When Agobot first enters a system, it copies itself to the System Directory using the filename 'scvhost.exe'. This file is then added to the registry as

IRC backdoor

After startup Agobot connects to a predefined IRC server on port 9900. On the server it joins a channel and waits for further commands. The IRC interface provides the remote attacker with a set of commands to: control the bot (IRC name it uses, IRC channel, etc.); download and execute arbitrary programs on the computer; scan for vulnerable hosts and install the worm on them; perform Distributed Denial of Service (DDoS) attacks; steal CD keys of games.

Network propagation

Agobot has several different methods to spread through the network. The RPC/DCOM and RPC/Locator vulnerability based spreading routines are enabled by default. The worm starts to scan for vulnerable hosts with these upon execution. Using these exploits, Agobot scans random IP addresses. If it can successfully penetrate a host, it downloads itself there. The download comes from the attacker host, from a random port where the worm runs a simple server that responds with the worm as an answer when connected. The worm is copied to the remote host as a file called 'winhlpp32.exe' and started.

Another method of spreading uses the WebDAV (MS03-007) vulnerability to copy the worm to the remote host.
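The indicators named above (the two dropped filenames and the IRC port) can be turned into a simple log check. The following is an added example, not part of the original description: the pipe-delimited event format, host names and addresses are constructed, and the look-alike check against `svchost.exe` and `winhlp32.exe` is an assumed generalization that goes beyond the two filenames on the page.

```python
import ntpath
from difflib import SequenceMatcher

PAGE_FILENAMES = {"scvhost.exe", "winhlpp32.exe"}  # filenames given on the page
IRC_PORT = 9900                                    # IRC server port given on the page
LEGIT = ("svchost.exe", "winhlp32.exe")            # assumption: names being imitated

# Constructed sample events, format: kind|host|image|dst_ip|dst_port
SAMPLE = """\
proc|WS01|C:\\Windows\\System32\\svchost.exe||
proc|WS02|C:\\WINNT\\System32\\scvhost.exe||
net|WS02|C:\\WINNT\\System32\\scvhost.exe|192.0.2.10|9900
proc|WS03|C:\\WINNT\\System32\\winhlpp32.exe||
proc|WS04|C:\\Windows\\System32\\svch0st.exe||
net|WS05|C:\\Program Files\\app\\client.exe|198.51.100.7|443
"""

def lookalike(name):
    """Return the legitimate name that `name` closely imitates, or None."""
    for legit in LEGIT:
        if name != legit and SequenceMatcher(None, name, legit).ratio() >= 0.85:
            return legit
    return None

def detect(log_text):
    """Return a list of (host, reason) findings for the given event lines."""
    findings = []
    for line in log_text.splitlines():
        kind, host, image, _dst, port = line.split("|")
        name = ntpath.basename(image).lower()  # parses Windows paths on any OS
        if name in PAGE_FILENAMES:
            findings.append((host, f"known Agobot filename {name}"))
        elif lookalike(name):
            findings.append((host, f"{name} imitates {lookalike(name)}"))
        if kind == "net" and port == str(IRC_PORT):
            findings.append((host, f"outbound connection to port {IRC_PORT}"))
    return findings

if __name__ == "__main__":
    for host, reason in detect(SAMPLE):
        print(host, reason)
```

A port match alone is weak evidence, so it is best treated as a lead to correlate with a filename finding on the same host, as WS02 shows in the sample.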