6/3: Agobot-SU Controlled by IRC Bot

June 3, 2004

Worm_Agobot.SU is a memory-resident worm that spreads through network shares. It uses NetBEUI functions to get any available lists of user names and passwords. It then searches for shared folders and drops a copy of itself by using the gathered list.

Like the earlier AGOBOT variants, it takes advantage of the following Windows vulnerabilities:

  • Remote Procedure Call (RPC) Distributed Component Object Model (DCOM) Vulnerability
  • RPC Locator Vulnerability
  • IIS5/WEBDAV Buffer Overflow Vulnerability

For more information about these Windows vulnerabilities, please refer to the following Microsoft Web pages:

  • Microsoft Security Bulletin MS03-026
  • Microsoft Security Bulletin MS03-001
  • Microsoft Security Bulletin MS03-007

It drops itself as ASP-SRVC.EXE in the Windows system folder and attempts to log on to systems using a second list of user names and passwords in addition to the gathered list. It opens a varied port and has backdoor capabilities. It acts as a server program controlled by an Internet Relay Chat (IRC) bot, which can send several malicious commands to be processed on a system. These commands are categorized as bot, command manager, Cvar, IRC, redirect, and download commands. It also terminates antivirus-related programs and steals CD keys, serial numbers, and application product IDs of certain game applications.

It modifies the HOSTS file to prevent an affected user from accessing several antivirus and security Web sites.
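A defender can check for this kind of tampering by auditing the HOSTS file for entries that pin security-vendor names to a fixed address. The following is an added example, not code from the original advisory or from Trend Micro; the watch list `WATCHED_SUFFIXES` and the sample file contents are assumptions constructed for illustration, since the advisory does not name the blocked sites.

```python
import ipaddress

# Assumed watch list (illustrative; the advisory does not name the blocked sites).
WATCHED_SUFFIXES = ("trendmicro.com", "symantec.com", "mcafee.com", "sophos.com")


def parse_hosts(text):
    """Yield (line_no, address, hostname) for every mapping in HOSTS-format text."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()   # drop comments
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue                           # address with no host name
        try:
            ipaddress.ip_address(fields[0])
        except ValueError:
            continue                           # first field is not an IP address: skip
        for name in fields[1:]:                # one line may carry several names
            yield line_no, fields[0], name.lower().rstrip(".")


def is_watched(hostname, suffixes=WATCHED_SUFFIXES):
    """True for the domain itself or any subdomain, but not look-alike names."""
    return any(hostname == s or hostname.endswith("." + s) for s in suffixes)


def audit_hosts(text, suffixes=WATCHED_SUFFIXES):
    """Return the mappings that pin a watched security domain to a fixed address."""
    return [(n, addr, host) for n, addr, host in parse_hosts(text)
            if is_watched(host, suffixes)]


# Constructed sample input, not taken from an infected machine.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       www.symantec.com  # constructed entry
127.0.0.1 updates.mcafee.com www.sophos.com
10.0.0.5        intranet.example.test
0.0.0.0         notsymantec.com
# 127.0.0.1     www.trendmicro.com
"""

if __name__ == "__main__":
    for line_no, addr, host in audit_hosts(SAMPLE_HOSTS):
        print(f"line {line_no}: {host} -> {addr}")
```

To audit a real system, pass the contents of the machine's HOSTS file to `audit_hosts` (on Windows NT, 2000, and XP it is `%SystemRoot%\system32\drivers\etc\hosts`; on Windows 95, 98, and ME it is `%WinDir%\hosts`).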

This malware is compressed using Morphine and runs on Windows 95, 98, ME, NT, 2000, and XP.

Technical details are available on the Trend Micro page.
