Win32.Agobot.C, virus/worm
Alias: Backdoor.Socksbot (Symantec),
W32/Gaobot.worm.gen (McAfee),
Win32/Agobot.C.Dropper,
Win32/Agobot.P2P.Worm,
Worm.P2P.Agobot.c (Kaspersky)
Published Date: 4/7/2003
Last Modified: 5/7/2003
Analysis by Myles Jordan
CHARACTERISTICS
Win32.Agobot.C is an IRC-controlled backdoor that can be used to gain unauthorized access to a victim's machine. It can also exhibit worm-like functionality by offering itself as a download on either the KaZaA or iMesh P2P file-sharing network.
When run, it makes a hidden copy of itself in the %Windows%\%system% directory with the filename svhost.exe. It then adds the value "Svhost Loader" to the following registry keys:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
so that the worm is run every time the computer starts.
Win32.Agobot.C then attempts to connect to a pre-defined IRC server and join a specific channel so that the victim's computer can be controlled.
Once the victim's computer is under control, the hacker is able to instruct Win32.Agobot.C to attempt to perform malicious operations such as:
- Downloading files
- Updating itself via the web
- Launching DDoS (Distributed Denial of Service) attacks
- Sending the CD keys for the following recent games out from the local host:
Warcraft III
Soldier of Fortune II
Neverwinter Nights
Unreal Tournament
Half-Life
Win32.Agobot.C attempts to enable file sharing on machines running KaZaA and iMesh. It makes copies of itself using potentially enticing filenames created by substituting one of the names of the following games:
Hoyle Card Games 2003
Us Open 2002
Hyper Rails
HOYLE PUZZLE GAMES 2003
Puzzles battles of the history
Snow Drop
Emperor Rise of the Middle Kingdom
Reel Deal Slots Volume II
AFL Live 2003
Squad Battles Eagles Strike
Earth 2150 Lost Souls
Midnight Outlaw Street Racing
Deep Fritz 7
Virtual Resort Spring Break
Divine Divinity
Zelenhgorm The Great Ship
Kango Shicyauzo
Action Man Destruction X
Blue's Clues Preschool
Jurassic Park Dinosaur Battles
Maximum G-Force Coasters
Empire Earth Art of Qonquest
Ultimate Pinball
Frontline Attack War over Europe
Bandits - Phoenix Rising
Taz Wanted
Pro Soccer Cup 2002
Jeopardy! 2003
Prisoner Of War
Links 2003
Total Club Manager 2003
Sniper Path of Vengeance
Links 2003 Championship Courses
Law and Order Dead on the Money
Ultimate Ride Disney Coaster
Dogs Playing Poker
The Sims Unleashed
Stronghold Crusader
Virtual Skipper 2
Combat Mission 2
Iron Storm Action
Exodus Action
X-Plane
Project Nomads
Bongo Boogie
NHL 2003
ParaShooter
Emperor
Virtual Sailor
Battlefield 1942
Kickoff 2002
Brixout XP
Star Wraith 3
Madden NFL 2003
BANDITS Phoenix Rising
Pox Puzzle
Starshatter v3
Virtual Resort
Conflict Desert Storm
Delta Force Black Hawk Down
Unreal Tournament 2003
Scarlet Waves
Halloween
No One Lives Forever 2
World War II
Iron Storm
The Gates
Asswipe
Fartknocker
High Grow
Ganja Farmer 2
Duke Nukem Forever
Jedi Knight 2
RTCW
Quake 3
Quake 2
Quake 1
Shattered Galaxy
Diablo 2
Diablo
Starcraft
Warcraft
Warcraft 2
Warcraft 3
NOLF2
UT2003
into one of the following strings in place of :
crack (all versions)
newest version crack
3D Setup
- Cable Modem Playfix
- ADSL Playfix
- Unlock Everything Trainer
- Crack all versions
- Internet Play Fix
- NOCD Patch
- Tweaking utility
- Autotuning (for Newbies)
- CD Key Generator
- Newest Patch
- Character Cheat
- Map Hack
- Idem Duplicator
- Item Hack
- Multiplayer Cheat
- Unlimited Healt Trainer
- Game Trainer
or by substituting one of the following names:
Kylie Minogue
Shakira
Christina Aguilera
Britney Spears
Michelle Behennah
Kate Moss
Helena Christensen
Emma Sjoberg
Stacey Keibler
Karina Lombard
Kylie Bax
Cameron Diaz
Lexa Doig
Belinda Chapple
Alessandra Ambrosia
Kirsten Dunst
Halle Berry
Salma Hayek
Charlize Theron
Katie Price
Pamela Anderson
Donna D'Erico
Ashley Judd
Carmen Electra
Jessica Alba
Amanda Peet
Sandra Bullock
Gillian Anderson
Anna Kournikova
Samantha Mumba
Chandra North
Kelly Hu
Jolene Blalock
into one of the following strings, in place of :
(some names censored for indecency)
Watch s*cking and f*cking - XXX
oh my, horny - XXX
is very horny atm - XXX
Instant access to -picture download - XXX
's webcam - cracked access - no cost - XXX
's webcam - view livecast - XXX
in bed with some guy - XXX
giving VERY good bl*wjob XXX
getting it on with Usama Bin Laden - XXX
getting it on with George W. Bush - XXX
Big Boobs Part II XXX -
Spreading Wide XXX -
Huge Tits XXX -
Big Tits XXX -
buttf*ckin - XXX
c*m all over - XXX
lesbian love - XXX
h4x 's c0mput3r 4nd s3nd h3r 3m41l - mus7 d0wnl04d - 1337 h4x0r - XXX
, very good pic (must download) - XXX
getting on with it! - XXX
s*cking d*ck - XXX
spreading VERY wide!! - XXX
Free celeb pics xxx playboy f*ck port huge boobs nude hardcore - XXX
Pictures of - hot pics! - XXX
Sexy nude pics xxx playboy porn pics
Anal Sex - - XXX
doing hardcore xxx
nude f*cking hardcore xxx huge boobs
Hardcore XXX -
Celebrity XXX -
Any name constructed from the above lists has an .exe extension appended.
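The two host-side indicators the advisory gives (the "Svhost Loader" autorun value pointing at svhost.exe, and the lure filenames built from a name, a suffix string and ".exe") can be turned into simple checks. The script below is an added example for this page, not part of the original advisory or of any vendor tool. It uses short excerpts of the name and suffix lists above, assumes the substituted name sits at the front of each string (the page's placeholder token was lost), and runs on constructed sample data; on Windows the hypothetical `read_run_values` helper reads the real Run/RunServices keys with `winreg`.

```python
"""Defender-side checks for the Win32.Agobot.C indicators in the advisory:
the "Svhost Loader" autorun value and the KaZaA/iMesh lure filenames.
Added example, not the advisory's own code; sample inputs are constructed."""
import re
import sys

# Persistence indicator from the advisory.
RUN_KEYS = (
    r"Software\Microsoft\Windows\CurrentVersion\RunServices",
    r"Software\Microsoft\Windows\CurrentVersion\Run",
)
AUTORUN_VALUE = "Svhost Loader"
DROPPED_NAME = "svhost.exe"  # one letter short of the legitimate svchost.exe

# Excerpts of the advisory's lists (the full lists are just longer).
# Assumption: the substituted name goes at the front of each suffix string.
GAMES = ["Warcraft 3", "Diablo 2", "Quake 3", "Battlefield 1942", "The Sims Unleashed"]
GAME_SUFFIXES = ["crack (all versions)", "newest version crack", "- NOCD Patch",
                 "- CD Key Generator", "- Map Hack", "- Game Trainer"]
CELEBS = ["Britney Spears", "Anna Kournikova", "Jessica Alba"]
CELEB_SUFFIXES = ["'s webcam - view livecast - XXX", "in bed with some guy - XXX"]

# Lure vocabulary drawn from the suffix strings, to catch variants not listed.
LURE_WORDS = re.compile(
    r"\b(crack|trainer|patch|hack|playfix|play fix|keygen|generator|cheat|"
    r"duplicator|xxx|webcam|tweaking|autotuning)\b", re.IGNORECASE)


def build_lure_names(names, suffixes):
    """Reproduce the advisory's construction: <name> <suffix>.exe."""
    out = []
    for name in names:
        for suffix in suffixes:
            sep = "" if suffix.startswith("'") else " "
            out.append(f"{name}{sep}{suffix}.exe")
    return out


def find_lures(filenames):
    """Return (filename, reason) for each file that looks like an Agobot lure."""
    exact = {n.lower() for n in build_lure_names(GAMES, GAME_SUFFIXES)
             + build_lure_names(CELEBS, CELEB_SUFFIXES)}
    known = [n.lower() for n in GAMES + CELEBS]
    hits = []
    for f in filenames:
        low = f.lower()
        if not low.endswith(".exe"):
            continue  # the worm only offers .exe files
        if low in exact:
            hits.append((f, "exact lure filename from the advisory lists"))
        elif any(n in low for n in known) and LURE_WORDS.search(low):
            hits.append((f, "listed name plus a lure keyword"))
    return hits


def flag_autorun_values(values):
    """values maps 'HKLM\\...\\<value name>' -> command string.
    Flags the advisory's value name or any command whose image is svhost.exe."""
    hits = {}
    for full_name, cmd in values.items():
        value_name = full_name.split("\\")[-1]
        image = re.split(r"[\\/]", cmd.strip().strip('"'))[-1].lower()
        if value_name.lower() == AUTORUN_VALUE.lower() or image == DROPPED_NAME:
            hits[full_name] = cmd
    return hits


def read_run_values():
    """On Windows, read both autorun keys with winreg; empty dict elsewhere."""
    if sys.platform != "win32":
        return {}
    import winreg
    found = {}
    for path in RUN_KEYS:
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path) as key:
                i = 0
                while True:
                    try:
                        name, data, _ = winreg.EnumValue(key, i)
                    except OSError:
                        break  # no more values under this key
                    found[f"HKLM\\{path}\\{name}"] = str(data)
                    i += 1
        except OSError:
            continue  # key absent on this Windows version
    return found


# Constructed sample data standing in for a real registry read and share listing.
SAMPLE_AUTORUN = {
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Svhost Loader": r"C:\WINDOWS\System32\svhost.exe",
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ctfmon.exe": r"C:\WINDOWS\System32\ctfmon.exe",
}
SAMPLE_SHARE = [
    "Warcraft 3 - Map Hack.exe",                          # exact list entry
    "Britney Spears's webcam - view livecast - XXX.exe",  # exact list entry
    "Diablo 2 keygen by someone.exe",                     # unlisted, heuristic hit
    "Quake 3.exe",                                        # listed name, no lure word
    "holiday_photos.zip",                                 # not an .exe
]

if __name__ == "__main__":
    for key, cmd in flag_autorun_values(read_run_values() or SAMPLE_AUTORUN).items():
        print("autorun:", key, "->", cmd)
    for name, why in find_lures(SAMPLE_SHARE):
        print("lure:", name, "|", why)
```

The heuristic branch in `find_lures` deliberately requires both a listed name and a lure keyword, so a legitimately named "Quake 3.exe" on a share is not flagged while an unlisted variant such as a keygen is; the autorun check matches on the image name as well as the value name, because the value name is trivially renamed while the dropped file is the advisory's fixed indicator.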
COMMENT
Computer WORMS complicate the security situation.
Unlike viruses they may enter your computer while you are hooked up to the Internet without any connection to e-mail messages or e-mail use. Residing on your computer, if not detected by an excellent and up-to-date antivirus program, they will then become activated by any of a great number of triggers. Perhaps when you next turn on your machine or reboot it. Perhaps according to a particular date. Perhaps when you start MSIE (Microsoft Internet Explorer), or some other program. They may then make your machine make noises, attach themselves to files on your computer already, attach to and assume the name of attachments you are receiving by e-mail, or occupy your computer resources and slow your machine while filling your memory or storage.
"E-mail spoofing is the forgery of an e-mail header so that the message appears to have originated from someone or somewhere other than the actual source.
This will usually occur if someone you know has been infected with a virus and they have your address in their address book.
This type of spam is often used in an attempt to get recipients to open it, and possibly infect their system.
The best course of action would be to delete these e-mails and never open any e-mails that you are unsure about.
To ensure that your computer is virus free you should make sure that you have the latest signature files available for EZ Antivirus and then run a full virus scan; if the results show zero infections, then there is nothing to worry about."
COMMENT
Worms, which spoof, are spiritually destructive.
By the deception of others, your ignorance and your fear --- they prompt you to distrust and hold responsible friends, relatives and associates for a disaster of which they are innocent in involvement beyond their historical caring and support for you.
It is ALWAYS more intelligent and more spiritually strong to determine WHAT the meaning of an error is, HOW to correct it, and WHERE it originated -- BEFORE assessing responsibility, and penalty. Otherwise, the penalty enacted in haste may turn out to be a further disaster of our pride, fear and ignorance and hurt us more than we ever wished on others.
CAUTION
Worms which use e-mail address lists.
Increasingly dominant throughout 2003, and continuing, is the use of real e-mail addresses deceptively programmed into the "FROM" sections of e-mails. This has been a frequent practice of spammers who hope to remain free of prosecution and persecution as well as responsibility for the waste of resources they cause.
Most obvious from the fall of 2003, I have found "REPLY" e-mails being sent to my "health@earthtym.net" address, primarily from e-mail postmaster programs. These have protected the intended recipients from usual worm or virus attachments by returning them to the INSERTED "From" address, which is mine! This e-mail address was only set up when I changed my website host to Freeservers.com and indicated the "health@" e-mail as the administrative contact to the "protected" Internet URL registration site of "WHOIS.com". This address has NEVER been used to SEND e-mails. Its presence on the Internet in this capacity indicates a fraudulent ghosting of it.
The FACT that my administrative address is being used this way signals that ANY valid e-mail address can be likewise "kidnapped" and used by anonymous cowards to provoke others in YOUR name. It is tragic that the only SAFE way to share an attachment with friends, associates or customers is to either send an ALERT e-mail first to indicate that you will be sending an attachment and what its idiosyncratic filename is (nothing common or predictable), or, to post it on your personal or business website, perhaps temporarily, and send the webpage address in your e-mail.
There is NO BENEFIT in constantly changing your e-mail address as any new address you pick may be discovered within weeks and simply encourage you to spend many hours, and irritate all of your recipients, with the notifications of yet another change. Ironically, communicating in the digital age is becoming MORE difficult than previous methods, not easier nor cheaper. Because of abusive over-competitive mass marketing application --- snail (junk) mail, (telemarketing) telephone, (computer-dialing) voicemail, (batch) fax, and (spam) e-mail have all now become largely redundant as communication tools.
Articles on the Internet are transitory.
The publishers may remove them, change sites, change URLs, or change titles. For the purpose of maintaining an availability of this article for you, it has been reprinted here with authorship maintained and coding simplified for error-free loading and minimal file size.