The Web    Google
6/3: Agobot-SU Controlled by IRC Bot

6/3: Agobot-SU Controlled by IRC Bot
June 3, 2004

Worm_Agobot.SU is a memory-resident worm that spreads through network shares. It uses NetBEUI functions to get any available lists of user names and passwords. It then searches for shared folders and drops a copy of itself by using the gathered list.

Like the earlier AGOBOT variants, it takes advantage of the following Windows vulnerabilities:

  • Remote Procedure Call (RPC) Distributed Component Object Model (DCOM) Vulnerability
  • RPC Locator Vulnerability
  • IIS5/WEBDAV Buffer Overflow Vulnerability

    For more information about these Windows vulnerabilities, please refer to the following Microsoft Web pages:

  • Microsoft Security Bulletin MS03-026
  • Microsoft Security Bulletin MS03-001
  • Microsoft Security Bulletin MS03-007

    It drops itself as ASP-SRVC.EXE in the Windows system folder and attempts to log on to systems using another list of user names and passwords aside from the obtained list. It opens a varied port and has backdoor capabilities. It acts as a server program controlled by an Internet Relay Chat (IRC) bot, which is capable of sending several malicious commands to be processed on a system. The said commands are basically categorized as bot, command manager, Cvar, IRC, redirect, and download commands. It also terminates antivirus-related programs and steals CD keys, serial numbers, and application product IDs of certain game applications.

    It modifies the HOSTS file to prevent an affected user from accessing several antivirus and security Web sites.

    This malware is compressed using Morphine and runs on Windows 95, 98, ME, NT, 2000, and XP.

    Technical details are at Trend Micro page.

  • Do-Not-Spam List Great For Spammers
  • Secure Messaging Vendor Offers Management Appliance
  • Too Many Lost Emails Leave us Unconnected
  • Central Command Unveils Linux Antivirus Software
  • Searching for Wi-Fi Security Solutions
  • Disaster Recovery Vs. Business Continuity
  • Virus Update: Lovgate Worm Still Out
  • 11/16: Agobot-NX an IRC Trojan & Worm
  • 'Land' Bug Back to Bedevil Microsoft Servers
  • 1/10: Gaobot.CKP Worm Lets Hackers In
  • 3/8: Kelvir-D an IM Worm
  • Computer security background information