Virus: Worm/Agobot.100864
Date discovered: 27/09/2004
Type: Worm
In the wild: Yes
Reported Infections: Low
Distribution Potential: Medium
Damage Potential: Medium
Static file: Yes
File size: 100.864 Bytes
MD5 checksum: defc586fbd422d466a6bab7dfec48517
VDF version: 6.27.00.74

General
Method of propagation:
• Local network

Aliases:
• Symantec: W32.HLLW.Gaobot
• TrendMicro: WORM_SDBOT.CHH
• Sophos: Exp/MS05039-A
• Grisoft: IRC/BackDoor.SdBot.LNF
• VirusBuster: Worm.SdBot.BIY
• Eset: Win32/TrojanDropper.ErPack
• Bitdefender: Backdoor.SDBot.DEB

Platforms / OS:
• Windows 95
• Windows 98
• Windows 98 SE
• Windows NT
• Windows ME
• Windows 2000
• Windows XP
• Windows 2003

Side effects:
• Registry modification
• Makes use of software vulnerability
• Third party control

Files
It copies itself to the following location:
• %SYSDIR%\svchosts32.exe

Registry
The following registry keys are added in order to run the processes after reboot:
– HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  • "ScHost"="svchosts32.exe"
– HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
  • "ScHost"="svchosts32.exe"

The following registry keys are added:
– HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
  • "DisableSR"="1"
– HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows
  • "DisableSR"="1"
– HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
  • "NoAutoUpdate"="1"
  • "AUOptions"="1"
– HKCU\Software\Policies\Microsoft\Windows\WindowsUpdate\AU
  • "NoAutoUpdate"="1"
  • "AUOptions"="1"
– HKLM\SYSTEM\CurrentControlSet\Control\Lsa
  • "AUOptions"="1"

The following registry keys are changed:
– HKLM\SOFTWARE\Microsoft\Security Center
  Old value:
  • "FirewallDisableNotify"=%user defined settings%
  • "UpdatesDisableNotify"=%user defined settings%
  • "AntiVirusDisableNotify"=%user defined settings%
  New value:
  • "FirewallDisableNotify"="1"
  • "UpdatesDisableNotify"="1"
  • "AntiVirusDisableNotify"="1"
– HKCU\Software\Microsoft\Security Center
  Old value:
  • "FirewallDisableNotify"=%user defined settings%
  • "UpdatesDisableNotify"=%user defined settings%
  • "AntiVirusDisableNotify"=%user defined settings%
  New value:
  • "FirewallDisableNotify"="1"
  • "UpdatesDisableNotify"="1"
  • "AntiVirusDisableNotify"="1"
– HKLM\SYSTEM\CurrentControlSet\Control\Lsa
  Old value:
  • "restrictanonymous"=%user defined settings%
  New value:
  • "restrictanonymous"="0"

Network Infection
In order to ensure its propagation the malware attempts to connect to other machines as described below.

It drops copies of itself to the following network shares:
• admin$
• ipc$
• d$
• c$

Exploit:
It makes use of the following exploits:
– MS04-007 (ASN.1 Vulnerability)
– MS05-039 (Vulnerability in Plug and Play)

IRC
To deliver system information and to provide remote control it connects to the following IRC server:
Server: panspn.mast**********
Port: 6667
Server password: killer
Channel: #panspn
Nickname: pa|%six-digit random character string%
Password: abcnet

– This malware has the ability to collect and send information such as:
• CPU speed
• Current user
• Free disk space
• Free memory
• Malware uptime
• Information about the network
• Size of memory
• Username
• Information about the Windows operating system

– Furthermore it has the ability to perform actions such as:
• Launch DDoS SYN flood
• Launch DDoS TCP flood
• Launch DDoS UDP flood
• Disable network shares
• Disconnect from IRC server
• Download file
• Edit registry
• Enable network shares
• Execute file
• Join IRC channel
• Leave IRC channel
• Perform DDoS attack
• Perform network scan
• Perform port redirection
• Start spreading routine
• Update itself
• Upload file
• Visit a website

Backdoor
The following port is opened:
– %SYSDIR%\svchosts32.exe on a random TCP port in order to provide a SOCKS 4 proxy server.

File details
Programming language:
The malware program was written in MS Visual C++.

Runtime packer:
In order to hinder detection and reduce the size of the file it is packed with a runtime packer.
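A defender's check for the registry changes listed above, added here as an example that is not part of this description: it parses a `reg export` (.reg) file and flags the value names and settings this worm writes. The key paths, value names and values are the ones on this page, spelled in the HKEY_LOCAL_MACHINE form a .reg file uses; the .reg input is constructed.

```python
# Indicators from the description above (HKLM written out as a .reg export spells it).
INDICATORS = {
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "ScHost"): "svchosts32.exe",
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices", "ScHost"): "svchosts32.exe",
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center", "FirewallDisableNotify"): "1",
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center", "UpdatesDisableNotify"): "1",
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center", "AntiVirusDisableNotify"): "1",
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU", "NoAutoUpdate"): "1",
    (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa", "restrictanonymous"): "0",
}

def normalize(value):
    """Turn a .reg value literal into a plain string: "abc" -> abc, dword:00000001 -> 1."""
    value = value.strip()
    if value.lower().startswith("dword:"):
        return str(int(value[6:], 16))
    return value.strip('"')

def parse_reg_export(text):
    """Map (key path, value name) -> normalized value for every value line of a .reg export."""
    entries, key = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and line.startswith('"') and "=" in line:
            name, _, value = line.partition("=")
            entries[(key, name.strip('"'))] = normalize(value)
    return entries

def find_indicators(reg_text):
    """Return (key, name, value) for each indicator present with the value the worm sets."""
    observed = {(k.lower(), n.lower()): v for (k, n), v in parse_reg_export(reg_text).items()}
    hits = []
    for (key, name), bad in INDICATORS.items():  # registry key and value names are case-insensitive
        value = observed.get((key.lower(), name.lower()))
        if value is not None and value.lower() == bad.lower():
            hits.append((key, name, value))
    return hits

# Constructed sample export: one persistence entry, one notification disabled, one Lsa value.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ScHost"="svchosts32.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirewallDisableNotify"=dword:00000001
"AntiVirusDisableNotify"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"restrictanonymous"=dword:00000000
"""
```

The restrictanonymous=0 setting is also the Windows default, so that hit on its own is corroborating context rather than evidence of infection; the Run/RunServices entry is the strong signal.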
Description inserted by Irina Boldea on Monday, May 15, 2006
Description updated by Irina Boldea on Tuesday, May 16, 2006