Yes, another thread by cozak the noob. I have a problem: when I start my computer up now, this cmd thingy keeps popping up. I can't end it in Task Manager or anything, and it's very annoying!
Ok, the firewall closed for some reason, so whatever it is connected to started going on about trying to send my username and nick, then lots of random stuff about IRC and threads and changing privileges etc.
The symptoms you are describing belong to a worm on your PC called agobot.
Summary
A "family" of worms referred to as NDemon, Phatbot, Agobot or Gaobot are infecting a large number of machines across the Internet. They spread through a number of mechanisms, including password guessing (looking for accounts with weak passwords), scanning for open file shares, and identifying machines without vital security patches.
Microsoft Windows users are strongly encouraged to take the following steps to reduce their exposure to this new threat - for details on how to make these changes, please consult ITSS: Secure Desktop Computing.
- Be sure that every user account on your computer is protected by a strong password, and that inactive accounts are disabled or removed entirely.
How to set passwords on your computer
Rules for picking a good password
How to create and configure user accounts in Windows XP
- If you don't share files or printers on your Windows PC with other Windows users over the network, disable file and printer sharing on your system. [If you're not sure whether or not you need to share files, you probably don't!]
Securing file and printer sharing in Windows
- Limit your non-work related Web browsing, and be careful about your Web browsing destinations wherever you do your surfing. Many Windows attacks are launched through malicious Web sites and pop-up ads, so staying away from sites with lots of pop-ups may make you a bit safer.
- Turn your computer off when you're going to be away from it for more than 4-6 hours (nights, weekends).
And remember -- no one program or configuration change or action on your part will protect you from every computer attack out there, no matter what operating system you use. Each of these measures will help. Additional information on protecting your computer, along with current information about recovering infected machines is provided in the Countermeasures section below.
Technical Details
Agobot uses a variety of mechanisms to infect a Windows computer: it scans for systems without last summer's RPC/DCOM updates or the Windows Workstation update; it looks for the backdoor left by the MyDoom virus; it checks for the DameWare remote management program; it checks to see if the victim machine allows network users to access its folders and shares; if all else fails it will try to find usernames with weak passwords. So the best defense against these attacks is up-to-date software, disabled file sharing and good passwords.
Once a machine is infected, the attacker can perform a variety of evil tricks. Agobot prevents over 600 other Windows processes from running -- mostly anti-virus and personal firewall applications, but also some "competing" infections like Blaster and Sobig. It steals CD keys for a number of popular computer games. It listens to your Web and FTP traffic to capture usernames and passwords, and is especially tweaked to capture information to and from PayPal.
The Agobot family of worms share the following properties:
* Controlled via Internet Relay Chat (IRC), which means that it's a backdoor that does not leave a network port open (i.e. you can't scan for infected machines directly)
* May infect a machine using a variety of mechanisms:
o User accounts with admin privileges and weak or non-existent passwords
o Microsoft file sharing enabled to allow access to system folder
o Automatic scanning and infection of machines without the RPC/DCOM (MS03-026) or RPC/Locator (MS03-001) Windows operating system patches
o Remotely triggered scanning and infection of machines running Internet Information Services (MS IIS), without the patch for the WebDAV vulnerability (MS03-007).
o Remote detection and communication through the backdoors left by the MyDoom virus (TCP/3127), the Bagle virus (TCP/2745) and the DameWare exploit (TCP/6129).
* Worm replaces the infected machine's %Windows%\system32\drivers\etc\hosts file with a file that effectively disables access to the Web sites of the major anti-virus vendors (including Symantec, Sophos, McAfee and F-Secure, amongst many others).
Countermeasures
Unlike many less dangerous Windows attacks, the Agobot family uses many mechanisms to infect machines. One of the most pernicious of these is its ability to use Microsoft file and printer sharing to install itself on a victim machine. This is not due to a bug or a vulnerability in Windows -- it's possible because many Windows computers are configured to allow easy network access to files and printers. In many cases, the Windows user doesn't know that their machine is allowing network access.
If you're not using Windows file sharing to distribute data on your machine to network users, please disable it - you'll protect yourself from the Phatbot attacks and from unintentionally giving away access to your computer. If you need to provide network access to data on your computer, you might want to consider more secure options:
- On Windows XP Professional, disable the Simple File Sharing capability -- require that users be authenticated before they can access your machine. More information on this capability is available in the Install required services: File Sharing section of the XP best practices guide (and in the references in that document).
- Stanford provides the AFS service to allow secure data transfer between computers. To use AFS on Windows, install PC-Leland. Once PC-Leland is installed, add PC-AFS to share files securely -- this phase requires you to reboot your PC.
If you must use Windows' native file and printer sharing functionality, please consult Microsoft's document How to disable simplified sharing and set permissions on a shared folder in Windows XP for guidance on limiting access to your shared resources.
To identify machines infected with this family of worms:
- Look for a HOSTS file that redirects queries for AV websites to the localhost, i.e. with entries like:
- Look for machines generating an unusual amount of outbound network traffic, especially on ports TCP/135, TCP/445 and TCP/80. You may also see traffic on TCP/1025, TCP/3127 (MyDoom), TCP/2745 (Bagle) and TCP/6129 (DameWare). End users may complain that their computer is having network problems, or seems really slow.
- Infected machines cannot update their AV software -- for Symantec, the little shield icon in the toolbar may indicate an error by showing a red X or bar.
- Some infected machines are so damaged that regedit and regedt32 will not run.
Removal
As usual, if your machine is infected with one of the Agobot worms, the most conservative recommendation is to back up the data on the machine, re-format the hard drive, and re-install the operating system and all applications. This worm family is particularly difficult to remove from machines, which makes the "re-install" advice even more appropriate -- in many cases, rebuilding an infected machine "from scratch" will take LESS time and energy than trying to remove the infection without rebuilding.
If you rebuild from scratch, before starting, download the appropriate versions of the MS04-011 and MS04-012 patches and burn these to a CDROM (or have a friend do so). Then re-install Windows without being connected to the network. After that use the CD to install the above patches. Finally, plug in the network and go to Windows Update and install any other patches. The reason for these steps is to try to prevent you from getting re-infected during the build process.
Most anti-virus companies have released signatures to detect the Agobot family, but since the worm interferes with AV software, relying solely on anti-virus software for protection in this situation isn't very effective. Unfortunately there are so many Agobot variants that none of the stand-alone cleaning tools are guaranteed to repair a damaged machine. But here's what we know.
The general procedure for removing an Agobot infestation is to boot the infected machine into Safe Mode (which disables the system recovery capability), and then to run one or more of the manual Agobot removal tools. ITSS has had several reports that more than one cleaning tool was required to get rid of all traces of Agobot infections; infected machines also frequently require manual registry edits for full recovery.
Starting your computer in Safe Mode
To further assist with recovering infected machines, many AV vendors have provided manual cleaning tools. ISS (security@stanford.edu) would appreciate hearing about your experience using these tools - did they remove the virus?
NEW: Symantec has several removal tools on the following page. The tools that came after W32.Sober (those earlier in the list) might be useful:
Trend Micro's House Call tool
Trend Micro's particularly well-written document on removing the infection
According to members of the Forum of Incident Response and Security Teams, as well as participants in the intrusions@incidents.org mailing list, the removal tool provided by F-Secure is the most effective at completely removing members of the Phatbot/Agobot worm family. But none of the tools is guaranteed to remove all signs of infestation, which is why we've listed all of them here.
Columbia University's GAOBOT removal instructions
Yale University update on Gaobot worm variants
More tech documentation from Yale on Gaobot
Other hints:
Take a look at the Windows registry for keys related to Agobot variants (as reported in the references in this document). Many folks have reported that manual registry changes are required even when the removal tools have been employed.
Occasionally the cleaning tools will not run, or will not perform any action, because a rogue process associated with the infection is blocking them. In these cases, killing the rogue process may help. However, there's no single name of a process to look for -- the variants hide the rogue process with different names (including but certainly not limited to SYSCONF.EXE, REGSVC32.EXE or MSDTC32.EXE).
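The two host-based indicators in the advisory above (a HOSTS file that sinkholes anti-virus vendor domains, and an unusual volume of outbound connections on the listed ports) can be checked with a small triage script. The following is an added example written for this thread; it is not code from the original post, from ITSS, or from any of the vendors mentioned. The vendor domain list, the port table and the sample HOSTS file and connection records are all constructed for illustration, and a real triage would read `%Windows%\system32\drivers\etc\hosts` and the output of `netstat` instead of the embedded samples.

```python
"""Defender-side triage helpers for the Agobot/Phatbot indicators above.

Added example, not part of the original thread or advisory. The domain list,
port table and sample data are constructed; adapt them to your environment.
"""

# AV vendor domains named in the advisory (constructed list; the real worm's
# HOSTS file blocks many more).
AV_DOMAINS = ("symantec.com", "sophos.com", "mcafee.com", "f-secure.com")

# Addresses the worm points vendor names at so updates and downloads fail.
SINKHOLE_IPS = {"127.0.0.1", "0.0.0.0"}

# Constructed sample HOSTS file in the shape the advisory describes.
SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       www.symantec.com
127.0.0.1       securityresponse.symantec.com
127.0.0.1       www.sophos.com
0.0.0.0         download.mcafee.com
192.168.1.10    fileserver.example.internal   # legitimate local entry
"""

# Ports named in the advisory, with what traffic on each one suggests.
WATCH_PORTS = {
    135: "RPC/DCOM scanning",
    445: "SMB / file sharing scanning",
    80: "HTTP (also normal Web browsing, so use a threshold)",
    1025: "RPC scanning",
    3127: "MyDoom backdoor",
    2745: "Bagle backdoor",
    6129: "DameWare backdoor",
}

# Constructed netstat-style records: (local_addr, remote_addr, remote_port, state).
# Eight SYN_SENT attempts to port 445 on consecutive hosts is the scanning
# pattern the advisory warns about; the rest is ordinary background traffic.
SAMPLE_CONNECTIONS = (
    [("10.0.0.5", "10.0.0.%d" % n, 445, "SYN_SENT") for n in range(20, 28)]
    + [("10.0.0.5", "10.0.1.7", 3127, "SYN_SENT"),
       ("10.0.0.5", "10.0.1.8", 3127, "SYN_SENT"),
       ("10.0.0.5", "203.0.113.10", 80, "ESTABLISHED"),
       ("10.0.0.5", "203.0.113.11", 80, "ESTABLISHED"),
       ("10.0.0.5", "203.0.113.12", 80, "TIME_WAIT"),
       ("10.0.0.5", "203.0.113.20", 443, "ESTABLISHED")]
)


def is_av_domain(hostname):
    """True if hostname is one of the watched vendor domains or a subdomain of one."""
    name = hostname.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in AV_DOMAINS)


def find_av_sinkholes(hosts_text):
    """Return (ip, hostname) pairs where a vendor host is mapped to a sinkhole address.

    Comments (# ...) and blank lines are ignored, as the HOSTS file format allows.
    """
    hits = []
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        ip, names = parts[0], parts[1:]
        if ip not in SINKHOLE_IPS:
            continue  # a normal static entry, e.g. a local file server
        for name in names:
            if is_av_domain(name):
                hits.append((ip, name.lower()))
    return hits


def summarize_outbound(connections, threshold=5):
    """Count outbound connections per watched port and return the ports whose
    count reaches threshold, as {port: (count, description)}."""
    counts = {}
    for _local, _remote, port, _state in connections:
        if port in WATCH_PORTS:
            counts[port] = counts.get(port, 0) + 1
    return {p: (c, WATCH_PORTS[p]) for p, c in counts.items() if c >= threshold}


if __name__ == "__main__":
    for ip, name in find_av_sinkholes(SAMPLE_HOSTS):
        print("HOSTS sinkhole:", ip, "->", name)
    for port, (count, why) in summarize_outbound(SAMPLE_CONNECTIONS).items():
        print("Outbound TCP/%d x%d: %s" % (port, count, why))
```

The sinkhole check deliberately ignores entries that point at real addresses, so a legitimate local mapping in the same file does not raise a false alarm, and the port summary uses a threshold because TCP/80 traffic is normal Web browsing and only its volume is suspicious.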