Threat Description

Agobot.P

Details

Aliases: Agobot.P, Backdoor.Agobot.3.p, W32.HLLW.Gaobot, Gaobot, Win32/Gaobot
Category: Malware
Type:
Platform: W32

Summary


The Agobot.p variant was reported by several customers in the middle of October 2003. This backdoor has functionality similar to that of previous variants. The description of the previous Agobot variant can be found here:

http://www.europe.f-secure.com/v-descs/agobot_f.shtml

The generic description of Agobot can be found here:

http://www.europe.f-secure.com/v-descs/agobot.shtml



Removal


The most important step of disinfection is the installation of security patches for the vulnerabilities exploited by Agobot.

Detailed information and patches are available from the following pages:

RPC/DCOM (MS03-026, fixed by MS03-039):

http://www.microsoft.com/technet/security/bulletin/MS03-039.asp

RPC/Locator (MS03-001):

http://www.microsoft.com/technet/security/bulletin/MS03-001.asp

WebDAV (MS03-007):

http://www.microsoft.com/technet/security/bulletin/MS03-007.asp

The necessary patches can be downloaded from the pages above under the "Patch availability" section.

F-Secure Anti-Virus with the latest updates can detect and delete the Agobot-infected files.



Technical Details


This backdoor variant differs from previous variants in the following ways:

The Agobot.p backdoor copies itself to an infected system as the files LSAS.EXE and WINHLPP32.EXE.

When spreading to a local network, Agobot.p probes the following shares:

c$  d$  e$  print$  admin$      

Agobot.p tries to connect using the following account names:

Administrator  admin  administrator  Administrateur  Default  mgmt  Standard  User  Administrador  Owner  Test  Guest  Gast  Inviter  a  aaa  abc  x  xyz  Dell  home  pc  test  temp  win  asdf  qwer  login      

When connecting, Agobot.p uses the following passwords:

admin  Admin  password  Password  1  12  123  1234  12345  123456  1234567  12345678  123456789  654321  54321  111  000000  00000000  11111111  88888888  pass  passwd  database  abcd  oracle  sybase  123qwe  server  computer  Internet  super  123asd  ihavenopass  godblessyou  enable  xp  2002  2003  2600  0  110  111111  121212  123123  1234qwer  123abc  007  alpha  patrick  pat  administrator  root  sex  god  foobar  a  aaa  abc  test  temp  win  pc  asdf  secret  qwer  yxcv  zxcv  home  xxx  owner  login  Login  pwd  pass  love  mypc  mypass  pw  
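As an added defensive illustration (not part of the original F-Secure description), the following script correlates two of the indicators listed above: the dropped file names LSAS.EXE and WINHLPP32.EXE, and a burst of failed logons from one source cycling through the listed account names over the listed administrative shares. The log format, source addresses and account subset are constructed for the example.

```python
import re
from collections import defaultdict

# Indicators taken from the Agobot.p description (ACCOUNTS is a subset of the list).
DROPPED_FILES = {"lsas.exe", "winhlpp32.exe"}
PROBED_SHARES = {"c$", "d$", "e$", "print$", "admin$"}
ACCOUNTS = {"administrator", "admin", "administrateur", "default", "mgmt", "standard",
            "user", "administrador", "owner", "test", "guest", "gast", "inviter"}

# Constructed sample log (not real Agobot output): SMB-style failed-logon
# records plus file-creation records, one event per line.
SAMPLE_LOG = """\
2003-10-14 02:11:03 LOGON_FAIL src=10.0.0.7 user=Administrator share=admin$
2003-10-14 02:11:03 LOGON_FAIL src=10.0.0.7 user=admin share=admin$
2003-10-14 02:11:04 LOGON_FAIL src=10.0.0.7 user=Administrateur share=c$
2003-10-14 02:11:04 LOGON_FAIL src=10.0.0.7 user=Default share=c$
2003-10-14 02:11:05 LOGON_FAIL src=10.0.0.7 user=mgmt share=print$
2003-10-14 02:11:05 LOGON_FAIL src=10.0.0.7 user=Guest share=d$
2003-10-14 02:13:40 LOGON_FAIL src=10.0.0.9 user=jsmith share=c$
2003-10-14 02:14:10 FILE_CREATE src=10.0.0.7 path=C:\\WINDOWS\\System32\\LSAS.EXE
2003-10-14 02:14:11 FILE_CREATE src=10.0.0.7 path=C:\\WINDOWS\\System32\\WINHLPP32.EXE
"""
LOGON_RE = re.compile(r"LOGON_FAIL src=(\S+) user=(\S+) share=(\S+)")
FILE_RE = re.compile(r"FILE_CREATE src=(\S+) path=(\S+)")

def analyse(log_text, min_accounts=5):
    """Return (brute_force_sources, dropped_file_hits). A source is flagged when it
    fails logons as at least min_accounts distinct listed accounts via listed shares."""
    attempts = defaultdict(set)   # src -> set of (account, share) pairs seen
    dropped = []
    for line in log_text.splitlines():
        m = LOGON_RE.search(line)
        if m:
            src, user, share = m.groups()
            if user.lower() in ACCOUNTS and share.lower() in PROBED_SHARES:
                attempts[src].add((user.lower(), share.lower()))
            continue
        m = FILE_RE.search(line)
        if m:
            src, path = m.groups()
            # Compare only the file name, case-insensitively, against the dropped names.
            name = path.replace("\\", "/").rsplit("/", 1)[-1].lower()
            if name in DROPPED_FILES:
                dropped.append((src, name))
    flagged = sorted(src for src, pairs in attempts.items()
                     if len({acct for acct, _ in pairs}) >= min_accounts)
    return flagged, dropped

if __name__ == "__main__":
    print(analyse(SAMPLE_LOG))
```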

Agobot.p tries to kill the following processes:

ZONEALARM.EXE  WFINDV32.EXE  WEBSCANX.EXE  VSSTAT.EXE  VSHWIN32.EXE  VSECOMR.EXE  VSCAN40.EXE  VETTRAY.EXE  VET95.EXE  TDS2-NT.EXE  TDS2-98.EXE  TCA.EXE  TBSCAN.EXE  SWEEP95.EXE  SPHINX.EXE  SMC.EXE  SERV95.EXE  SCRSCAN.EXE  SCANPM.EXE  SCAN95.EXE  SCAN32.EXE  SAFEWEB.EXE  RESCUE.EXE  RAV7WIN.EXE  RAV7.EXE  PERSFW.EXE  PCFWALLICON.EXE  PCCWIN98.EXE  PAVW.EXE  PAVSCHED.EXE  PAVCL.EXE  PADMIN.EXE  OUTPOST.EXE  NVC95.EXE  NUPGRADE.EXE  NORMIST.EXE  NMAIN.EXE  NISUM.EXE  NAVWNT.EXE  NAVW32.EXE  NAVNT.EXE  NAVLU32.EXE  NAVAPW32.EXE  N32SCANW.EXE  MPFTRAY.EXE  MOOLIVE.EXE  LUALL.EXE  LOOKOUT.EXE  LOCKDOWN2000.EXE  JEDI.EXE  IOMON98.EXE  IFACE.EXE  ICSUPPNT.EXE  ICSUPP95.EXE  ICMON.EXE  ICLOADNT.EXE  ICLOAD95.EXE  IBMAVSP.EXE  IBMASN.EXE  IAMSERV.EXE  IAMAPP.EXE  FRW.EXE  FPROT.EXE  FP-WIN.EXE  FINDVIRU.EXE  F-STOPW.EXE  F-PROT95.EXE  F-PROT.EXE  F-AGNT95.EXE  ESPWATCH.EXE  ESAFE.EXE  ECENGINE.EXE  DVP95_0.EXE  DVP95.EXE  CLEANER3.EXE  CLEANER.EXE  CLAW95CF.EXE  CLAW95.EXE  CFINET32.EXE  CFINET.EXE  CFIAUDIT.EXE  CFIADMIN.EXE  BLACKICE.EXE  BLACKD.EXE  AVWUPD32.EXE  AVWIN95.EXE  AVSCHED32.EXE  AVPUPD.EXE  AVPTC32.EXE  AVPM.EXE  AVPDOS32.EXE  AVPCC.EXE  AVP32.EXE  AVP.EXE  AVNT.EXE  AVKSERV.EXE  AVGCTRL.EXE  AVE32.EXE  AVCONSOL.EXE  AUTODOWN.EXE  APVXDWIN.EXE  ANTI-TROJAN.EXE  ACKWIN32.EXE  _AVPM.EXE  _AVPCC.EXE  _AVP32.EXE    

Agobot.p also terminates processes belonging to other malware:

tftpd.exe  dllhost.exe  winppr32.exe  mspatch.exe  penis32.exe  msblast.exe  regloadr.exe  explore.exe  scvhosl.exe    

Agobot.p tries to steal CD keys from the following games:

Half Life, Half Life: Counterstrike, Unreal Tournament 2003, The Gladiators, Need For Speed Hot Pursuit 2, FIFA 2002, FIFA 2003, NHL 2002, NHL 2003, Nascar Racing 2002, Nascar Racing 2003, Battlefield 1942, Battlefield 1942: The Road to Rome, Battlefield 1942 Secret Weapons of WWII, Command & Conquer: Generals, Command & Conquer: Red Alert, Command & Conquer: Red Alert 2, Command & Conquer: Tiberian Sun, Project IGI 2, NOX, LoMaM, Neverwinter Nights, Soldier of Fortune II - Double Helix


Detection


Detection for the Agobot.p variant was published on 14th of October, 2003 in the following update:

Detection Type: PC
Database: 2003-10-14_01



Technical Details: Alexey Podrezov; October 17th, 2003
Description Last Modified: Alexey Podrezov; November 26th, 2003

