Virus Update

[StRiDeR]

Troj/Webber-H

Aliases

TrojanDownloader.Win32.Small.hg, Trojan.Download.Berbew, Downloader-DI trojan, Downloader-DI!zip

Type

Trojan

Detection

A virus identity (IDE) file which provides protection is available now from the Latest virus identities section, and will be incorporated into the June 2004 (3.82) release of Sophos Anti-Virus.


Enterprise Manager and PureMessage customers will be automatically protected at their next scheduled update.

Sophos has received several reports of this Trojan from the wild.

Note: Sophos has been detecting Troj/Webber-H since 06:54 GMT on 8th April. This IDE has been issued to enhance detection.


Description

Troj/Webber-H is a two component backdoor Trojan.
The downloader component of the Trojan appears to have been mass mailed out.

When run the Trojan downloads a remote file to C:\windows\usermade.exe and
executes it.

The downloaded component is a password stealing Trojan that attempts to extract sensitive information from several locations on the system and sends it to a remote computer.

The downloaded component copies itself as a file with a random name into the
Windows system folder and drops and executes a DLL file, also with a random
name, that runs the copy of the Trojan.

In order to be started automatically the Trojan creates the following registry entries:

HKLM\Software\CLASSES\CLSID\{79FB9088-19CE-715D-D900-216290C5B738}
\InProcServer32

HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
\Web Event Logger

Troj/Webber-H also sets the following Microsoft Internet Explorer related registry entries to prompt the user into entering passwords:

HCU\Software\Microsoft\Internet Explorer\Main\FormSuggest Passwords
HCU\Software\Microsoft\Internet Explorer\Main\FormSuggest PW Ask
HCU\Software\Microsoft\Internet Explorer\Main\Use FormSuggest


Recovery

Please follow the instructions for removing Trojans.

Change any data that may have become compomised.

[StRiDeR]

W32/Agobot-FZ

Aliases

Backdoor.Agobot.kt, W32/Gaobot.worm.gen.j

Type

Win32 worm

Detection

A virus identity (IDE) file which provides protection is available now from the Latest virus identities section, and will be incorporated into the May 2004 (3.81) release of Sophos Anti-Virus.


Enterprise Manager and PureMessage customers will be automatically protected at their next scheduled update.

Sophos has received several reports of this worm from the wild.


Description

W32/Agobot-FZ is an IRC backdoor Trojan and network worm.
W32/Agobot-FZ is capable of spreading to computers on the local network protected by weak passwords.

When first run W32/Agobot-FZ copies itself to the Windows system folder as msdtc32.exe and creates the following registry entries to run itself on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
Video Device Loader = msdtc32.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\
Video Device Loader = msdtcc32.exe

Each time W32/Agobot-FZ is run it attempts to connect to a remote IRC server and join a specific channel.

W32/Agobot-FZ then runs continuously in the background, allowing a remote intruder to access and control the computer via IRC channels.

W32/Agobot-FZ attempts to terminate and disable various anti-virus and security-related programs.


Recovery

Please follow the instructions for removing worms.

Check your administrator passwords and review network security.

You will also need to edit the following registry entries, if they are present. Please read the warning about editing the registry.

At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.

Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup.

Locate the HKEY_LOCAL_MACHINE entries:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
Video Device Loader = msdtc32.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\
Video Device Loader = msdtcc32.exe

and delete them if they exist.

Close the registry editor.

[StRiDeR]

Troj/LdPinch-L

Aliases

Trojan.PSW.LdPinch.ce, PWS-LDPinch, TROJ_LDPINCH.E

Type

Trojan

Detection

A virus identity (IDE) file which provides protection is available now from the Latest virus identities section, and will be incorporated into the May 2004 (3.81) release of Sophos Anti-Virus.


Enterprise Manager and PureMessage customers will be automatically protected at their next scheduled update.

At the time of writing, Sophos has received no reports from users affected by this Trojan. However, we have issued this advisory following enquiries to our support department from customers.


Description

Troj/LdPinch-L is a password stealing Trojan. Upon execution it collects passwords from the computer and emails them to a remote address.
The Trojan moves itself to the Windows folder and sets the following registry entry to auto start:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\SVCHOST
= <windows folder>\<Trojan name>

On Windows 2000 the Trojan will attempt to connect to a web page.

The Trojan also attempts to drop and load a helper DLL (ihook.dll) into the Windows folder which is detected as Troj/Klog-A.


Recovery

Please follow the instructions for removing Trojans.

[StRiDeR]

W32/Sdbot-HL

Aliases

Backdoor.IRCBot.gen, W32/Spybot.worm.gen.a, W32.Randex.gen, BKDR_IRCBOT.L

Type

Win32 worm

Detection

A virus identity (IDE) file which provides protection is available now from the Latest virus identities section, and will be incorporated into the June 2004 (3.82) release of Sophos Anti-Virus.


Enterprise Manager and PureMessage customers will be automatically protected at their next scheduled update.

At the time of writing, Sophos has received just one report of this worm from the wild.


Description

W32/Sdbot-HL is a worm which attempts to spread to remote network shares. It also contains backdoor Trojan functionality, allowing unauthorised remote access to the infected computer via IRC channels while running in the background as a service process.
W32/Sdbot-HL spreads to network shares with weak passwords as a result of the backdoor Trojan element receiving the appropriate command from a remote user, copying itself to the file CSNT.EXE on the local machine at the same time.

W32/Sdbot-HL copies itself to the Windows system folder as CSRS.EXE and creates entries in the registry at the following locations to run itself on system startup:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

W32/Sdbot-HL tries to delete the following registry entries to prevent the associated programs from running on system startup:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\pccclient.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\pccguide.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\pop3trap.exe

W32/Sdbot-HL sets the following registry entry in an attempt to disable the use of registry tools:

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\
DisableRegistryTools = "1"


Recovery

Please follow the instructions for removing worms.

[StRiDeR]

W32/Netsky-V

Type

Win32 worm

Detection

A virus identity (IDE) file which provides protection is available now from the Latest virus identities section, and will be incorporated into the June 2004 (3.82) release of Sophos Anti-Virus.


Enterprise Manager and PureMessage customers will be automatically protected at their next scheduled update.

At the time of writing, Sophos has received no reports from users affected by this worm. However, we have issued this advisory following enquiries to our support department from customers.


Description

W32/Netsky-V is a worm. When executed the worm will send emails containing an exploit which will attempt to download and execute a remote file.
W32/Netsky-V copies itself to the Windows folder as KasperskyAVEng.exe and adds the following registry entry so that it gets started on user logon:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\KasperskyAVEng = KasperskyAVEng.exe

The worm will listen on TCP ports 5557 and 5558.

A more detailed description will be published here shortly.


Recovery

Please follow the instructions for removing worms.

[StRiDeR]

W32/Agobot-GG

Aliases

Backdoor.Agobot.gen, W32/Gaobot.worm.gen.e, Win32/Agobot.3.NZ, W32.HLLW.Gaobot.gen, WORM_AGOBOT.SB

Type

Win32 worm

Detection

A virus identity (IDE) file which provides protection is available now from the Latest virus identities section, and will be incorporated into the June 2004 (3.82) release of Sophos Anti-Virus.


Enterprise Manager and PureMessage customers will be automatically protected at their next scheduled update.

At the time of writing, Sophos has received just one report of this worm from the wild.


Description

W32/Agobot-GG is an IRC backdoor Trojan and network worm.
W32/Agobot-GG is capable of spreading to computers on the local network protected by weak passwords.

When first run W32/Agobot-GG moves itself to the Windows system folder as systems.exe.

The worm may also add its pathname to the following registry entries to run itself on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\

Each time W32/Agobot-GG is run it attempts to connect to a remote IRC server and join a specific channel.

W32/Agobot-GG then runs continuously in the background, allowing a remote intruder to access and control the computer via IRC channels.

W32/Agobot-GG attempts to terminate selected anti-virus and security-related programs.


Recovery

Please follow the instructions for removing worms.

[StRiDeR]

Troj/Loony-E

Aliases

Backdoor.SdBot.iw

Type

Trojan

Detection

A virus identity (IDE) file which provides protection is available now from the Latest virus identities section, and will be incorporated into the June 2004 (3.82) release of Sophos Anti-Virus.


Enterprise Manager and PureMessage customers will be automatically protected at their next scheduled update.

At the time of writing, Sophos has received just one report of this Trojan from the wild.


Description

Troj/Loony-E is a backdoor Trojan that allows unauthorised access and control of the infected computer from a remote location via IRC channels.
Troj/Loony-E copies itself to the Windows system folder as SVSHOST.EXE and creates the following registry entry in order to run itself on system startup:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\svshostdriver


Recovery

Please follow the instructions for removing Trojans.

[StRiDeR]

Troj/Badparty-A

Type

Trojan

Detection

A virus identity (IDE) file which provides protection is available now from the Latest virus identities section, and will be incorporated into the May 2004 (3.81) release of Sophos Anti-Virus.


Enterprise Manager and PureMessage customers will be automatically protected at their next scheduled update.

At the time of writing, Sophos has received just one report of this Trojan from the wild.

Note: Sophos has updated this IDE to include the detection of a minor W32/Netsky-N variant.


Description

Troj/Badparty-A displays a message box containing the text 'Press OK to install the party invitation...'.
When the user clicks on OK the Trojan deletes the partition table in the master boot sector and the contents of the FAT. The Trojan then attempts to create a new partition table.

The Trojan creates the following files, which are all copies of legitimate utilities:
ginst0.dll in the Windows temp folder
int86_16.dll, int86_32.dll, playme.exe and party.ini in the Windows folder


Recovery

Please contact technical support.

[StRiDeR]

W32/Agobot-GP



Aliases

W32.HLLW.Gaobot.gen, W32/Gaobot.worm.gen.j

Type

Win32 worm

Detection

A virus identity (IDE) file which provides protection is available now from the Latest virus identities section, and will be incorporated into the June 2004 (3.82) release of Sophos Anti-Virus.


Enterprise Manager and PureMessage customers will be automatically protected at their next scheduled update.

At the time of writing, Sophos has received just one report of this worm from the wild.


Description

W32/Agobot-GP is an IRC backdoor Trojan and network worm.
W32/Agobot-GP is capable of spreading to computers on the local network protected by weak passwords.

When first run W32/Agobot-GP copies itself to the Windows system folder as csrss32.exe and creates the following registry entries to run itself on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
Updater Service Process = csrss32.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\
Updater Service Process = csrss32.exe

Each time W32/Agobot-GP is run it attempts to connect to a remote IRC server and join a specific channel. W32/Agobot-GP then runs continuously in the background, allowing a remote intruder to access and control the computer via IRC channels.

W32/Agobot-GP attempts to terminate and disable various anti-virus and security related programs.

W32/Agobot-GP modifies the hosts file on the infected computer in an attempt to resolve a number of security related websites to the localhost address.


Recovery

Please follow the instructions for removing worms.

[StRiDeR]

W32/Sdbot-CP

Aliases

Backdoor.IRCBot.gen, W32/Spybot.worm.gen.a, Win32/IRCBot.DG, W32.Randex.gen, WORM_RBOT.G

Type

Win32 worm

Detection

A virus identity (IDE) file which provides protection is available now from the Latest virus identities section, and will be incorporated into the June 2004 (3.82) release of Sophos Anti-Virus.


Enterprise Manager and PureMessage customers will be automatically protected at their next scheduled update.

At the time of writing, Sophos has received just one report of this worm from the wild.


Description

W32/Sdbot-CP is an IRC backdoor Trojan and network worm.
W32/Sdbot-CP spreads to other computers on the local network protected by weak passwords.

When first run W32/Sdbot-CP copies itself to the Windows System folder as csrs32.exe and creates the following registry entries, so that csrs32.exe is run automatically each time Windows is started:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
System32-Driver = csrs32.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
System32-Driver = csrs32.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
System32-Driver = csrs32.exe

The Trojan sets the following registry entry, in order to disable the use of certain system programs such as Regedit.exe:

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\
System\DisableRegistryTools = 1

Each time the Trojan runs it attempts to connect to a remote IRC server and join a specific channel. The Trojan then runs continuously in the background listening on the channel for commands to execute.

The Trojan attempts to terminate selected anti-virus and security-related programs.


Recovery

Please follow the instructions for removing worms.

[StRiDeR]

W32/Zafi-A

Aliases

I-Worm.Kapes, Win32/Zafi.A

Type

Win32 worm

Detection

A virus identity (IDE) file which provides protection is available now from the Latest virus identities section, and will be incorporated into the June 2004 (3.82) release of Sophos Anti-Virus.


Enterprise Manager and PureMessage customers will be automatically protected at their next scheduled update.

Sophos has received several reports of this worm from the wild.


Description

A detailed analysis of W32/Zafi-A will be published here shortly. Please check again later.

Recovery

Please follow the instructions for removing worms.

[StRiDeR]

W32/Blaster-G

Type

Win32 worm

Detection

A virus identity (IDE) file which provides protection is available now from the Latest virus identities section, and will be incorporated into the June 2004 (3.82) release of Sophos Anti-Virus.


Enterprise Manager and PureMessage customers will be automatically protected at their next scheduled update.

Sophos has received several reports of this worm from the wild.


Description

W32/Blaster-G is a worm that uses the internet to exploit the DCOM vulnerability in the RPC (Remote Procedure Call) service.
The worm will copy itself to the Windows system folder as eschlp.exe and create the file svchosthlp.exe in the same location.

W32/Blaster-G creates the following registry entries to ensure it is run at system logon:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Helper = <SYSTEM>\eschlp.exe /fstart
MSUpdate = <SYSTEM>\svchosthlp.exe
SPUpdate = <SYSTEM>\svchosthlp.exe

A more detailed description will be published here shortly.


Recovery

Please follow the instructions for removing worms.

[StRiDeR]

Troj/DDosSmal-B

Type

Trojan

Detection

A virus identity (IDE) file which provides protection is available now from the Latest virus identities section, and is incorporated into the April 2004 (3.80) release of Sophos Anti-Virus.
At the time of writing, Sophos has received just one report of this Trojan from the wild.

Note: The IDE issued for Troj/DDosSmal-B on 11:51 GMT in 19 February also contained detection for W32/Netsky-A, W32/Nachi-C, W32/SdBot-FQ, W32/SdBot-HH, W32/SdBot-HI, W32/SdBot-HJ and JS/NoClose-B. This IDE has now been updated to enhance detection of W32/Nachi-C.


Description

Troj/DDosSmal-B is a Trojan which attempts a denial-of-service attack on a website.
Troj/DDosSmal-B repeatedly sends random TCP/IP packets to diana23.dyndns.org port 80 (HTTP). It does this for 10 minutes, then sets a timeout for 1 minute. After the timeout elapses, it goes back to the start (repeating the 10 minute flood).

In order to run automatically when Windows starts up the Trojan copies itself to the file winsys.exe in the Windows folder and adds the following registry entry:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\winsys


Recovery

Please follow the instructions for removing Trojans.

Windows NT/2000/XP/2003

In Windows NT/2000/XP/2003 you will also need to edit the following registry entry. The removal of this entry is optional in Windows 95/98/Me. Please read the warning about editing the registry.

At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.

Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup.

Locate the HKEY_LOCAL_MACHINE entry:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\winsys

and delete it if it exists.

Close the registry editor.

[StRiDeR]

W32/Agobot-QF

Aliases

W32/Gaobot.worm.gen.e virus, W32.HLLW.Gaobot.gen, WORM_AGOBOT.QF

Type

Win32 worm

Detection

A virus identity (IDE) file which provides protection is available now from the Latest virus identities section, and will be incorporated into the June 2004 (3.82) release of Sophos Anti-Virus.

Customers using Enterprise Manager, PureMessage and any
of the Sophos small business solutions will be automatically protected at their next scheduled update.


Sophos has received several reports of this worm from the wild.


Description

W32/Agobot-QF is an IRC backdoor Trojan and network worm which establishes

an IRC channel to a remote server in order to grant an intruder access to the compromised machine.


This worm will move itself into the Windows System32 folder under the filename EXPLORED.EXE and may create the following registry entries so that it can execute automatically on system restart:



HKLM\Software\Microsoft\Windows\CurrentVersion\Run\

Windows Login = explored.exe



HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\

Windows Login = explored.exe



This worm will also attempt to glean email addresses from the Windows Address Book and send itself to these email addresses using its own SMTP engine with itself included as an executable attachment.



W32/Agobot-QF will attempt to terminate anti-virus and software firewall processes, in addition to other viruses, worms or Trojans.



For example:



'_AVPM.EXE'

'_AVPCC.EXE'

'_AVP32.EXE'

'ZONEALARM.EXE'

'ZONALM2601.EXE'

'ZATUTOR.EXE'

'ZAPSETUP3001.EXE'

'ZAPRO.EXE'

'XPF202EN.EXE'

'WYVERNWORKSFIREWALL.EXE'

'WUPDT.EXE'

'WUPDATER.EXE'

'WSBGATE.EXE'

'WRCTRL.EXE'

'WRADMIN.EXE'

'WNT.EXE'

'WNAD.EXE'

'WKUFIND.EXE'

'WINUPDATE.EXE'

'WINTSK32.EXE'

'WINSTART001.EXE'

'WINSTART.EXE'

'WINSSK32.EXE'

'WINSERVN.EXE'

'WINRECON.EXE'

'WINPPR32.EXE'

'WINNET.EXE'

'WINMAIN.EXE'

'WINLOGIN.EXE'

'WININITX.EXE'

'WININIT.EXE'

'WININETD.EXE'

'WINDOWS.EXE'

'WINDOW.EXE'

'WINACTIVE.EXE'

'WIN32US.EXE'

'WIN32.EXE'

'WIN-BUGSFIX.EXE'

'WIMMUN32.EXE'

'WHOSWATCHINGME.EXE'

'WGFE95.EXE'

'WFINDV32.EXE'

'WEBTRAP.EXE'

'WEBSCANX.EXE'

'WEBDAV.EXE'

'WATCHDOG.EXE'

'W9X.EXE'

'W32DSM89.EXE'

'VSWINPERSE.EXE'

'VSWINNTSE.EXE'

'VSWIN9XE.EXE'

'VSSTAT.EXE'

'VSMON.EXE'

'VSMAIN.EXE'

'VSISETUP.EXE'

'VSHWIN32.EXE'

'VSECOMR.EXE'

'VSCHED.EXE'

'VSCENU6.02D30.EXE'

'VSCAN40.EXE'

'VPTRAY.EXE'

'VPFW30S.EXE'

'VPC42.EXE'

'VPC32.EXE'

'VNPC3000.EXE'

'VNLAN300.EXE'

'VIRUSMDPERSONALFIREWALL.EXE'

'VIR-HELP.EXE'

'VFSETUP.EXE'

'VETTRAY.EXE'

'VET95.EXE'

'VET32.EXE'

'VCSETUP.EXE'

'VBWINNTW.EXE'

'VBWIN9X.EXE'

'VBUST.EXE'

'VBCONS.EXE'

'VBCMSERV.EXE'

'UTPOST.EXE'

'UPGRAD.EXE'

'UPDAT.EXE'

'UNDOBOOT.EXE'

'TVTMD.EXE'

'TVMD.EXE'

'TSADBOT.EXE'

'TROJANTRAP3.EXE'

'TRJSETUP.EXE'

'TRJSCAN.EXE'

'TRICKLER.EXE'

'TRACERT.EXE'

'TITANINXP.EXE'

'TITANIN.EXE'

'TGBOB.EXE'

'TFAK5.EXE'

'TFAK.EXE'

'TEEKIDS.EXE'

'TDS2-NT.EXE'

'TDS2-98.EXE'

'TDS-3.EXE'

'TCM.EXE'

'TCA.EXE'

'TC.EXE'

'TBSCAN.EXE'

'TAUMON.EXE'

'TASKMON.EXE'

'TASKMO.EXE'

'TASKMG.EXE'

'SYSUPD.EXE'

'SYSTEM32.EXE'

'SYSTEM.EXE'

'SYSEDIT.EXE'

'SYMTRAY.EXE'

'SYMPROXYSVC.EXE'

'SWEEPNET.SWEEPSRV.SYS.SWNETSUP.EXE'

'SWEEP95.EXE'

'SVSHOST.EXE'

'SVCHOSTS.EXE'

'SVCHOSTC.EXE'

'SVC.EXE'

'SUPPORTER5.EXE'

'SUPPORT.EXE'

'SUPFTRL.EXE'

'STCLOADER.EXE'

'START.EXE'

'ST2.EXE'

'SSGRATE.EXE'

'SS3EDIT.EXE'

'SRNG.EXE'

'SREXE.EXE'

'SPYXX.EXE'

'SPOOLSV32.EXE'

'SPOOLCV.EXE'

'SPOLER.EXE'

'SPHINX.EXE'

'SPF.EXE'

'SPERM.EXE'

'SOFI.EXE'

'SOAP.EXE'

'SMSS32.EXE'

'SMS.EXE'

'SMC.EXE'

'SHOWBEHIND.EXE'

'SHN.EXE'

'UPDATE.EXE'

'SHELLSPYINSTALL.EXE'

'SH.EXE'

'SGSSFW32.EXE'

'SFC.EXE'

'SETUP_FLOWPROTECTOR_US.EXE'

'SETUPVAMEEVAL.EXE'

'SERVLCES.EXE'

'SERVLCE.EXE'

'SERVICE.EXE'

'SERV95.EXE'

'SD.EXE'

'SCVHOST.EXE'

'SCRSVR.EXE'

'SCRSCAN.EXE'

'SCANPM.EXE'

'SCAN95.EXE'

'SCAN32.EXE'

'SCAM32.EXE'

'SC.EXE'

'SBSERV.EXE'

'SAVENOW.EXE'

'SAVE.EXE'

'SAHAGENT.EXE'

'SAFEWEB.EXE'

'RUXDLL32.EXE'

'RUNDLL16.EXE'

'RUNDLL.EXE'

'RUN32DLL.EXE'

'RULAUNCH.EXE'

'RTVSCN95.EXE'

'RTVSCAN.EXE'

'RSHELL.EXE'

'RRGUARD.EXE'

'RESCUE32.EXE'

'RESCUE.EXE'

'REGEDT32.EXE'

'REGEDIT.EXE'

'REGED.EXE'

'REALMON.EXE'

'RCSYNC.EXE'

'RB32.EXE'

'RAY.EXE'

'RAV8WIN32ENG.EXE'

'RAV7WIN.EXE'

'RAV7.EXE'

'RAPAPP.EXE'

'QSERVER.EXE'

'QCONSOLE.EXE'

'PVIEW95.EXE'

'PUSSY.EXE'

'PURGE.EXE'

'PSPF.EXE'

'PROTECTX.EXE'

'PROPORT.EXE'

'PROGRAMAUDITOR.EXE'

'PROCEXPLORERV1.0.EXE'

'PROCESSMONITOR.EXE'

'PROCDUMP.EXE'

'PRMVR.EXE'

'PRMT.EXE'

'PRIZESURFER.EXE'

'PPVSTOP.EXE'

'PPTBC.EXE'

'PPINUPDT.EXE'

'POWERSCAN.EXE'

'PORTMONITOR.EXE'

'PORTDETECTIVE.EXE'

'POPSCAN.EXE'

'POPROXY.EXE'

'POP3TRAP.EXE'

'PLATIN.EXE'

'PINGSCAN.EXE'

'PGMONITR.EXE'

'PFWADMIN.EXE'

'PF2.EXE'

'PERSWF.EXE'

'PERSFW.EXE'

'PERISCOPE.EXE'

'PENIS.EXE'

'PDSETUP.EXE'

'PCSCAN.EXE'

'PCFWALLICON.EXE'

'PCDSETUP.EXE'

'PCCWIN98.EXE'

'PCCWIN97.EXE'

'PCCNTMON.EXE'

'PCCIOMON.EXE'

'PAVW.EXE'

'PAVSCHED.EXE'

'PAVPROXY.EXE'

'PAVCL.EXE'

'PATCH.EXE'

'PANIXK.EXE'

'PADMIN.EXE'

'OUTPOSTPROINSTALL.EXE'

'OUTPOSTINSTALL.EXE'

'OTFIX.EXE'

'OSTRONET.EXE'

'OPTIMIZE.EXE'

'ONSRVR.EXE'

'OLLYDBG.EXE'

'NWTOOL16.EXE'

'NWSERVICE.EXE'

'NWINST4.EXE'

'NVSVC32.EXE'

'NVC95.EXE'

'NVARCH16.EXE'

'NUI.EXE'

'NTXconfig.EXE'

'NTVDM.EXE'

'NTRTSCAN.EXE'

'NT.EXE'

'NSUPDATE.EXE'

'NSTASK32.EXE'

'NSSYS32.EXE'

'NSCHED32.EXE'

'NPSSVC.EXE'

'NPSCHECK.EXE'

'NPROTECT.EXE'

'NPFMESSENGER.EXE'

'NPF40_TW_98_NT_ME_2K.EXE'

'NOTSTART.EXE'

'NORTON_INTERNET_SECU_3.0_407.EXE'

'NORMIST.EXE'

'NOD32.EXE'

'NMAIN.EXE'

'NISUM.EXE'

'NISSERV.EXE'

'NETUTILS.EXE'

'NETSTAT.EXE'

'NETSPYHUNTER-1.2.EXE'

'NETSCANPRO.EXE'

'NETMON.EXE'

'NETINFO.EXE'

'NETD32.EXE'

'NETARMOR.EXE'

'NEOWATCHLOG.EXE'

'NEOMONITOR.EXE'

'NDD32.EXE'

'NCINST4.EXE'

'NAVWNT.EXE'

'NAVW32.EXE'

'NAVSTUB.EXE'

'NAVNT.EXE'

'NAVLU32.EXE'

'NAVENGNAVEX15.NAVLU32.EXE'

'NAVDX.EXE'

'NAVAPW32.EXE'

'NAVAPSVC.EXE'

'NAVAP.NAVAPSVC.EXE'

'AUTO-PROTECT.NAV80TRY.EXE'

'NAV.EXE'

'OUTPOST.EXE'

'NUPGRADE.EXE'

'N32SCANW.EXE'

'MWATCH.EXE'

'MU0311AD.EXE'

'MSVXD.EXE'

'MSSYS.EXE'

'MSSMMC32.EXE'

[StRiDeR]

'MSMSGRI32.EXE'

'MSMGT.EXE'

'MSLAUGH.EXE'

'MSINFO32.EXE'

'MSIEXEC16.EXE'

'MSDOS.EXE'

'MSDM.EXE'

'MSCONFIG.EXE'

'MSCMAN.EXE'

'MSCCN32.EXE'

'MSCACHE.EXE'

'MSBLAST.EXE'

'MSBB.EXE'

'MSAPP.EXE'

'MRFLUX.EXE'

'MPFTRAY.EXE'

'MPFSERVICE.EXE'

'MPFAGENT.EXE'

'MOSTAT.EXE'

'MOOLIVE.EXE'

'MONITOR.EXE'

'MMOD.EXE'

'MINILOG.EXE'

'MGUI.EXE'

'MGHTML.EXE'

'MGAVRTE.EXE'

'MGAVRTCL.EXE'

'MFWENG3.02D30.EXE'

'MFW2EN.EXE'

'MFIN32.EXE'

'MD.EXE'

'MCVSSHLD.EXE'

'MCVSRTE.EXE'

'MCTOOL.EXE'

'MCSHIELD.EXE'

'MCMNHDLR.EXE'

'MCAGENT.EXE'

'MAPISVC32.EXE'

'LUSPT.EXE'

'LUINIT.EXE'

'LUCOMSERVER.EXE'

'LUAU.EXE'

'LSETUP.EXE'

'LORDPE.EXE'

'LOOKOUT.EXE'

'LOCKDOWN2000.EXE'

'LOCKDOWN.EXE'

'LOCALNET.EXE'

'LOADER.EXE'

'LNETINFO.EXE'

'LDSCAN.EXE'

'LDPROMENU.EXE'

'LDPRO.EXE'

'LDNETMON.EXE'

'LAUNCHER.EXE'

'KILLPROCESSSETUP161.EXE'

'KERNEL32.EXE'

'KERIO-WRP-421-EN-WIN.EXE'

'KERIO-WRL-421-EN-WIN.EXE'

'KERIO-PF-213-EN-WIN.EXE'

'KEENVALUE.EXE'

'KAZZA.EXE'

'KAVPF.EXE'

'KAVPERS40ENG.EXE'

'KAVLITE40ENG.EXE'

'JEDI.EXE'

'JDBGMRG.EXE'

'JAMMER.EXE'

'ISTSVC.EXE'

'MCUPDATE.EXE'

'LUALL.EXE'

'ISRV95.EXE'

'ISASS.EXE'

'IRIS.EXE'

'IPARMOR.EXE'

'IOMON98.EXE'

'INTREN.EXE'

'INTDEL.EXE'

'INIT.EXE'

'INFWIN.EXE'

'INFUS.EXE'

'INETLNFO.EXE'

'IFW2000.EXE'

'IFACE.EXE'

'IEXPLORER.EXE'

'IEDRIVER.EXE'

'IEDLL.EXE'

'IDLE.EXE'

'ICSUPPNT.EXE'

'ICMON.EXE'

'ICLOADNT.EXE'

'ICLOAD95.EXE'

'IBMAVSP.EXE'

'IBMASN.EXE'

'IAMSTATS.EXE'

'IAMSERV.EXE'

'IAMAPP.EXE'

'HXIUL.EXE'

'HXDL.EXE'

'HWPE.EXE'

'HTPATCH.EXE'

'HTLOG.EXE'

'HOTPATCH.EXE'

'HOTACTIO.EXE'

'HBSRV.EXE'

'HBINST.EXE'

'HACKTRACERSETUP.EXE'

'GUARDDOG.EXE'

'GUARD.EXE'

'GMT.EXE'

'GENERICS.EXE'

'GBPOLL.EXE'

'GBMENU.EXE'

'GATOR.EXE'

'FSMB32.EXE'

'FSMA32.EXE'

'FSM32.EXE'

'FSGK32.EXE'

'FSAV95.EXE'

'FSAV530WTBYB.EXE'

'FSAV530STBYB.EXE'

'FSAV32.EXE'

'FSAV.EXE'

'FSAA.EXE'

'FRW.EXE'

'FPROT.EXE'

'FP-WIN_TRIAL.EXE'

'FP-WIN.EXE'

'FNRB32.EXE'

'FLOWPROTECTOR.EXE'

'FIREWALL.EXE'

'FINDVIRU.EXE'

'FIH32.EXE'

'FCH32.EXE'

'FAST.EXE'

'FAMEH32.EXE'

'F-STOPW.EXE'

'F-PROT95.EXE'

'F-PROT.EXE'

'F-AGNT95.EXE'

'EXPLORE.EXE'

'EXPERT.EXE'

'EXE.AVXW.EXE'

'EXANTIVIRUS-CNET.EXE'

'EVPN.EXE'

'ETRUSTCIPE.EXE'

'ETHEREAL.EXE'

'ESPWATCH.EXE'

'ESCANV95.EXE'

'ICSUPP95.EXE'

'ESCANHNT.EXE'

'ESCANH95.EXE'

'ESAFE.EXE'

'ENT.EXE'

'EMSW.EXE'

'EFPEADM.EXE'

'ECENGINE.EXE'

'DVP95_0.EXE'

'DVP95.EXE'

'DSSAGENT.EXE'

'DRWEBUPW.EXE'

'DRWEB32.EXE'

'DRWATSON.EXE'

'DPPS2.EXE'

'DPFSETUP.EXE'

'DPF.EXE'

'DOORS.EXE'

'DLLREG.EXE'

'DLLCACHE.EXE'

'DIVX.EXE'

'DEPUTY.EXE'

'DEFWATCH.EXE'

'DEFSCANGUI.EXE'

'DEFALERT.EXE'

'DCOMX.EXE'

'DATEMANAGER.EXE'

'Claw95.EXE'

'CWNTDWMO.EXE'

'CWNB181.EXE'

'CV.EXE'

'CTRL.EXE'

'CPFNT206.EXE'

'CPF9X206.EXE'

'CPD.EXE'

'CONNECTIONMONITOR.EXE'

'CMON016.EXE'

'CMGRDIAN.EXE'

'CMESYS.EXE'

'CMD32.EXE'

'CLICK.EXE'

'CLEANPC.EXE'

'CLEANER3.EXE'

'CLEANER.EXE'

'CLEAN.EXE'

'CFINET32.EXE'

'CFINET.EXE'

'CFIADMIN.EXE'

'CFGWIZ.EXE'

'CFD.EXE'

'CDP.EXE'

'CCPXYSVC.EXE'

'CCEVTMGR.EXE'

'CCAPP.EXE'

'BVT.EXE'

'BUNDLE.EXE'

'BS120.EXE'

'BRASIL.EXE'

'BPC.EXE'

'BORG2.EXE'

'BOOTWARN.EXE'

'BOOTCONF.EXE'

'BLSS.EXE'

'BLACKICE.EXE'

'BLACKD.EXE'

'BISP.EXE'

'BIPCPEVALSETUP.EXE'

'BIPCP.EXE'

'BIDSERVER.EXE'

'BIDEF.EXE'

'BELT.EXE'

'BEAGLE.EXE'

'BD_PROFESSIONAL.EXE'

'BARGAINS.EXE'

'BACKWEB.EXE'

'CLAW95CF.EXE'

'CFIAUDIT.EXE'

'AVXMONITORNT.EXE'

'AVXMONITOR9X.EXE'

'AVWUPSRV.EXE'

'AVWUPD.EXE'

'AVWINNT.EXE'

'AVWIN95.EXE'

'AVSYNMGR.EXE'

'AVSCHED32.EXE'

'AVPTC32.EXE'

'AVPM.EXE'

'AVPDOS32.EXE'

'AVPCC.EXE'

'AVP32.EXE'

'AVP.EXE'

'AVNT.EXE'

'AVLTMAIN.EXE'

'AVKWCTl9.EXE'

'AVKSERVICE.EXE'

'AVKSERV.EXE'

'AVKPOP.EXE'

'AVGW.EXE'

'AVGUARD.EXE'

'AVGSERV9.EXE'

'AVGSERV.EXE'

'AVGNT.EXE'

'AVGCTRL.EXE'

'AVGCC32.EXE'

'AVE32.EXE'

'AVCONSOL.EXE'

'AU.EXE'

'ATWATCH.EXE'

'ATRO55EN.EXE'

'ATGUARD.EXE'

'ATCON.EXE'

'ARR.EXE'

'APVXDWIN.EXE'

'APLICA32.EXE'

'APIMONITOR.EXE'

'ANTS.EXE'

'ANTIVIRUS.EXE'

'ANTI-TROJAN.EXE'

'AMON9X.EXE'

'ALOGSERV.EXE'

'ALEVIR.EXE'

'ALERTSVC.EXE'

'AGENTW.EXE'

'AGENTSVR.EXE'

'ADVXDWIN.EXE'

'ADAWARE.EXE'

'AVXQUAR.EXE'

'ACKWIN32.EXE'

'AVWUPD32.EXE'

'AVPUPD.EXE'

'AUTOUPDATE.EXE'

'AUTOTRACE.EXE'

'AUTODOWN.EXE'

'AUPDATE.EXE'

'ATUPDATER.EXE'



This worm will search for shared folders on the internet with weak passwords and copy itself into them. A text file named HOSTS may also be dropped into

C:\<Windows System32>\drivers\etc which may contain a list of anti-virus

and other security related websites each bound to the IP loopback address of 127.0.0.1 which would effectively prevent access to these sites.



For example:



127.0.0.1 www.symantec.com

127.0.0.1 securityresponse.symantec.com

127.0.0.1 symantec.com

127.0.0.1 www.sophos.com

127.0.0.1 sophos.com

127.0.0.1 www.mcafee.com

127.0.0.1 mcafee.com

127.0.0.1 liveupdate.symantecliveupdate.com

127.0.0.1 www.viruslist.com

127.0.0.1 viruslist.com

127.0.0.1 viruslist.com

127.0.0.1 f-secure.com

127.0.0.1 www.f-secure.com

127.0.0.1 kaspersky.com

127.0.0.1 www.avp.com

127.0.0.1 www.kaspersky.com

127.0.0.1 avp.com

127.0.0.1 www.networkassociates.com

127.0.0.1 networkassociates.com

127.0.0.1 www.ca.com

127.0.0.1 ca.com

127.0.0.1 mast.mcafee.com

127.0.0.1 my-etrust.com

127.0.0.1 www.my-etrust.com

127.0.0.1 download.mcafee.com

127.0.0.1 dispatch.mcafee.com

127.0.0.1 secure.nai.com

127.0.0.1 nai.com

127.0.0.1 www.nai.com

127.0.0.1 update.symantec.com

127.0.0.1 updates.symantec.com

127.0.0.1 us.mcafee.com

127.0.0.1 liveupdate.symantec.com

127.0.0.1 customer.symantec.com

127.0.0.1 rads.mcafee.com

127.0.0.1 trendmicro.com

127.0.0.1 www.trendmicro.com



W32/Agobot-QF can sniff HTTP, ICMP, FTP, VULN and IRC network traffic and steal data from them.



The following vulnerabilities can also be exploited to aid propagation on unpatched systems and manipulate registry keys:



Remote Procedure Call (RPC) vulnerability



Distributed Component Object Model (DCOM) vulnerability



RPC Locator vulnerability



IIS5/WEBDAV Buffer Overflow vulnerability



For more information about these Windows vulnerabilities, please refer to the following Microsoft Web pages:



Microsoft Security Bulletin MS03-001

Microsoft Security Bulletin MS03-007

Microsoft Security Bulletin MS03-026



W32/Agobot-QF can also polymorph on installation in order to evade detection and share/delete the admin$, ipc$ etc drives.



It can also test the available bandwidth by attempting to GET or POST data to the following websites:



'yahoo.co.jp'

'www.nifty.com'

'www.d1asia.com'

'www.st.lib.keio.ac.jp'

'www.lib.nthu.edu.tw'

'www.above.net'

'www.level3.com'

'nitro.ucsc.edu'

'www.burst.net'

'www.cogentco.com'

'www.rit.edu'

'www.nocster.com'

'www.verio.com'

'www.stanford.edu'

'www.xo.net'

'de.yahoo.com'

'www.belwue.de'

'www.switch.ch'

'www.1und1.de'

'verio.fr'

'www.utwente.nl'

'www.schlund.net'



W32/Agobot-QF can also be used to initiate denial-of-service (DoS) and distributed denial-of-service (DDoS) synflood/httpflood/fraggle/smurf etc attacks against

remote systems.



This worm can steal the Windows Product ID and keys from several computer applications or games including:



AOL Instant Messenger

Battlefield 1942

Battlefield 1942: Secret Weapons Of WWII

Battlefield 1942: The Road To Rome

Battlefield 1942: Vietnam

Black and White

Call of Duty

Command and Conquer: Generals

Command and Conquer: Generals: Zero Hour

Command and Conquer: Red Alert2

Command and Conquer: Tiberian Sun

Counter-Strike

FIFA 2002

FIFA 2003

Freedom Force

Global Operations

Gunman Chronicles

Half-Life

Hidden and Dangerous 2

Industry Giant 2

IGI2: Covert Strike

James Bond 007: Nightfire

Medal of Honor: Allied Assault

Medal of Honor: Allied Assault: Breakthrough

Medal of Honor: Allied Assault: Spearhead

Nascar Racing 2002

Nascar Racing 2003

NHL 2002

NHL 2003

Need For Speed: Hot Pursuit 2

Need For Speed: Underground

Neverwinter Nights

Ravenshield

Shogun Total War - Warlord Edition

Soldiers Of Anarchy

Soldier of Fortune II - Double Helix

The Gladiators

Unreal Tournament 2003

Unreal Tournament 2004

Windows Messenger



W32/Agobot-QF will delete all files named 'sound*.*' and the resident process will be very difficult to terminate.


Recovery

Please follow the instructions for removing worms.