6/3: Agobot-SU Controlled by IRC Bot

6/3: Agobot-SU Controlled by IRC Bot
June 3, 2004

Worm_Agobot.SU is a memory-resident worm that spreads through network shares. It uses NetBEUI functions to get any available lists of user names and passwords. It then searches for shared folders and drops a copy of itself by using the gathered list.

Like the earlier AGOBOT variants, it takes advantage of the following Windows vulnerabilities:

Remote Procedure Call (RPC) Distributed Component Object Model (DCOM) Vulnerability

RPC Locator Vulnerability

IIS5/WEBDAV Buffer Overflow Vulnerability

For more information about these Windows vulnerabilities, please refer to the following Microsoft Web pages:

Microsoft Security Bulletin MS03-026

Microsoft Security Bulletin MS03-001

Microsoft Security Bulletin MS03-007

It drops itself as ASP-SRVC.EXE in the Windows system folder and attempts to log on to systems using another list of user names and passwords aside from the obtained list. It opens a varied port and has backdoor capabilities. It acts as a server program controlled by an Internet Relay Chat (IRC) bot, which is capable of sending several malicious commands to be processed on a system. The said commands are basically categorized as bot, command manager, Cvar, IRC, redirect, and download commands. It also terminates antivirus-related programs and steals CD keys, serial numbers, and application product IDs of certain game applications.

It modifies the HOSTS file to prevent an affected user from accessing several antivirus and security Web sites.

This malware is compressed using Morphine and runs on Windows 95, 98, ME, NT, 2000, and XP.

Technical details are at Trend Micro page.