The Web    Google
6/4: Agobot.300544 a Memory Resident

6/4: Agobot.300544 a Memory Resident
June 4, 2004

Worm/Agobot.300544 is a memory resident Internet worm that spreads by capitalizing on various Microsoft vulnerabilities, as well as through network shares. If executed, the worm copies itself in the \windows\%system% directory under the filename "asp-srvc.exe" and in C:\WINNT\System32\drivers\etc\hosts.

So that it gets run each time a user restart their computer the following registry keys get added:

- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "asp-srvc"="asp-srvc.exe"

- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices "asp-srvc"="asp-srvc.exe"

Certain keys are also get added. View them and other information at Central Command page.

  • 6/3: Agobot-SU Controlled by IRC Bot
  • 1/26: Patco-A Worm Replaces Doc Files
  • 1/4: Sdbot-AI Worm/Trojan Lets Hackers In
  • New Worm Throws 'Smackdown' on Users
  • 3/7: Forbot-ER Worm Contains Backdoor Functions
  • 6/9: Rbot.AF Uses NetBEUI Functions
  • House Renews Anti-Spyware Push
  • Phishing Scams Increase 1,200% in 6 Months
  • New nCipher Product Targets Online Payment Card Fraud
  • 4/5: Mytob-Y Worm Copies Itself to Email
  • Sender ID: Phishing Solution or Another Problem?
  • Security Camera News