
Backdoor:W32/Agobot.FO is a variant from the Agobot backdoor family. This backdoor has functionality similar to previously released variants, but is more powerful, being able to harvest email addresses, launch Distributed Denial of Service (DDoS) attacks and more. Agobot.FO propagates over network shares.

When Agobot first enters a system it copies itself to the System Directory using the filename 'scvhost.exe'. This file is then added to the registry as

IRC backdoor

After startup Agobot connects to a predefined IRC server on port 9900. On the server it joins a channel and awaits further commands. The IRC interface provides the remote attacker with a set of commands to: control the bot (IRC name it uses, IRC channel, etc.); download and execute arbitrary programs on the computer; scan for vulnerable hosts and install the worm on them; perform Distributed Denial of Service (DDoS) attacks; steal CD keys of games.

Network propagation

Agobot has several different methods to spread through the network. The RPC/DCOM and RPC/Locator vulnerability based spreading routines are enabled by default. The worm starts to scan for vulnerable hosts with these upon execution. Using these exploits Agobot scans random IP addresses. If it can successfully penetrate a host it downloads itself there. The download comes from the attacker host, from a random port where the worm runs a simple server that responds with the worm as an answer when connected. The worm is copied to a file called 'winhlpp32.exe' on the remote host and started.

Another method of spreading uses the WebDAV (MS03-007) vulnerability to copy the worm to the remote host.

To propagate in local area networks Agobot has a separate routine that connects to Windows computers and tries to copy itself using the Administrator account, trying different trivial passwords. The worm has the translated names for administrator (e.g. Administrateur) and a list of insecure passwords like 'password', 'xyz' etc.
