When connecting, Agobot.FO uses the following passwords: It tries to connect using the following account names: When spreading over the local network, Agobot.FO probes the following shares: The scan must be initiated by a remote attacker. Propagation (Network Shares)Īgobot.FO can scan for computers connected to the infected machine over a local network and copy itself to other accessible machines. On Windows NT-based systems the backdoor can start as a service. This allows the backdoor's file to start with every Windows session. Installationĭuring installation, Agobot.FO copies itself as NVCHIP4.EXE file to the Windows System folder and creates startup keys for this file in System Registry: The unpacked file's size is over 245 kilobytes.Īgobot.FO was found in March, 2004 and has become relatively widespread. The backdoor's file is a PE executable 115738 bytes long compressed with PE-Diminisher file compressor. As the original Agobot author is known as TheAgo, its possible the identifier indicates that this variant is made by a different person or group. Agobot.FO propagates over network shares.Īgobot.FO's code has a 'Phatbot3' identifier and there are a few 'phat' text strings in its body. This backdoor has functionality similar to previous-released variants, but is more powerful, being able to harvest email addresses, launch Distributed Denial of Service (DDoS) attacks and more. Backdoor:W32/Agobot.FO is a variant from the Agobot backdoor family.
0 Comments
Leave a Reply. |