
List:       full-disclosure
Subject:    Re[2]: [Full-Disclosure] Look what's back for New Years
From:       Papp Geza <pappgeza () tolna ! net>
Date:       2003-12-31 0:37:59
Message-ID: 12178207046.20031231013759 () tolna ! net

Hello
On 2003. december 31., 0:12:59, you wrote:

> > me off-list and I'll zip it to you). Headers etc below for
> > your amusement.

BZ> Back???
BZ> They never stopped. It's Gibe-F.
BZ>   part000.txt - is OK
BZ> http://www.nod32.com

RPC-DCOM viruses never stopped; other, newer variants are around.
I received this mail 10 minutes ago.

W32/Agobot-BT
Aliases: W32.HLLW.Gaobot.gen
Type: Win32 worm

Description
W32/Agobot-BT is a network worm which also allows unauthorised remote access to the computer via IRC channels. W32/Agobot-BT copies itself to network shares with weak passwords and attempts to spread to computers using the DCOM RPC and the RPC locator vulnerabilities.

These vulnerabilities allow the worm to execute its code on target computers with System level privileges. For further information on these vulnerabilities and for details on how to protect/patch the computer against such attacks please see Microsoft security bulletins MS03-001 and MS03-026. MS03-026 has been superseded by Microsoft security bulletin MS03-039.

W32/Agobot-BT copies itself to the Windows system folder as sysinfo.exe and creates the following registry entries to run itself on system restart:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Configuration Loader

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\Configuration Loader

Each time W32/Agobot-BT is run it attempts to connect to a remote IRC server and join a specific channel.

W32/Agobot-BT attempts to terminate various processes related to anti-virus and security software (e.g. SWEEP95.EXE, BLACKICE.EXE and ZONEALARM.EXE).




-- 
Regards,
  GEza                             mailto:pappgeza@tolna.net



_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
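An added example, not part of the post above or of the quoted vendor description: a Python script that scans an exported registry file for the two persistence indicators the description lists, a "Configuration Loader" value under the Run/RunServices keys and any start-up value that launches sysinfo.exe. The `.reg` sample embedded below is constructed for the example, and the parser and function names are my own; the only facts taken from the post are the key paths, the value name and the file name.

```python
import re

# Indicators taken from the W32/Agobot-BT description quoted in the post.
# .reg exports spell the hive out as HKEY_LOCAL_MACHINE; the description uses HKLM.
PERSISTENCE_KEYS = {
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run".lower(),
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices".lower(),
}
VALUE_NAME = "configuration loader"
DROPPED_FILE = "sysinfo.exe"

# Constructed (hypothetical) sample of what a `reg export` of the CurrentVersion
# key could look like on an infected host; only the Agobot-BT lines come from
# the description, the rest is filler to show that benign values are ignored.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Configuration Loader"="sysinfo.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"Configuration Loader"="C:\\WINDOWS\\System32\\sysinfo.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer]
"ShellState"=hex:24,00
"""

# A REG_SZ line in a .reg export: "name"="data" (data is backslash-escaped).
_VALUE_RE = re.compile(r'^"(.*?)"="(.*)"$')


def _unescape(s):
    """Undo the .reg file escaping of double quotes and backslashes."""
    return s.replace('\\"', '"').replace("\\\\", "\\")


def parse_reg_export(text):
    """Return (key, value_name, data) tuples for the REG_SZ values of a .reg export.

    Binary and dword values (hex:, dword:) are skipped: only string values can
    name a program to run at start-up, which is what we are looking for.
    """
    entries = []
    current_key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1]
            continue
        m = _VALUE_RE.match(line)
        if m and current_key is not None:
            entries.append((current_key, _unescape(m.group(1)), _unescape(m.group(2))))
    return entries


def find_agobot_persistence(entries):
    """Flag Run/RunServices values matching the Agobot-BT persistence indicators.

    A hit is either the value name 'Configuration Loader' or any start-up value
    whose command (path or bare file name) is sysinfo.exe.
    """
    hits = []
    for key, name, data in entries:
        if key.lower() not in PERSISTENCE_KEYS:
            continue
        # Isolate the program from its arguments; quoted paths may contain spaces.
        cmd = data.strip()
        if cmd.startswith('"') and '"' in cmd[1:]:
            cmd = cmd[1:cmd.index('"', 1)]
        else:
            cmd = cmd.split(" ")[0]
        basename = cmd.rsplit("\\", 1)[-1].lower()
        if name.lower() == VALUE_NAME or basename == DROPPED_FILE:
            hits.append({"key": key, "value_name": name, "data": data})
    return hits


if __name__ == "__main__":
    for hit in find_agobot_persistence(parse_reg_export(SAMPLE_REG_EXPORT)):
        print(f"[{hit['key']}] \"{hit['value_name']}\" = {hit['data']}")
```

On a real host the input would be the output of `reg export` for the CurrentVersion key, run from a clean boot environment since the worm kills security tools on the live system. The check matches only the names this variant uses; a rename in a later variant defeats the value-name and file-name tests, so the more durable control is the patch level the description points at (MS03-001 and MS03-039) together with blocking the RPC ports at the perimeter.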

