F-Secure: Be Sure
Main
F-Secure Logo - Be Sure
Select local site


Privacy Policy
Legal Notices
Contact Us

F-Secure Virus Descriptions : Agobot.P

[Summary] | [Disinfection] | [Detailed Description] | [Detection]



NAME:Agobot.P
ALIAS:Backdoor.Agobot.3.p, W32.HLLW.Gaobot, Gaobot, Win32/Gaobot

Summary

The Agobot.p variant was reported by several customers in the middle of October 2003. This backdoor has functionality similar to previous variants. The description of previous Agobot variant can be found here:

http://www.europe.f-secure.com/v-descs/agobot_f.shtml

The generic description of Agobot can be found here:

http://www.europe.f-secure.com/v-descs/agobot.shtml

Disinfection

The most important step of disinfection is the installation of security patches for the vulnerabilities exploited by Agobot.

Detailed information and patches are available from the following pages:

RPC/DCOM (MS03-026, fixed by MS03-039):

http://www.microsoft.com/technet/security/bulletin/MS03-039.asp

RPC/Locator (MS03-001):

http://www.microsoft.com/technet/security/bulletin/MS03-001.asp

WebDAV (MS03-007):

http://www.microsoft.com/technet/security/bulletin/MS03-007.asp

The neccessary patches can be downloaded from the pages above under the "Patch availability" section.

F-Secure Anti-Virus with the latest updates can detect and delete the Agobot infected files.

Back to the Top


Detailed Description

There are some differences in this backdoor variant comparing to previous variants:

The Agobot.p backdoor copies itself as LSAS.EXE and WINHLPP32.EXE files to an infected system.

When spreading to local network, Agobot.p probes the following shares: 

 c$
 d$
 e$
 print$
 admin$

Agobot.p tries to connect using the following account names: 

 Administrator
 admin
 administrator
 Administrateur
 Default
 mgmt
 Standard
 User
 Administrador
 Owner
 Test
 Guest
 Gast
 Inviter
 a
 aaa
 abc
 x
 xyz
 Dell
 home
 pc
 test
 temp
 win
 asdf
 qwer
 login

When connecting, Agobot.p uses the following passwords: 

 admin
 Admin
 password
 Password
 1
 12
 123
 1234
 12345
 123456
 1234567
 12345678
 123456789
 654321
 54321
 111
 000000
 00000000
 11111111
 88888888
 pass
 passwd
 database
 abcd
 oracle
 sybase
 123qwe
 server
 computer
 Internet
 super
 123asd
 ihavenopass
 godblessyou
 enable
 xp
 2002
 2003
 2600
 0
 110
 111111
 121212
 123123
 1234qwer
 123abc
 007
 alpha
 patrick
 pat
 administrator
 root
 sex
 god
 foobar
 a
 aaa
 abc
 test
 temp
 win
 pc
 asdf
 secret
 qwer
 yxcv
 zxcv
 home
 xxx
 owner
 login
 Login
 pwd
 pass
 love
 mypc
 mypass
 pw

Agobot.p tries to kill the following processes: 

 ZONEALARM.EXE
 WFINDV32.EXE
 WEBSCANX.EXE
 VSSTAT.EXE
 VSHWIN32.EXE
 VSECOMR.EXE
 VSCAN40.EXE
 VETTRAY.EXE
 VET95.EXE
 TDS2-NT.EXE
 TDS2-98.EXE
 TCA.EXE
 TBSCAN.EXE
 SWEEP95.EXE
 SPHINX.EXE
 SMC.EXE
 SERV95.EXE
 SCRSCAN.EXE
 SCANPM.EXE
 SCAN95.EXE
 SCAN32.EXE
 SAFEWEB.EXE
 RESCUE.EXE
 RAV7WIN.EXE
 RAV7.EXE
 PERSFW.EXE
 PCFWALLICON.EXE
 PCCWIN98.EXE
 PAVW.EXE
 PAVSCHED.EXE
 PAVCL.EXE
 PADMIN.EXE
 OUTPOST.EXE
 NVC95.EXE
 NUPGRADE.EXE
 NORMIST.EXE
 NMAIN.EXE
 NISUM.EXE
 NAVWNT.EXE
 NAVW32.EXE
 NAVNT.EXE
 NAVLU32.EXE
 NAVAPW32.EXE
 N32SCANW.EXE
 MPFTRAY.EXE
 MOOLIVE.EXE
 LUALL.EXE
 LOOKOUT.EXE
 LOCKDOWN2000.EXE
 JEDI.EXE
 IOMON98.EXE
 IFACE.EXE
 ICSUPPNT.EXE
 ICSUPP95.EXE
 ICMON.EXE
 ICLOADNT.EXE
 ICLOAD95.EXE
 IBMAVSP.EXE
 IBMASN.EXE
 IAMSERV.EXE
 IAMAPP.EXE
 FRW.EXE
 FPROT.EXE
 FP-WIN.EXE
 FINDVIRU.EXE
 F-STOPW.EXE
 F-PROT95.EXE
 F-PROT.EXE
 F-AGNT95.EXE
 ESPWATCH.EXE
 ESAFE.EXE
 ECENGINE.EXE
 DVP95_0.EXE
 DVP95.EXE
 CLEANER3.EXE
 CLEANER.EXE
 CLAW95CF.EXE
 CLAW95.EXE
 CFINET32.EXE
 CFINET.EXE
 CFIAUDIT.EXE
 CFIADMIN.EXE
 BLACKICE.EXE
 BLACKD.EXE
 AVWUPD32.EXE
 AVWIN95.EXE
 AVSCHED32.EXE
 AVPUPD.EXE
 AVPTC32.EXE
 AVPM.EXE
 AVPDOS32.EXE
 AVPCC.EXE
 AVP32.EXE
 AVP.EXE
 AVNT.EXE
 AVKSERV.EXE
 AVGCTRL.EXE
 AVE32.EXE
 AVCONSOL.EXE
 AUTODOWN.EXE
 APVXDWIN.EXE
 ANTI-TROJAN.EXE
 ACKWIN32.EXE
 _AVPM.EXE
 _AVPCC.EXE
 _AVP32.EXE

Agobot.p also terminates processes belonging to other malware: 

 tftpd.exe
 dllhost.exe
 winppr32.exe
 mspatch.exe
 penis32.exe
 msblast.exe
 regloadr.exe
 explore.exe
 scvhosl.exe

Agobot.p tries to steal CD keys from the following games: 

 Half Life
 Half Life: Counterstrike
 Unreal Tournament 2003
 The Gladiators
 Need For Speed Hot Pursuit 2
 FIFA 2002
 FIFA 2003
 NHL 2002
 NHL 2003
 Nascar Racing 2002
 Nascar Racing 2003
 Battlefield 1942
 Battlefield 1942: The Road to Rome
 Battlefield 1942 Secret Weapons of WWII
 Command & Conquer: Generals
 Command & Conquer: Red Alert
 Command & Conquer: Red Alert 2
 Command & Conquer: Tiberian Sun
 Project IGI 2
 NOX
 LoMaM
 Neverwinter Nights
 Soldier of Fortune II - Double Helix

Back to the Top


Detection

Detection for Agobot.p variant was published on 14th of October, 2003 in update:

[FSAV_Database_Version]

Version=2003-10-14_01

Back to the Top


Technical Details: Alexey Podrezov; October 17th, 2003;

Description Updated: Alexey Podrezov, November 26th, 2003;

F-Secure Corporation