
PhatBot/AgoBot Worm & Trojan

Attack ID: CPAI-2004-11
Publish Date:
Last Update:
Category: Remote Code Execution, Denial of Service
Vulnerable Systems: Microsoft Windows Platforms
Source:

Check Point Virus Information Center

Description: A new worm is propagating on the Internet, infecting computers running the Windows operating system. It uses multiple exploits to infect the nodes it attacks and then propagates further from them.

Once infected, the computer is controlled by a sophisticated Trojan that can steal sensitive information, take part in denial of service attacks and execute code supplied remotely.

Severity:
Details:

Phatbot (also known as AgoBot.FO) is a new worm that is currently propagating on the Internet.

It uses multiple means of infection, exploiting several Microsoft vulnerabilities, including the RPC/DCOM vulnerabilities (MS03-026 / MS03-039), the WebDAV vulnerability (MS03-007) and the RPC Locator vulnerability (MS03-001).

Once a node has been infected, the worm may steal data, open a backdoor and act as a Trojan waiting for remote commands via IRC, collect e-mail addresses and other sensitive information, and continue to propagate via Windows shares.

The Trojan component is also capable of sniffing usernames and passwords on various network protocols, downloading and executing code on the infected node, visiting web sites on remote command, and more.

Attack Detection: Using SmartView Tracker, identify the following events:
  • Drops on the IRC service (port TCP/6667)
  • Drops on DCE-RPC (port TCP/135) with rule number 998 (MS RPC vulnerability attack attempt)
  • Blocked HTTP requests with a "Malformed Request" error message in the information field
  • Failed access attempts to CIFS resources
Solution:

Users of VPN-1 NG and InterSpect:

Users of VPN-1 NG and InterSpect should apply the solutions outlined in the following SmartDefense advisories, in order to block the worm's propagation:

MS03-039 – MS RPCSS service vulnerabilities: CPAI-2003-32

MS03-007 – Windows 2000 buffer overflow (WebDAV): CPAI-2003-08

In addition, users are encouraged to implement the general worm protection methods outlined in the Worms and Viruses Special Advisory: CPSA-2003-01.

It is imperative to restrict access to CIFS resources in order to block the worm's propagation.

Users of Check Point Integrity:

  • Ensure your systems are patched with the following Microsoft patches:
      – RPC/DCOM (MS03-026)
      – WebDAV (MS03-007)
      – RPC/Locator (MS03-001)
  • Monitor observed programs for svrhost.exe and srvhost.exe. Do not confuse svrhost.exe/srvhost.exe with the required system process svchost.exe.
  • Monitor/block the P2P control network port, TCP port 4387.
  • Update anti-virus products to provide the most up-to-date protection.
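As an added example (not from this advisory or from Check Point), the following Python script applies the four Attack Detection events listed above to firewall log records and adds the svrhost.exe/srvhost.exe check from the Integrity section, so that a single source host showing several of the indicators stands out. The key=value record layout, field names and sample records are constructed for illustration; the real SmartView Tracker export format is not reproduced here and the field mapping is an assumption to adapt.

```python
import re
from collections import Counter, defaultdict
IRC_PORT, DCERPC_PORT = 6667, 135    # advisory: drops on TCP/6667 and TCP/135
RPC_RULE = "998"                     # rule "MS RPC vulnerability attack attempt"
BOT_BINARIES = {"svrhost.exe", "srvhost.exe"}   # lookalikes of svchost.exe
# Constructed sample records in a simplified key=value layout; this is NOT the
# real SmartView Tracker export format, so map your export's fields onto these.
SAMPLE_LOG = """\
action=drop proto=tcp src=10.0.0.7 dst=192.0.2.10 dport=6667 service=irc rule=20 info=
action=drop proto=tcp src=10.0.0.7 dst=192.0.2.11 dport=135 service=dce-rpc rule=998 info=MS RPC vulnerability attack attempt
action=reject proto=tcp src=10.0.0.7 dst=192.0.2.12 dport=80 service=http rule=15 info=Malformed Request
action=reject proto=tcp src=10.0.0.7 dst=192.0.2.13 dport=445 service=cifs rule=30 info=access denied
action=drop proto=tcp src=10.0.0.9 dst=192.0.2.14 dport=135 service=dce-rpc rule=17 info=
action=accept proto=tcp src=10.0.0.8 dst=192.0.2.20 dport=443 service=https rule=12 info=
"""

def parse_record(line):
    # key=value pairs; the trailing info field may contain spaces
    return dict(re.findall(r"(\w+)=(.*?)(?=\s\w+=|$)", line.strip()))

def classify(rec):
    # Map one record onto the advisory's four indicators (None if unrelated)
    action, port = rec.get("action"), int(rec.get("dport") or 0)
    if action == "drop" and port == IRC_PORT:
        return "irc_drop"
    if action == "drop" and port == DCERPC_PORT and rec.get("rule") == RPC_RULE:
        return "rpc_attack_attempt"          # other rules on 135 are not counted
    if rec.get("service") == "http" and action != "accept" \
            and "Malformed Request" in rec.get("info", ""):
        return "malformed_http"
    if rec.get("service") == "cifs" and action != "accept":
        return "cifs_access_failed"
    return None

def triage(log_text, min_indicators=2):
    # Count indicators and list source hosts showing several distinct ones,
    # the pattern an infected node leaves while trying to spread
    counts, by_host = Counter(), defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_record(line)
        label = classify(rec)
        if label:
            counts[label] += 1
            by_host[rec["src"]].add(label)
    suspects = {h: sorted(v) for h, v in by_host.items() if len(v) >= min_indicators}
    return counts, suspects

def is_bot_binary(name):
    # Flags the worm's svchost.exe lookalikes; the genuine svchost.exe is not flagged
    return name.lower() in BOT_BINARIES
```

Run `triage(SAMPLE_LOG)` to see the per-indicator counts and the hosts that tripped at least two of them; the drop on TCP/135 under a rule other than 998 is deliberately left out, as the advisory ties that event to rule 998.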
Industry Reference:
Additional Information: Zone Labs Security Advisory