AVKSERV.EXE
AVGCTRL.EXE
AVE32.EXE
AVCONSOL.EXE
AUTODOWN.EXE
APVXDWIN.EXE
ANTI-TROJAN.EXE
ACKWIN32.EXE
_AVPM.EXE
_AVPCC.EXE
_AVP32.EXE

Agobot.p also terminates processes belonging to other malware:

tftpd.exe
dllhost.exe
winppr32.exe
mspatch.exe
penis32.exe
msblast.exe
regloadr.exe
explore.exe
scvhosl.exe

Agobot.p tries to steal CD keys from the following games:

Half Life
Half Life: Counterstrike
Unreal Tournament 2003
The Gladiators
Need For Speed Hot Pursuit 2
FIFA 2002
FIFA 2003
NHL 2002
NHL 2003
Nascar Racing 2002
Nascar Racing 2003
Battlefield 1942
Battlefield 1942: The Road to Rome
Battlefield 1942 Secret Weapons of WWII
Command & Conquer: Generals
Command & Conquer: Red Alert
Command & Conquer: Red Alert 2
Command & Conquer: Tiberian Sun
Project IGI 2
NOX
LoMaM
Neverwinter Nights
Soldier of Fortune II - Double Helix