Security Incidents mailing list archives

RE: Agobot variant - with multi-vulnerability scanner


From: "James C Slora Jr" <Jim.Slora () phra com>
Date: Mon, 5 Apr 2004 11:57:44 -0400

Lawrence Baldwin wrote:

> This is the second case of 'hallowelt.exe' that I have seen
> in two days where the end user's system was fully
> patched (Windows update on auto)...I haven't read up on all
> the variants but this is rather puzzling as I was under the
> impression that these only utilized network-based
> propagation....do we have some new vulnerability or something?

Many Agobot variants also use automated password-guessing for guessed and
enumerated accounts. This often gets Agobot onto fully patched systems that
have NetBIOS and RPC ports exposed. That's part of why it is so nasty once
it gets onto a LAN. 

Web vectors, trojan downloaders, and secondary infection on MyDoom and Bagle
victim computers also can get it onto a fully patched system.

So there is no patch against Agobot. It takes defense in depth to keep it
out.
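
One way a defender could spot the password-guessing propagation described in the message above: flag any source whose failed network logons, within a short window, span several accounts and more than one target host. This is an added example, not part of the original post; the log line format, field names, thresholds and sample records are all constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not from the original post): one line per
# network logon attempt, as a central log collector might normalise them.
SAMPLE_LOG = """\
2004-04-05T11:40:01 target=WS-12 src=10.0.0.57 account=administrator result=fail
2004-04-05T11:40:02 target=WS-12 src=10.0.0.57 account=admin result=fail
2004-04-05T11:40:03 target=WS-13 src=10.0.0.57 account=guest result=fail
2004-04-05T11:40:04 target=WS-13 src=10.0.0.57 account=jsmith result=fail
2004-04-05T11:40:05 target=FS-01 src=10.0.0.57 account=backup result=fail
2004-04-05T11:40:06 target=FS-01 src=10.0.0.57 account=administrator result=ok
2004-04-05T09:15:00 target=FS-01 src=10.0.0.21 account=mjones result=fail
2004-04-05T09:15:20 target=FS-01 src=10.0.0.21 account=mjones result=fail
2004-04-05T09:15:45 target=FS-01 src=10.0.0.21 account=mjones result=ok
"""

LINE = re.compile(r"(\S+) target=(\S+) src=(\S+) account=(\S+) result=(\S+)")

def find_guessing_sources(log_text, window=timedelta(minutes=5),
                          min_accounts=4, min_targets=2):
    """Return {src: (accounts, targets)} for sources whose failed logons
    within one window span many accounts AND more than one target host."""
    failures = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE.fullmatch(line.strip())
        if m and m.group(5) == "fail":
            ts = datetime.fromisoformat(m.group(1))
            failures[m.group(3)].append((ts, m.group(4).lower(), m.group(2)))
    flagged = {}
    for src, events in failures.items():
        events.sort()  # chronological order per source
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1  # slide the window forward
            span = events[start:end + 1]
            accounts = {a for _, a, _ in span}
            targets = {t for _, _, t in span}
            if len(accounts) >= min_accounts and len(targets) >= min_targets:
                flagged[src] = (sorted(accounts), sorted(targets))
    return flagged

if __name__ == "__main__":
    for src, (accounts, targets) in find_guessing_sources(SAMPLE_LOG).items():
        print(f"{src}: {len(accounts)} accounts tried on {', '.join(targets)}")
```

A user mistyping one password (10.0.0.21 in the sample) stays below both thresholds; only the source walking a list of accounts across several hosts is reported.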

