Virus: Worm/Agobot.NQ.75
Date discovered: 17/02/2006
Type: Worm
In the wild: No
Reported infections: Low
Distribution potential: Medium
Damage potential: Medium
Static file: Yes
File size: 93,184 bytes
MD5 checksum: 6ea79d37db2141e47ca2c2b9ea316bf6
VDF version: 6.33.01.03

General

Method of propagation:
   • Local network


Aliases:
   •  Kaspersky: Backdoor.Win32.Agobot.nq
   •  Bitdefender: Backdoor.SDBot.B31B3145


Platforms / OS:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Blocks access to security websites
   • Disables security applications
   • Registry modification
   • Makes use of software vulnerability
   • Steals information
   • Third party control

Files

It copies itself to the following location:
   • %SYSDIR%\WININET.EXE



It deletes the initially executed copy of itself.

Registry

The following registry values are added so that the dropped copy is started again after reboot:

– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   • Dell Internet Driver Update = WININET.EXE

– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
   • Dell Internet Driver Update = WININET.EXE
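
A check for this persistence entry on an exported copy of the two keys, added here as an example and not part of the original description. It parses the text of a `reg export` dump (a constructed sample is embedded; a real export is UTF-16LE and must be decoded first) and flags autorun values whose value name or image name matches the indicators above. The benign entries in the sample are filler for contrast.

```python
import re
from typing import List, Tuple

# Constructed sample of a `reg export` dump of the two autorun keys (a real
# export is UTF-16LE on disk; decode it before parsing). The two "Dell Internet
# Driver Update" values are the Agobot.NQ persistence entries from the
# description; the other values are benign filler for contrast.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VTTimer"="VTTimer.exe"
"Dell Internet Driver Update"="WININET.EXE"
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"Dell Internet Driver Update"="WININET.EXE"
'''

AUTORUN_KEYS = {
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices",
}

# Indicators from the description: the value name and the dropped file name.
IOC_VALUE_NAME = "dell internet driver update"
IOC_IMAGE_NAME = "wininet.exe"   # the legitimate WinINet is a DLL, never an EXE

# "name"="data" with .reg escaping (\\ and \") inside either string.
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def _unescape(s: str) -> str:
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text: str) -> List[Tuple[str, str, str]]:
    """Return (key, value_name, data) for every REG_SZ value in a .reg export."""
    entries, key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = VALUE_RE.match(line)
        if m and key is not None:
            entries.append((key, _unescape(m.group(1)), _unescape(m.group(2))))
    return entries


def image_path(data: str) -> str:
    """Extract the executable path from autorun data, honouring quoted paths."""
    data = data.strip()
    if data.startswith('"'):
        end = data.find('"', 1)
        return data[1:end] if end > 0 else data[1:]
    return data.split()[0] if data else ""


def find_agobot_persistence(entries):
    """Flag autorun values that match the Agobot.NQ persistence indicators."""
    hits = []
    for key, name, data in entries:
        if key not in AUTORUN_KEYS:
            continue
        path = image_path(data)
        base = path.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        # A bare file name (no directory) is resolved through the search path,
        # which is how a copy dropped into %SYSDIR% gets launched.
        bare = "\\" not in path and "/" not in path
        if base == IOC_IMAGE_NAME or name.lower() == IOC_VALUE_NAME:
            hits.append({"key": key.rsplit("\\", 1)[-1], "name": name,
                         "data": data, "bare_filename": bare})
    return hits


if __name__ == "__main__":
    for hit in find_agobot_persistence(parse_reg_export(SAMPLE_REG_EXPORT)):
        print(hit)
```

The value name is the stronger indicator; a bare `WININET.EXE` in either key is suspicious on its own because Windows ships WinINet only as a DLL, and the unqualified name means the loader picks the copy in the system directory.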

Network Infection

In order to ensure its propagation the malware attempts to connect to other machines as described below.

It drops copies of itself to the following network shares (IPC$ is the named-pipe share used to set up the SMB session and enumerate the target, not a location a file can be written to):
   • C$
   • D$
   • E$
   • ADMIN$
   • IPC$


Exploit:
It makes use of the following Exploits:
– MS01-059 (Unchecked Buffer in Universal Plug and Play)
– MS02-061 (Elevation of Privilege in SQL Server Web Tasks)
– MS03-007 (Unchecked Buffer in Windows Component)
– MS03-026 (Buffer Overrun in RPC Interface)
– MS03-039 (Buffer Overrun in RPCSS Service)
– MS04-011 (LSASS Vulnerability)
– Optix backdoor (port 3140)
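
A detector for the spreading routine's footprint in flow logs, added here as an example and not part of the original description. The port-to-exploit mapping is an assumption drawn from the advisories (DCOM RPC on 135, SMB/LSASS and the admin shares on 445 and 139, WebDAV on 80, SQL Server on 1433, UPnP on 5000); the Optix port is the one given above. The flow records are constructed. It flags a source that touches many distinct hosts on one of those ports inside a short sliding window, which is what the scan-and-exploit loop looks like from the network.

```python
from collections import defaultdict
from typing import Dict, List

# Service ports the listed exploits and share drops are delivered over (port
# assignments are drawn from the advisories, not from the description; the
# Optix port is the one the description gives).
SPREAD_PORTS: Dict[int, str] = {
    135:  "DCOM RPC (MS03-026 / MS03-039)",
    139:  "SMB over NetBIOS (C$, D$, E$, ADMIN$, IPC$ drops)",
    445:  "SMB / LSASS (MS04-011) and admin-share drops",
    80:   "IIS WebDAV (MS03-007)",
    1433: "SQL Server (MS02-061)",
    5000: "UPnP (MS01-059)",
    3140: "Optix backdoor",
}

# Constructed flow records: "epoch_seconds,src,dst,dport". 10.0.0.5 sweeps a /24
# on 445 and 135 inside one minute, the pattern the spreading routine produces;
# 10.0.0.7 and 10.0.0.9 are ordinary clients; 10.0.0.11 reaches 12 hosts on 445
# spread over a day, which is administration rather than a sweep.
SAMPLE_FLOWS: List[str] = (
    [f"{1140000000 + i},10.0.0.5,10.0.1.{i},445" for i in range(1, 25)]
    + [f"{1140000030 + i},10.0.0.5,10.0.1.{i},135" for i in range(1, 25)]
    + ["1140000005,10.0.0.7,10.0.1.10,445",
       "1140000006,10.0.0.7,10.0.1.11,80",
       "1140000007,10.0.0.9,10.0.2.2,3389"]
    + [f"{1140000000 + i * 7200},10.0.0.11,10.0.1.{i},445" for i in range(1, 13)]
)


def detect_sweeps(flows, window=300, min_targets=10):
    """Flag sources that hit >= min_targets distinct hosts on one spread port
    within `window` seconds (sliding window per source/port)."""
    per_key = defaultdict(list)            # (src, dport) -> [(ts, dst)]
    for rec in flows:
        ts, src, dst, dport = rec.split(",")
        dport = int(dport)
        if dport in SPREAD_PORTS:
            per_key[(src, dport)].append((int(ts), dst))

    alerts = []
    for (src, dport), events in sorted(per_key.items()):
        events.sort()
        seen, start = {}, 0          # dst -> number of events inside the window
        for end in range(len(events)):
            ts, dst = events[end]
            seen[dst] = seen.get(dst, 0) + 1
            while events[start][0] < ts - window:   # slide the left edge
                old = events[start][1]
                seen[old] -= 1
                if seen[old] == 0:
                    del seen[old]
                start += 1
            if len(seen) >= min_targets:
                alerts.append({"src": src, "dport": dport, "targets": len(seen),
                               "first": events[start][0], "last": ts,
                               "service": SPREAD_PORTS[dport]})
                break                     # one alert per source/port is enough
    return alerts


if __name__ == "__main__":
    for alert in detect_sweeps(SAMPLE_FLOWS):
        print(alert)
```

The window matters: without it the administrative host in the sample also crosses the target threshold, which is why the check is on distinct targets per unit of time rather than on a lifetime count.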

IRC

To deliver system information and to provide remote control it connects to the following IRC server:

Server: devnull.rizz**********
Port: 23000
Server password: stfupofskthx
Channel: #phat#
Nickname: phat-%random character string%
Password: smoke420
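
A detector for this join sequence, added here as an example and not part of the original description. It parses IRC protocol lines and scores one client session against the indicators above: the non-standard port, the server password sent with PASS, the `phat-` nick pattern, and the channel with its key. The transcript is constructed (the `C>`/`S>` prefixes mark direction and are not protocol); the server name is masked on this page and is not used.

```python
import re
from typing import List, Optional, Tuple

# Indicators taken from the description's IRC section.
C2_PORT = 23000
C2_SERVER_PASSWORD = "stfupofskthx"
C2_CHANNEL = "#phat#"
C2_CHANNEL_KEY = "smoke420"
C2_NICK_RE = re.compile(r"^phat-[A-Za-z0-9]+$")    # "phat-%random character string%"

# Constructed transcript of the bot's join sequence ("C>" client, "S>" server;
# the 001 reply is a generic greeting, not text from the sample).
SAMPLE_SESSION = """\
C> PASS stfupofskthx
C> NICK phat-kq3ra9x
C> USER phat 0 0 :phat
S> :irc 001 phat-kq3ra9x :Welcome
C> JOIN #phat# smoke420
S> :phat-kq3ra9x!phat@10.0.0.5 JOIN :#phat#
"""

BENIGN_SESSION = """\
C> NICK alice
C> USER alice 0 * :Alice
S> :irc 001 alice :Welcome
C> JOIN #python
"""

# prefix, command, middle params, trailing param (RFC 1459 message grammar).
IRC_RE = re.compile(
    r"^(?::(?P<prefix>\S+) )?(?P<cmd>\S+)(?: (?P<params>[^:]*?))?(?: :(?P<trailing>.*))?$")


def parse_irc(line: str) -> Optional[Tuple[Optional[str], str, List[str]]]:
    """Split one IRC message into (prefix, COMMAND, params)."""
    m = IRC_RE.match(line.rstrip("\r\n"))
    if not m:
        return None
    params = m.group("params").split() if m.group("params") else []
    if m.group("trailing") is not None:
        params.append(m.group("trailing"))
    return m.group("prefix"), m.group("cmd").upper(), params


def score_session(transcript: str, dst_port: int) -> List[str]:
    """Return the Agobot.NQ C2 indicators observed in one client session."""
    hits = []
    if dst_port == C2_PORT:
        hits.append(f"non-standard IRC port {dst_port}")
    for line in transcript.splitlines():
        if not line.startswith("C> "):
            continue                        # only client-originated messages
        parsed = parse_irc(line[3:])
        if parsed is None:
            continue
        _, cmd, params = parsed
        if cmd == "PASS" and params and params[0] == C2_SERVER_PASSWORD:
            hits.append("server password matches")
        elif cmd == "NICK" and params and C2_NICK_RE.match(params[0]):
            hits.append(f"bot nick pattern {params[0]}")
        elif cmd == "JOIN" and params and params[0].lower() == C2_CHANNEL:
            key = params[1] if len(params) > 1 else ""
            hits.append("C2 channel" + (" with key" if key == C2_CHANNEL_KEY else ""))
    return hits


if __name__ == "__main__":
    print(score_session(SAMPLE_SESSION, C2_PORT))
```

PASS is the strongest single signal: ordinary clients rarely send a server password at all, and the value is hard-coded in the sample, so one match on it is enough to pivot on; the nick pattern alone is weak and should only raise the score of a session that already has another indicator.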



– This malware has the ability to collect and send information such as:
    • Collected Email addresses
    • CPU speed
    • Free memory
    • Malware uptime
    • Information about the network
    • Size of memory
    • Information about the Windows operating system


– Furthermore it has the ability to perform actions such as:
    • Connect to IRC server
    • Launch DDoS ICMP flood
    • Launch DDoS SYN flood
    • Launch DDoS TCP flood
    • Launch DDoS UDP flood
    • Disable DCOM
    • Disable network shares
    • Disconnect from IRC server
    • Download file
    • Edit registry
    • Enable DCOM
    • Enable network shares
    • Execute file
    • Join IRC channel
    • Leave IRC channel
    • Perform network scan
    • Perform port redirection
    • Register a service
    • Restart system
    • Shut down system
    • Start keylogger
    • Start spreading routine
    • Terminate malware
    • Terminate process
    • Update itself
    • Visit a website

Hosts

The hosts file is modified as explained:

– In this case already existing entries remain unmodified.

– Access to the following domains is effectively blocked:
   • www.symantec.com; securityresponse.symantec.com; symantec.com;
      www.sophos.com; sophos.com; www.mcafee.com; mcafee.com;
      liveupdate.symantecliveupdate.com; www.viruslist.com; viruslist.com;
      viruslist.com; f-secure.com; www.f-secure.com; kaspersky.com;
      www.avp.com; www.kaspersky.com; avp.com; www.networkassociates.com;
      networkassociates.com; www.ca.com; ca.com; mast.mcafee.com;
      my-etrust.com; www.my-etrust.com; download.mcafee.com;
      dispatch.mcafee.com; secure.nai.com; nai.com; www.nai.com;
      update.symantec.com; updates.symantec.com; us.mcafee.com;
      liveupdate.symantec.com; customer.symantec.com; rads.mcafee.com;
      trendmicro.com; www.trendmicro.com




The modified hosts file keeps the original entries and appends one line per domain above pointing it at the loopback address 127.0.0.1, so update and download requests to those vendors never leave the machine.
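
An audit-and-repair routine for the hosts file, added here as an example and not part of the original description. It removes only lines that point one of the vendor hosts listed above at a sinkhole address and keeps everything else byte-for-byte, so a legitimate local override survives. The sample hosts file is constructed and assumes the loopback form the Agobot family writes.

```python
from typing import List, Tuple

# The vendor hosts the description says the bot blocks.
BLOCKED_VENDOR_HOSTS = {h.lower() for h in """
www.symantec.com securityresponse.symantec.com symantec.com www.sophos.com sophos.com
www.mcafee.com mcafee.com liveupdate.symantecliveupdate.com www.viruslist.com viruslist.com
f-secure.com www.f-secure.com kaspersky.com www.avp.com www.kaspersky.com avp.com
www.networkassociates.com networkassociates.com www.ca.com ca.com mast.mcafee.com
my-etrust.com www.my-etrust.com download.mcafee.com dispatch.mcafee.com secure.nai.com
nai.com www.nai.com update.symantec.com updates.symantec.com us.mcafee.com
liveupdate.symantec.com customer.symantec.com rads.mcafee.com trendmicro.com www.trendmicro.com
""".split()}

# Addresses a hosts-file blackhole entry points at (127.0.0.1 is the form the
# Agobot family writes; the others are common variants worth catching too).
SINKHOLE_IPS = {"127.0.0.1", "0.0.0.0", "::1"}

# Constructed %SYSDIR%\drivers\etc\hosts after infection: the original three
# lines are intact and the bot's entries are appended below them.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
10.1.2.3        intranet.corp.example   # internal portal
127.0.0.1 www.symantec.com
127.0.0.1 securityresponse.symantec.com
127.0.0.1 liveupdate.symantecliveupdate.com
127.0.0.1 www.mcafee.com mcafee.com
"""


def audit_hosts(text: str) -> Tuple[str, List[Tuple[int, str]]]:
    """Return (cleaned hosts text, [(line_no, removed line)]).

    A line is removed only when it points one of the vendor hosts at a
    sinkhole address; every other line, including comments and blanks, is
    kept unchanged so a legitimate override is never lost."""
    kept, removed = [], []
    for no, line in enumerate(text.splitlines(), 1):
        body = line.split("#", 1)[0].strip()   # drop trailing comment
        fields = body.split()
        if (len(fields) >= 2 and fields[0] in SINKHOLE_IPS
                and any(name.lower() in BLOCKED_VENDOR_HOSTS for name in fields[1:])):
            removed.append((no, line))
        else:
            kept.append(line)
    return "\n".join(kept) + "\n", removed


if __name__ == "__main__":
    cleaned, removed = audit_hosts(SAMPLE_HOSTS)
    for no, line in removed:
        print(f"removed line {no}: {line}")
    print(cleaned)
```

Matching on the pair (sinkhole address, vendor host) rather than on the host name alone is deliberate: an entry that maps a vendor name to a real address could be a corporate update proxy and is left for a human to judge.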
Process termination

List of processes that are terminated:
   • F-AGOBOT.EXE; HIJACKTHIS.EXE; _AVPM.EXE; _AVPCC.EXE; _AVP32.EXE;
      ZONEALARM.EXE; ZONALM2601.EXE; ZATUTOR.EXE; ZAPSETUP3001.EXE;
      ZAPRO.EXE; XPF202EN.EXE; WYVERNWORKSFIREWALL.EXE; WUPDT.EXE;
      WUPDATER.EXE; WSBGATE.EXE; WRCTRL.EXE; WRADMIN.EXE; WNT.EXE; WNAD.EXE;
      WKUFIND.EXE; WINUPDATE.EXE; WINTSK32.EXE; WINSTART001.EXE;
      WINSTART.EXE; WINSSK32.EXE; WINSERVN.EXE; WINRECON.EXE; WINPPR32.EXE;
      WINNET.EXE; WINMAIN.EXE; WINLOGIN.EXE; WININITX.EXE; WININIT.EXE;
      WININETD.EXE; WINDOWS.EXE; WINDOW.EXE; WINACTIVE.EXE; WIN32US.EXE;
      WIN32.EXE; WIN-BUGSFIX.EXE; WIMMUN32.EXE; WHOSWATCHINGME.EXE;
      WGFE95.EXE; WFINDV32.EXE; WEBTRAP.EXE; WEBSCANX.EXE; WEBDAV.EXE;
      WATCHDOG.EXE; W9X.EXE; W32DSM89.EXE; VSWINPERSE.EXE; VSWINNTSE.EXE;
      VSWIN9XE.EXE; VSSTAT.EXE; VSMON.EXE; VSMAIN.EXE; VSISETUP.EXE;
      VSHWIN32.EXE; VSECOMR.EXE; VSCHED.EXE; VSCENU6.02D30.EXE; VSCAN40.EXE;
      VPTRAY.EXE; VPFW30S.EXE; VPC42.EXE; VPC32.EXE; VNPC3000.EXE;
      VNLAN300.EXE; VIRUSMDPERSONALFIREWALL.EXE; VIR-HELP.EXE; VFSETUP.EXE;
      VETTRAY.EXE; VET95.EXE; VET32.EXE; VCSETUP.EXE; VBWINNTW.EXE;
      VBWIN9X.EXE; VBUST.EXE; VBCONS.EXE; VBCMSERV.EXE; UTPOST.EXE;
      UPGRAD.EXE; UPDAT.EXE; UNDOBOOT.EXE; TVTMD.EXE; TVMD.EXE; TSADBOT.EXE;
      TROJANTRAP3.EXE; TRJSETUP.EXE; TRJSCAN.EXE; TRICKLER.EXE; TRACERT.EXE;
      TITANINXP.EXE; TITANIN.EXE; TGBOB.EXE; TFAK5.EXE; TFAK.EXE;
      TEEKIDS.EXE; TDS2-NT.EXE; TDS2-98.EXE; TDS-3.EXE; TCM.EXE; TCA.EXE;
      TC.EXE; TBSCAN.EXE; TAUMON.EXE; TASKMON.EXE; TASKMO.EXE; TASKMG.EXE;
      SYSUPD.EXE; SYSTEM32.EXE; SYSTEM.EXE; SYSEDIT.EXE; SYMTRAY.EXE;
      SYMPROXYSVC.EXE; SWEEPNET.SWEEPSRV.SYS.SWNETSUP.EXE; SWEEP95.EXE;
      SVSHOST.EXE; SVCHOSTS.EXE; SVCHOSTC.EXE; SVC.EXE; SUPPORTER5.EXE;
      SUPPORT.EXE; SUPFTRL.EXE; STCLOADER.EXE; START.EXE; ST2.EXE;
      SSG_4104.EXE; SSGRATE.EXE; SS3EDIT.EXE; SRNG.EXE; SREXE.EXE;
      SPYXX.EXE; SPOOLSV32.EXE; SPOOLCV.EXE; SPOLER.EXE; SPHINX.EXE;
      SPF.EXE; SPERM.EXE; SOFI.EXE; SOAP.EXE; SMSS32.EXE; SMS.EXE; SMC.EXE;
      SHOWBEHIND.EXE; SHN.EXE; UPDATE.EXE; SHELLSPYINSTALL.EXE; SH.EXE;
      SGSSFW32.EXE; SFC.EXE; SETUP_FLOWPROTECTOR_US.EXE; SETUPVAMEEVAL.EXE;
      SERVLCES.EXE; SERVLCE.EXE; SERVICE.EXE; SERV95.EXE; SD.EXE;
      SCVHOST.EXE; SCRSVR.EXE; SCRSCAN.EXE; SCANPM.EXE; SCAN95.EXE;
      SCAN32.EXE; SCAM32.EXE; SC.EXE; SBSERV.EXE; SAVENOW.EXE; SAVE.EXE;
      SAHAGENT.EXE; SAFEWEB.EXE; RUXDLL32.EXE; RUNDLL16.EXE; RUNDLL.EXE;
      RUN32DLL.EXE; RULAUNCH.EXE; RTVSCN95.EXE; RTVSCAN.EXE; RSHELL.EXE;
      RRGUARD.EXE; RESCUE32.EXE; RESCUE.EXE; REGEDT32.EXE; REGEDIT.EXE;
      REGED.EXE; REALMON.EXE; RCSYNC.EXE; RB32.EXE; RAY.EXE;
      RAV8WIN32ENG.EXE; RAV7WIN.EXE; RAV7.EXE; RAPAPP.EXE; QSERVER.EXE;
      QCONSOLE.EXE; PVIEW95.EXE; PUSSY.EXE; PURGE.EXE; PSPF.EXE;
      PROTECTX.EXE; PROPORT.EXE; PROGRAMAUDITOR.EXE; PROCEXPLORERV1.0.EXE;
      PROCESSMONITOR.EXE; PROCDUMP.EXE; PRMVR.EXE; PRMT.EXE;
      PRIZESURFER.EXE; PPVSTOP.EXE; PPTBC.EXE; PPINUPDT.EXE; POWERSCAN.EXE;
      PORTMONITOR.EXE; PORTDETECTIVE.EXE; POPSCAN.EXE; POPROXY.EXE;
      POP3TRAP.EXE; PLATIN.EXE; PINGSCAN.EXE; PGMONITR.EXE; PFWADMIN.EXE;
      PF2.EXE; PERSWF.EXE; PERSFW.EXE; PERISCOPE.EXE; PENIS.EXE;
      PDSETUP.EXE; PCSCAN.EXE; PCIP10117_0.EXE; PCFWALLICON.EXE;
      PCDSETUP.EXE; PCCWIN98.EXE; PCCWIN97.EXE; PCCNTMON.EXE; PCCIOMON.EXE;
      PCC2K_76_1436.EXE; PCC2002S902.EXE; PAVW.EXE; PAVSCHED.EXE;
      PAVPROXY.EXE; PAVCL.EXE; PATCH.EXE; PANIXK.EXE; PADMIN.EXE;
      OUTPOSTPROINSTALL.EXE; OUTPOSTINSTALL.EXE; OTFIX.EXE; OSTRONET.EXE;
      OPTIMIZE.EXE; ONSRVR.EXE; OLLYDBG.EXE; NWTOOL16.EXE; NWSERVICE.EXE;
      NWINST4.EXE; NVSVC32.EXE; NVC95.EXE; NVARCH16.EXE; NUI.EXE;
      NTXconfig.EXE; NTVDM.EXE; NTRTSCAN.EXE; NT.EXE; NSUPDATE.EXE;
      NSTASK32.EXE; NSSYS32.EXE; NSCHED32.EXE; NPSSVC.EXE; NPSCHECK.EXE;
      NPROTECT.EXE; NPFMESSENGER.EXE; NPF40_TW_98_NT_ME_2K.EXE;
      NOTSTART.EXE; NORTON_INTERNET_SECU_3.0_407.EXE; NORMIST.EXE;
      NOD32.EXE; NMAIN.EXE; NISUM.EXE; NISSERV.EXE; NETUTILS.EXE;
      NETSTAT.EXE; NETSPYHUNTER-1.2.EXE; NETSCANPRO.EXE; NETMON.EXE;
      NETINFO.EXE; NETD32.EXE; NETARMOR.EXE; NEOWATCHLOG.EXE;
      NEOMONITOR.EXE; NDD32.EXE; NCINST4.EXE; NC2000.EXE; NAVWNT.EXE;
      NAVW32.EXE; NAVSTUB.EXE; NAVNT.EXE; NAVLU32.EXE;
      NAVENGNAVEX15.NAVLU32.EXE; NAVDX.EXE; NAVAPW32.EXE; NAVAPSVC.EXE;
      NAVAP.NAVAPSVC.EXE; AUTO-PROTECT.NAV80TRY.EXE; NAV.EXE; OUTPOST.EXE;
      NUPGRADE.EXE; N32SCANW.EXE; MWATCH.EXE; MU0311AD.EXE; MSVXD.EXE;
      MSSYS.EXE; MSSMMC32.EXE; MSMSGRI32.EXE; MSMGT.EXE; MSLAUGH.EXE;
      MSINFO32.EXE; MSIEXEC16.EXE; MSDOS.EXE; MSDM.EXE; MSCONFIG.EXE;
      MSCMAN.EXE; MSCCN32.EXE; MSCACHE.EXE; MSBLAST.EXE; MSBB.EXE;
      MSAPP.EXE; MRFLUX.EXE; MPFTRAY.EXE; MPFSERVICE.EXE; MPFAGENT.EXE;
      MOSTAT.EXE; MOOLIVE.EXE; MONITOR.EXE; MMOD.EXE; MINILOG.EXE; MGUI.EXE;
      MGHTML.EXE; MGAVRTE.EXE; MGAVRTCL.EXE; MFWENG3.02D30.EXE; MFW2EN.EXE;
      MFIN32.EXE; MD.EXE; MCVSSHLD.EXE; MCVSRTE.EXE; MCTOOL.EXE;
      MCSHIELD.EXE; MCMNHDLR.EXE; MCAGENT.EXE; MAPISVC32.EXE; LUSPT.EXE;
      LUINIT.EXE; LUCOMSERVER.EXE; LUAU.EXE; LSETUP.EXE; LORDPE.EXE;
      LOOKOUT.EXE; LOCKDOWN2000.EXE; LOCKDOWN.EXE; LOCALNET.EXE; LOADER.EXE;
      LNETINFO.EXE; LDSCAN.EXE; LDPROMENU.EXE; LDPRO.EXE; LDNETMON.EXE;
      LAUNCHER.EXE; KILLPROCESSSETUP161.EXE; KERNEL32.EXE;
      KERIO-WRP-421-EN-WIN.EXE; KERIO-WRL-421-EN-WIN.EXE;
      KERIO-PF-213-EN-WIN.EXE; KEENVALUE.EXE; KAZZA.EXE; KAVPF.EXE;
      KAVPERS40ENG.EXE; KAVLITE40ENG.EXE; JEDI.EXE; JDBGMRG.EXE; JAMMER.EXE;
      ISTSVC.EXE; MCUPDATE.EXE; LUALL.EXE; ISRV95.EXE; ISASS.EXE; IRIS.EXE;
      IPARMOR.EXE; IOMON98.EXE; INTREN.EXE; INTDEL.EXE; INIT.EXE;
      INFWIN.EXE; INFUS.EXE; INETLNFO.EXE; IFW2000.EXE; IFACE.EXE;
      IEXPLORER.EXE; IEDRIVER.EXE; IEDLL.EXE; IDLE.EXE; ICSUPPNT.EXE;
      ICMON.EXE; ICLOADNT.EXE; ICLOAD95.EXE; IBMAVSP.EXE; IBMASN.EXE;
      IAMSTATS.EXE; IAMSERV.EXE; IAMAPP.EXE; HXIUL.EXE; HXDL.EXE; HWPE.EXE;
      HTPATCH.EXE; HTLOG.EXE; HOTPATCH.EXE; HOTACTIO.EXE; HBSRV.EXE;
      HBINST.EXE; HACKTRACERSETUP.EXE; GUARDDOG.EXE; GUARD.EXE; GMT.EXE;
      GENERICS.EXE; GBPOLL.EXE; GBMENU.EXE; GATOR.EXE; FSMB32.EXE;
      FSMA32.EXE; FSM32.EXE; FSGK32.EXE; FSAV95.EXE; FSAV530WTBYB.EXE;
      FSAV530STBYB.EXE; FSAV32.EXE; FSAV.EXE; FSAA.EXE; FRW.EXE; FPROT.EXE;
      FP-WIN_TRIAL.EXE; FP-WIN.EXE; FNRB32.EXE; FLOWPROTECTOR.EXE;
      FIREWALL.EXE; FINDVIRU.EXE; FIH32.EXE; FCH32.EXE; FAST.EXE;
      FAMEH32.EXE; F-STOPW.EXE; F-PROT95.EXE; F-PROT.EXE; F-AGNT95.EXE;
      EXPLORE.EXE; EXPERT.EXE; EXE.AVXW.EXE; EXANTIVIRUS-CNET.EXE; EVPN.EXE;
      ETRUSTCIPE.EXE; ETHEREAL.EXE; ESPWATCH.EXE; ESCANV95.EXE;
      ICSUPP95.EXE; ESCANHNT.EXE; ESCANH95.EXE; ESAFE.EXE; ENT.EXE;
      EMSW.EXE; EFPEADM.EXE; ECENGINE.EXE; DVP95_0.EXE; DVP95.EXE;
      DSSAGENT.EXE; DRWEBUPW.EXE; DRWEB32.EXE; DRWATSON.EXE; DPPS2.EXE;
      DPFSETUP.EXE; DPF.EXE; DOORS.EXE; DLLREG.EXE; DLLCACHE.EXE; DIVX.EXE;
      DEPUTY.EXE; DEFWATCH.EXE; DEFSCANGUI.EXE; DEFALERT.EXE; DCOMX.EXE;
      DATEMANAGER.EXE; Claw95.EXE; CWNTDWMO.EXE; CWNB181.EXE; CV.EXE;
      CTRL.EXE; CPFNT206.EXE; CPF9X206.EXE; CPD.EXE; CONNECTIONMONITOR.EXE;
      CMON016.EXE; CMGRDIAN.EXE; CMESYS.EXE; CMD32.EXE; CLICK.EXE;
      CLEANPC.EXE; CLEANER3.EXE; CLEANER.EXE; CLEAN.EXE; CFINET32.EXE;
      CFINET.EXE; CFIADMIN.EXE; CFGWIZ.EXE; CFD.EXE; CDP.EXE; CCPXYSVC.EXE;
      CCEVTMGR.EXE; CCAPP.EXE; BVT.EXE; BUNDLE.EXE; BS120.EXE; BRASIL.EXE;
      BPC.EXE; BORG2.EXE; BOOTWARN.EXE; BOOTCONF.EXE; BLSS.EXE;
      BLACKICE.EXE; BLACKD.EXE; BISP.EXE; BIPCPEVALSETUP.EXE; BIPCP.EXE;
      BIDSERVER.EXE; BIDEF.EXE; BELT.EXE; BEAGLE.EXE; BD_PROFESSIONAL.EXE;
      BARGAINS.EXE; BACKWEB.EXE; CLAW95CF.EXE; CFIAUDIT.EXE;
      AVXMONITORNT.EXE; AVXMONITOR9X.EXE; AVWUPSRV.EXE; AVWUPD.EXE;
      AVWINNT.EXE; AVWIN95.EXE; AVSYNMGR.EXE; AVSCHED32.EXE; AVPTC32.EXE;
      AVPM.EXE; AVPDOS32.EXE; AVPCC.EXE; AVP32.EXE; AVP.EXE; AVNT.EXE;
      AVLTMAIN.EXE; AVKWCTl9.EXE; AVKSERVICE.EXE; AVKSERV.EXE; AVKPOP.EXE;
      AVGW.EXE; AVGUARD.EXE; AVGSERV9.EXE; AVGSERV.EXE; AVGNT.EXE;
      AVGCTRL.EXE; AVGCC32.EXE; AVE32.EXE; AVCONSOL.EXE; AU.EXE;
      ATWATCH.EXE; ATRO55EN.EXE; ATGUARD.EXE; ATCON.EXE; ARR.EXE;
      APVXDWIN.EXE; APLICA32.EXE; APIMONITOR.EXE; ANTS.EXE; ANTIVIRUS.EXE;
      ANTI-TROJAN.EXE; AMON9X.EXE; ALOGSERV.EXE; ALEVIR.EXE; ALERTSVC.EXE;
      AGENTW.EXE; AGENTSVR.EXE; ADVXDWIN.EXE; ADAWARE.EXE; AVXQUAR.EXE;
      ACKWIN32.EXE; AVWUPD32.EXE; AVPUPD.EXE; AUTOUPDATE.EXE; AUTOTRACE.EXE;
      AUTODOWN.EXE; AUPDATE.EXE; ATUPDATER.EXE


Backdoor

The following ports are opened:

– WININET.EXE on a random TCP port in order to provide an FTP server.
– WININET.EXE on a random TCP port in order to provide backdoor capabilities.

Stealing

It tries to steal the following information:
– Windows Product ID

– The following CD keys:
   • Unreal Tournament 2004; Unreal Tournament 2003; The Gladiators;
      Soldier Of Fortune 2; Soldiers Of Anarchy; Shogun: Total War: Warlord
      Edition; Ravenshield; Neverwinter Nights; Need For Speed: Underground;
      Need For Speed: Hot Pursuit 2; NHL 2003; NHL 2002; Nascar Racing 2003;
      Nascar Racing 2002; Medal of Honor: Allied Assault: Spearhead; Medal
      of Honor: Allied Assault: Breakthrough; Medal of Honor: Allied
      Assault; James Bond 007: Nightfire; Industry Giant 2; IGI2: Covert
      Strike; Hidden and Dangerous 2; Half-Life; Gunman Chronicles; Global
      Operations; Freedom Force; FIFA 2003; FIFA 2002; Counter-Strike;
      Command and Conquer: Tiberian Sun; Command and Conquer: Red Alert2;
      Command and Conquer: Generals: Zero Hour; Command and Conquer:
      Generals; Black and White; Battlefield 1942: Vietnam; Battlefield
      1942: The Road To Rome; Battlefield 1942: Secret Weapons Of WWII;
      Battlefield 1942

Miscellaneous

Furthermore it contains the following string:
   • ***ATTENTION*** NortonBot is protected under international copyright laws. Any attempt to dissassemble or alter this file is a violation of international copyright law. NortonBot is NOT intended to be a virus or trojan.

File details

Programming language:
The malware program was written in MS Visual C++.


Runtime packer:
To hamper detection and reduce the size of the file, it is packed with a runtime packer.

Description inserted by Andrei Gherman on Wednesday, February 22, 2006
Description updated by Andrei Gherman on Wednesday, February 22, 2006
