[Dshield] New Agobot infection here?

TRushing@hollandco.com TRushing at hollandco.com
Wed Mar 3 21:02:53 GMT 2004


We have one of our PC techs who was trying to help a remote user debug a 
problem.  The remote user was complaining about pop-ups and other 
strangeness and mentioned a link on the desktop of his machine.  Our tech 
decided to check out the link.  This was on a fully patched Win XP machine 
with all MS patches and updated Sophos virus definitions from this morning.  
Upon checking out the link, there were Sophos warnings on

'Troj/Seeker-F' and
'Troj/Myss-C'

Sophos claimed to have deleted the files.  However, his browser was now 
redirected to an html file on his local machine and attempting to browse 
to anything else brought up full-screen popups advertising software for 
wiping evidence from your computer that could be used by the government to 
convict you of child pornography.

The machine is now pulled from the network and will likely be wiped soon. 
However, I am concerned that there was some additional infection vector at 
the link he tried that was not caught by up to date virus software.

I have yet to give the link because it is ostensibly a pornographic site. 
So, with that warning, anyone who is curious can check out

http://www.ipiku.com/?desk

I have not examined the html coming from that URL.  I've been looking at 
the various processes and they look like a variant of AGOBOT.  I see that 
Sophos has updated their virus definitions for numerous AGOBOT variants 
this morning, but I believe we have that update.

Tim Rushing
Holland Company
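As an added triage example (not part of Tim's post, and not code from Sophos or DShield): the post describes a browser that now lands on an HTML file on the local disk, which is the kind of change a first-responder can check for before wiping the box. The script below flags browser start/search page values that point at a local file rather than a web site, and lists every hosts file entry other than the loopback `localhost` line, since hijackers also use hosts entries to block AV update sites. The registry key names, the setting values and the hosts file contents are constructed sample data; the post does not say which mechanism performed the redirect, so treating the start page and hosts file as the places to look is an assumption.

```python
import re
from urllib.parse import urlparse

# Constructed sample data for this example (assumed, not values from the post).
# Browser start/search page settings as they might be read from the registry
# on the affected XP machine; a hijacker rewrites them to a local HTML file.
SAMPLE_BROWSER_SETTINGS = {
    r"HKCU\Software\Microsoft\Internet Explorer\Main\Start Page":
        r"C:\WINDOWS\system32\deskpop.html",
    r"HKCU\Software\Microsoft\Internet Explorer\Main\Search Page":
        "http://www.msn.com/",
    r"HKLM\Software\Microsoft\Internet Explorer\Main\Default_Page_URL":
        "file:///C:/Documents%20and%20Settings/user/Local%20Settings/start.htm",
}

# Constructed hosts file: a hijacker pinning AV update hosts to loopback.
SAMPLE_HOSTS = """\
# constructed hosts file for this example
127.0.0.1       localhost
127.0.0.1       www.sophos.com
127.0.0.1       update.sophos.com
"""

# Windows drive path (C:\ or C:/) or UNC path (\\server\share)
_WIN_PATH = re.compile(r"^(?:[A-Za-z]:[\\/]|\\\\)")


def is_local_target(value: str) -> bool:
    """True if a start/search page value points at a local file, not a web site."""
    v = value.strip()
    if _WIN_PATH.match(v):
        return True
    # urlparse would report the drive letter as a scheme, hence the path check first
    return urlparse(v).scheme.lower() == "file"


def suspicious_hosts_entries(hosts_text: str):
    """Return (ip, hostname) for every hosts entry other than the 'localhost' line.

    A default XP hosts file maps only localhost, so anything else deserves a look.
    """
    found = []
    for line in hosts_text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        ip, names = parts[0], parts[1:]
        for name in names:
            if name.lower() != "localhost":
                found.append((ip, name))
    return found


def triage(settings: dict, hosts_text: str):
    """Combine both checks into a list of human-readable findings."""
    findings = []
    for key, value in settings.items():
        if is_local_target(value):
            findings.append(f"browser setting {key} points at local file: {value}")
    for ip, name in suspicious_hosts_entries(hosts_text):
        findings.append(f"hosts entry pins {name} to {ip}")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_BROWSER_SETTINGS, SAMPLE_HOSTS):
        print(finding)
```

On a live machine the dictionary would be filled from the actual registry values and the hosts text read from `%SystemRoot%\system32\drivers\etc\hosts`; the checks themselves do not depend on where the data came from, so the same code can be run over values exported from a pulled disk.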