Alias: Gaobot
Agobot is a backdoor IRC network worm that exploits three
known system vulnerabilities. Patches that fix these
vulnerabilities are listed below. Depending on the variant, the
worm drops the following files into the Windows system folder:
SCVHOST.EXE, LSAS.EXE, WINHLPP32.EXE,
and IEXPLORE.EXE. The dropped file is then
added to the registry paths:
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Config Loader]
and
[HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\Config Loader]
InVircible intercepts the dropped file, stopping it
from executing and infecting the system.
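The file names and registry values described above can be checked for in a registry export. The following is an added example, not part of the original description or of InVircible; it assumes the export is in .reg text format and already decoded, and the function name and sample export are constructed for illustration.

```python
import re

# Indicators taken from the description above.
RUN_KEYS = {
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
    r"hkey_local_machine\software\microsoft\windows\currentversion\runservices",
}
VALUE_NAME = "config loader"
DROPPED_NAMES = {"scvhost.exe", "lsas.exe", "winhlpp32.exe", "iexplore.exe"}

VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')  # "name"="data"
EXE_RE = re.compile(r'([^\\/"]+\.exe)', re.IGNORECASE)  # file name, path stripped

# Constructed sample export (assumed already decoded to text), not real data.
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ExampleTray"="tray.exe"
"Config Loader"="scvhost.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"Updater"="C:\\WINDOWS\\System32\\lsas.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer]
"Config Loader"="ignored.exe"
'''


def scan_reg_export(text):
    """Return (key, value name, data, reasons) for each suspicious autorun value."""
    findings, key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]  # section header names the current key
            continue
        m = VALUE_RE.match(line)
        if not m or key is None or key.lower() not in RUN_KEYS:
            continue  # only string values under Run / RunServices matter here
        name = m.group(1)
        data = re.sub(r"\\(.)", r"\1", m.group(2))  # undo .reg escaping
        exe = EXE_RE.search(data)
        reasons = []
        if name.lower() == VALUE_NAME:
            reasons.append("value name")
        if exe and exe.group(1).lower() in DROPPED_NAMES:
            reasons.append("file name")
        if reasons:
            findings.append((key, name, data, reasons))
    return findings
```

A "file name" hit on IEXPLORE.EXE alone needs its path reviewed, since the description above places the dropped copy in the Windows system folder.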
It is important to install the security patches for the
vulnerabilities exploited by Agobot. They are available,
with further information, at the following links:
RPC/DCOM (MS03-026, fixed by MS03-039):
http://www.microsoft.com/technet/security/bulletin/MS03-039.asp
RPC/Locator (MS03-001):
http://www.microsoft.com/technet/security/bulletin/MS03-001.asp
WebDAV (MS03-007):
http://www.microsoft.com/technet/security/bulletin/MS03-007.asp