Agobot.winhost Spyware/Adware Definition
Name: Agobot.winhost
Category: Worm
Advice: Remove
Risk: Severe Risk
Severe threats typically are remotely exploitable vulnerabilities that can lead to system compromise. Successful exploitation does not normally require any user interaction, and exploits are in the wild. There is a high possibility of system damage or a security flaw. An attacker can gain complete control over your computer or install new software on your machine.
Description:
This memory-resident worm arrives via network shares. Upon execution, it drops a copy of itself in the Windows system folder as the file WINHOST.EXE.
It creates the following registry entries to enable its automatic execution at every system startup:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
win32 = "winhost.exe"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
win32 = "winhost.exe"
HKEY_CURRENT_USER\Software\Microsoft\Ole
win32 = "winhost.exe"
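As an added defender-side example (not part of the original definition), the following PowerShell script checks a Windows host for the indicators described above: the three registry values, the dropped WINHOST.EXE in the system folder, and a running winhost process. Function names and output format are my own. Because the MD5 on this page is truncated, the script reports the file's hash for comparison against the full value from a vendor signature rather than trying to match it.

```powershell
# Added example: read-only check for Agobot.winhost persistence indicators.
# Detection only; nothing is deleted or modified.
# The registry paths and file name come from the definition above;
# function names and the output shape are assumptions of this example.

$Indicators = @(
    @{ Path = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run';         Name = 'win32'; Data = 'winhost.exe' },
    @{ Path = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunServices'; Name = 'win32'; Data = 'winhost.exe' },
    @{ Path = 'HKCU:\Software\Microsoft\Ole';                                Name = 'win32'; Data = 'winhost.exe' }
)

function Test-AgobotRegistry {
    # Emit one record per registry value whose data names winhost.exe.
    foreach ($i in $Indicators) {
        $item = Get-ItemProperty -Path $i.Path -Name $i.Name -ErrorAction SilentlyContinue
        if ($null -ne $item) {
            $data = $item.($i.Name)
            if ($data -and $data.ToString().ToLower().Contains($i.Data)) {
                [PSCustomObject]@{ Indicator = 'Registry'; Location = "$($i.Path)\$($i.Name)"; Value = $data }
            }
        }
    }
}

function Test-AgobotFile {
    # The worm drops itself as WINHOST.EXE in the Windows system folder.
    $file = Join-Path $env:SystemRoot 'System32\winhost.exe'
    if (Test-Path -Path $file) {
        $hash = (Get-FileHash -Path $file -Algorithm MD5).Hash
        [PSCustomObject]@{ Indicator = 'File'; Location = $file; Value = "MD5 $hash" }
    }
}

function Test-AgobotProcess {
    # Memory-resident: a live winhost process is itself an indicator.
    Get-Process -Name winhost -ErrorAction SilentlyContinue | ForEach-Object {
        [PSCustomObject]@{ Indicator = 'Process'; Location = "PID $($_.Id)"; Value = $_.Path }
    }
}

$findings = @(Test-AgobotRegistry) + @(Test-AgobotFile) + @(Test-AgobotProcess)
if ($findings.Count -eq 0) {
    Write-Output 'No Agobot.winhost indicators found.'
} else {
    $findings | Format-Table -AutoSize
}
```

Run it from an elevated PowerShell session so the HKLM keys and System32 are readable. A legitimate file named winhost.exe is unusual but not impossible, so treat the file finding as a lead to confirm against the full hash, while the registry values with that exact name and data are the stronger indicator.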
Network Propagation and Exploits
This worm spreads by dropping copies of itself in the following network shares:
Admin$\system32
C$\Windows\system32
C$\WINNT\system32
It uses cached user names and passwords to gain access to these shares. It may also use a long list of user names and passwords, apart from those it gathers.
This worm also exploits the following Windows vulnerabilities to propagate:
SQL Server Buffer Overflow vulnerability
IIS/WEBDAV vulnerability
RPC/DCOM vulnerability
LSASS vulnerability
More information about these vulnerabilities can be found on the following pages:
Microsoft Security Bulletin MS02-061
Microsoft Security Bulletin MS03-007
Microsoft Security Bulletin MS03-026
Microsoft Security Bulletin MS04-011
It is also able to detect systems installed with DameWare, as well as those affected by the following malware variants:
BKDR_KUANG
BKDR_NETDEVIL
BKDR_OPTIX
BKDR_SUB7
WORM_BAGLE
WORM_MYDOOM
Backdoor Capabilities
This worm connects to an Internet Relay Chat (IRC) server and creates a backdoor bot, enabling a remote malicious user to execute the following commands on the affected system:
Perform basic IRC commands
Perform basic FTP commands
Scan ports
Perform packet sniffing for specific strings
Perform any of the following flood attacks:
ICMP flood
Ping flood
SYN flood
TCP flood
UDP flood
Execute, list, or terminate processes
Open a remote command shell
Download/Search files
Open FTP server
Start up proxy server
Send email
Get system and network information
Get Windows login password
List, start, or stop a service
Create, list, or delete user accounts
Add, delete, or list network shares
Enable/Disable DCOM
Enable/Disable anonymous login
Flush DNS Cache
Information Theft
This worm steals the Microsoft Windows Product ID, as well as the CD keys of the following games:
Battlefield 1942 (Road To Rome)
Battlefield 1942 (Secret Weapons of WWII)
Battlefield Vietnam
Chrome
Command and Conquer: Generals
Command and Conquer: Generals (Zero Hour)
Command and Conquer: Red Alert
Command and Conquer: Red Alert 2
Command and Conquer: Tiberian Sun
Counter-Strike (Retail)
FIFA 2002
FIFA 2003
Freedom Force
Global Operations
Gunman Chronicles
Half-Life
Hidden & Dangerous
IG2
IGI 2: Covert Strike
Industry Giant 2
James Bond 007: Nightfire
Legends of Might and Magic
Medal of Honor: Allied Assault: Breakthrough
Medal of Honor: Allied Assault: Spearhead
Nascar Racing 2002
Nascar Racing 2003
Need For Speed Hot Pursuit 2
Need For Speed: Underground
Neverwinter Nights
Neverwinter Nights (Hordes of the Underdark)
Neverwinter Nights (Shadows of Undertide)
NHL 2002
NHL 2003
NOX
Rainbow Six III
Shogun: Total War: Warlord Edition
Soldier of Fortune II - Double Helix
Soldiers Of Anarchy
The Gladiators
The Road to Rome
Unreal Tournament 200
Signatures:
process: winhost.exe: MD5 Hash: c4afd7eba49f5f98452..
Type: Worm - A worm is a program that propagates by attacking other computers and copying itself to them. Worms may replace files, but do not insert themselves into files (as viruses do).