Security Incidents mailing list archives

Agobot variant - with multi-vulnerability scanner


From: "Lawrence Baldwin" <baldwinL () mynetwatchman com>
Date: Sat, 3 Apr 2004 16:37:22 -0500



Not sure if others have already seen this or not, but here you go:
http://www.mynetwatchman.com/tools/sc/Agobot.htm

Found on infected host this morning:

"This variant has one of the more extensive multi-vulnerability scanning
engines around:

Scans for:

tcp/80 - WebDAV
tcp/135 - MS RPC
tcp/139/445 - MS Networking
tcp/1025 - MS RPC / locator???
tcp/2745 - Beagle worm backdoor
tcp/3127 - MyDoom worm backdoor
tcp/6129 - Dameware "

This is the second case of 'hallowelt.exe' that I have seen in two days
where the end user's system was fully patched (Windows update on
auto)...I haven't read up on all the variants but this is rather puzzling as
I was under the impression that these only utilized network-based
propagation....do we have some new vulnerability or something?


We have also seen another even nastier version using the soundman.exe and
soundconf.exe filenames that don't even show up in the process list, though
their connection activity DOES....tcpview shows the source as "<non-existent
process:###>"...if anyone has any suggestions on that one, I'd appreciate
them.

Lawrence Baldwin
Chief Forensics Officer
myNetWatchman.com
Atlanta, GA
+1.678.624.0924
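The port list quoted in the post is a usable detection fingerprint on the network side: a single internal host that touches several of those ports across many different destinations in a short window looks nothing like a normal workstation. The following is an added example, not code from the post or from myNetWatchman, that runs such a check over constructed connection-log lines; the log format, the thresholds and the sample addresses are assumptions.

```python
"""Flag hosts that probe the Agobot port set across many destinations.

Added example (not from the original post): a detector run over constructed
firewall connection-log lines. The log line format is an assumption.
"""
import re
from collections import defaultdict

# TCP ports the post says this Agobot variant scans, with the targeted service.
AGOBOT_PROBE_PORTS = {
    80: "WebDAV",
    135: "MS RPC",
    139: "MS Networking",
    445: "MS Networking",
    1025: "MS RPC / locator",
    2745: "Beagle worm backdoor",
    3127: "MyDoom worm backdoor",
    6129: "Dameware",
}

# Assumed log format: "<timestamp> tcp <src>:<sport> -> <dst>:<dport> <state>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<proto>tcp|udp) (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) (?P<state>\w+)$"
)


def parse_line(line):
    """Return a dict for a well-formed line, or None for lines we skip."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    return rec


def find_scanners(lines, min_ports=3, min_targets=4):
    """Group TCP connections by source address. A source is reported when it
    has touched at least min_ports distinct Agobot ports and at least
    min_targets distinct destination hosts; an ordinary client talking to one
    file server on 139/445 and one web server stays under both thresholds."""
    ports_by_src = defaultdict(set)
    targets_by_src = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["proto"] != "tcp":
            continue
        if rec["dport"] not in AGOBOT_PROBE_PORTS:
            continue
        ports_by_src[rec["src"]].add(rec["dport"])
        targets_by_src[rec["src"]].add(rec["dst"])
    hits = {}
    for src, ports in ports_by_src.items():
        targets = targets_by_src[src]
        if len(ports) >= min_ports and len(targets) >= min_targets:
            hits[src] = {
                "ports": sorted(ports),
                "services": [AGOBOT_PROBE_PORTS[p] for p in sorted(ports)],
                "target_count": len(targets),
            }
    return hits


# Constructed sample log: 10.0.0.5 sweeps six neighbours on all eight ports,
# 10.0.0.7 is a normal workstation using a file server and an intranet site.
SAMPLE_LOG = [
    f"2004-04-03T09:{i:02d}:00 tcp 10.0.0.5:{40000 + i} -> 10.0.1.{1 + i // 8}:{port} SYN"
    for i, port in enumerate([80, 135, 139, 445, 1025, 2745, 3127, 6129] * 6)
] + [
    "2004-04-03T09:10:00 tcp 10.0.0.7:51000 -> 10.0.2.10:445 EST",
    "2004-04-03T09:11:00 tcp 10.0.0.7:51001 -> 10.0.2.10:139 EST",
    "2004-04-03T09:12:00 tcp 10.0.0.7:51002 -> 10.0.2.20:80 EST",
    "garbage line that does not parse",
]

if __name__ == "__main__":
    for src, info in find_scanners(SAMPLE_LOG).items():
        print(f"{src}: {info['target_count']} hosts on ports {info['ports']}")
```

Requiring both a port-diversity and a destination-count threshold is what keeps the false-positive rate down: a backup agent or a domain member hitting 445 on many hosts trips only one of the two, while a bot sweeping a subnet trips both within its first few dozen SYNs.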
