Backdoor.Agobot
Name: Backdoor.Agobot
Aliases: Backdoor.Agobot.3.Gen, Win32.P2P.Spybot.Gen, Backdoor.SDBot.Gen
Type: Executable Backdoor Worm
Size: Depends on variant
First appeared on: 01.10.2003
Damage: Medium
Brief Description: This is a classical backdoor: it allows a 'master' to
control the victim machine remotely by sending commands via IRC channels.
Agobot copies itself into the Windows directory under random names and then
registers itself in the system registry auto-run keys.
Visible Symptoms: The symptoms vary with each variant:
- suspect running process(es) - the name of the executable varies
- suspect registry keys, usually an entry in
  [HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
- unusual internet traffic
- unusual TCP/UDP open ports listed by the "netstat -a" command
- unusual computer behaviour
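The symptom checks above can be scripted for triage. The following is an added example, not code from the original AntivirusWorld page: it parses the text output of `reg query` on the Run key and of `netstat -a -n`, both supplied here as constructed samples, and flags Run-key images that live in the Windows directory without being a known system autorun, plus established TCP sessions to the default IRC port. The allowlist, the sample entry names and the port 6667 are assumptions, since real variants use random file names and attacker-chosen servers.

```python
import re
# Constructed sample of `reg query "HKLM\Software\Microsoft\Windows\CurrentVersion\Run"` output.
REG_QUERY_SAMPLE = r"""
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    SecurityHealth    REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe
    Configuration Loader    REG_SZ    C:\WINDOWS\svhost32.exe
    OneDrive    REG_SZ    "C:\Users\bob\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
"""
# Constructed sample of `netstat -a -n` output (addresses from documentation ranges).
NETSTAT_SAMPLE = """
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    192.168.1.20:1043      203.0.113.7:6667       ESTABLISHED
  TCP    192.168.1.20:1044      198.51.100.9:443       ESTABLISHED
"""
# Assumptions: a small allowlist of legitimate Windows-directory autoruns and the default IRC port.
KNOWN_WINDOWS_AUTORUNS = {"securityhealthsystray.exe"}
IRC_PORTS = {6667}  # real variants connect to attacker-chosen servers and ports
RUN_LINE = re.compile(r"^\s+(.+?)\s{2,}(REG_[A-Z_]+)\s+(.*)$")
IMAGE_PATH = re.compile(r'^\s*"?([^"]+?\.exe)', re.IGNORECASE)
NETSTAT_LINE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+(\S+))?")

def parse_run_key(reg_output):
    """Return (value name, image path) pairs parsed from the reg query text."""
    entries = []
    for line in reg_output.splitlines():
        m = RUN_LINE.match(line)
        img = IMAGE_PATH.match(m.group(3)) if m else None
        if img:
            entries.append((m.group(1), img.group(1)))
    return entries

def suspect_autoruns(reg_output):
    """Flag Run entries whose image sits in the Windows directory (where the bot hides) but is not allowlisted."""
    flagged = []
    for name, path in parse_run_key(reg_output):
        norm = re.sub(r"%(windir|systemroot)%", r"C:\\Windows", path, flags=re.I).lower()
        if norm.startswith("c:\\windows\\") and norm.rsplit("\\", 1)[-1] not in KNOWN_WINDOWS_AUTORUNS:
            flagged.append((name, path))
    return flagged

def irc_connections(netstat_output, ports=IRC_PORTS):
    """Return (local, foreign) pairs for established TCP sessions whose remote port is an IRC port."""
    hits = []
    for line in netstat_output.splitlines():
        m = NETSTAT_LINE.match(line)
        if m and m.group(1) == "TCP" and m.group(4) == "ESTABLISHED":
            if int(m.group(3).rsplit(":", 1)[1]) in ports:
                hits.append((m.group(2), m.group(3)))
    return hits
```

On a live host, feed the two functions the real command output instead of the constructed samples; a hit in both lists (an unknown Windows-directory autorun plus an IRC session) matches the infection pattern described on this page.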
Technical description: First, what is an IRC bot?
An IRC bot is a program that stays in an IRC channel, keeping it open 24 hours a
day, looking like a normal user but just waiting for specific commands to be
issued to it. Normally, they are NOT malicious and were developed to help
maintain an IRC channel or an IRC community. Those IRC bots are operated by
channel operators and they are safe.
Now, all three families:
- Backdoor.SDBot
- Backdoor.Agobot.3
- Win32.P2P.Spybot
are IRC bots based on the same "evil" IRC bot source.
Once the bot has been run on the victim's computer, it will:
- attempt to terminate various antivirus/security applications
- create and hide a copy of itself in another location (usually inside the
  Windows folder, and inside P2P shared folders)
- create a registry key that will start the bot each time Windows starts
- connect to a predefined IRC server and join a specific channel, where it waits
  for commands to be issued by an attacker
Using these bots, an attacker could:
- Using the victim's computer:
  - using multiple infected computers, perform a DDoS attack on a specific IP
    address/website
  - perform various types of flood on a target IP address
  - attack other computers or a website using specific exploits/vulnerabilities
    (RPC/DCOM, RPC/Locator, WebDAV, etc.)
  - scan/search for other vulnerable hosts and attempt to install itself on them
- On the victim's computer:
  - change bot internal parameters, update the bot with a newer version, etc.
  - use the host as a TCP proxy (as a send-through)
  - redirect HTTP traffic
  - steal CD keys from various applications/games
  - steal personal information, passwords, etc.
  - display/change various information
  - download and upload files
  - delete/modify files
  - execute programs
  - terminate processes, reboot or shut down the computer
  - and much more, depending on what has been added to the original source
Each newer version operates on the same ground as the old ones, but new code is
also added to make the bot more powerful and harder to detect.
Propagation: -
Removal tool and instructions:
Once an infected file has been identified, the process should be terminated, the
registry key removed and the file deleted.
AntivirusWorld recommends:
If you're not sure you can remove the virus manually, buy one of the following
antiviruses:
by http://www.antivirusworld.com/