Internet threat level: 1
Home→Descriptions→Backdoor.Win32.Agobot.a
Backdoor.Win32.Agobot.a
| Detected | Aug 21 2003 00:32 GMT |
| Released | Aug 21 2003 00:32 GMT |
| Published | Apr 17 2004 16:11 GMT |
Technical Details
Backdoor.Agobot (also known as PhatBot) is a Trojan program which provides the author/ user with remote access to the victim machine. It is managed via IRC. It has a wide range of functionalities:
- will not work with a debugger running or under Vmware
- it can run both as a standard application and as a service (when running under Windows NT/2000/XP)
- when copying itself to the Windows system folder (on first being launched) it attmepts to encode the copy and write the decoder to the body of the copy (polymorphic code)
- adds to the HOSTS file the IP address 127.0.0.1 for the sites of some antivirus companies (to hinder the updating of antivirus databases)
- monitors the network and copies all interesting packets (e.g. packets containing passwords for FTP servers, e-payment systems such as PayPal etc.)
- scans other computers for the presence of common vulnerabilities such as DCOM RPC, UpnP, WebDAV and others, and then installs itself on the vulnerable machine
- searches the victim machine for AOL logs, passwords for certain computer games, and email addresses, and sends all this information to its author/ user
- conducts DoS attacks (SYN-flood, Targa and others)
- launches proxy servers on the victim machine (HTTP, HTTPS, SOCKS, BNC and others)
- expedites the uploading of additional modules (plug-ins)
Backdoors are designed to give malicious users remote control over an infected computer. In terms of functionality, Backdoors are similar to many administration systems designed and distributed by software developers.
These types of malicious programs make it possible to do anything the author wants on the infected computer: send and receive files, launch files or delete them, display messages, delete data, reboot the computer, etc.
The programs in this category are often used in order to unite a group of victim computers and form a botnet or zombie network. This gives malicious users centralized control over an army of infected computers which can then be used for criminal purposes.
There is also a group of Backdoors which are capable of spreading via networks and infecting other computers as Net-Worms do. The difference is that such Backdoors do not spread automatically (as Net-Worms do), but only upon a special “command” from the malicious user that controls them.
Backdoor.
- Backdoor.
Agobot. a (Kaspersky Lab) - Backdoor.
Agobot. 3. a (Kaspersky Lab) - Backdoor.
Agobot. 3 (Kaspersky Lab) - W32/Agobot-Y (Sophos)
- Exploit.
DCOM. Gen (ClamAV) - W32/Gaobot.
gen. worm (Panda) - W32/IRCBot-based!Maximus (FPROT)
- Backdoor:
IRC/Leetbot (MS(OneCare)) - Win32.
HLLW. Agobot. 7 (DrWeb) - NewHeur_PE (Nod32)
- Generic.
Sdbot. 08B6D5FE (BitDef7) - Worm.
SdBot. Gen. 26 (VirusBuster) - BDS/SdBot.
Q. Plus (AVIRA) - W32.
HLLW. Gaobot. gen (NAV) - W32/Gaobot.
worm. gen. d (NAI) - WORM_SDBOT.
GEN-1 (PCCIL)
© 1997-2012 Kaspersky Lab ZAO. All Rights Reserved.
Industry-leading Antivirus Software.
Registered trademarks and service marks are the property of their respective owners.