[Dshield] New Agobot infection here?
TRushing at hollandco.com
Wed Mar 3 21:02:53 GMT 2004
We have one of our PC techs who was trying to help a remote user debug a
problem. The remote user was complaining about pop-ups and other
strangeness and mentioned a link on the desktop of his machine. Our tech
decided to check out the link. This was on a fully patched Win XP machine
with all MS patches and updated Sophos virus definitions from this
morning. Upon checking out the link, there were Sophos warnings, and
Sophos claimed to have deleted the files. However, his browser was now
redirected to an html file on his local machine, and attempting to browse
to anything else brought up full-screen popups advertising software for
wiping evidence from your computer that could be used by the government to
convict you of child pornography.
The machine is now pulled from the network and will likely be wiped soon.
However, I am concerned that there was some additional infection vector at
the link he tried that was not caught by up-to-date virus software.
I have yet to give the link because it is ostensibly a pornographic site.
So, with that warning, anyone who is curious can check out
I have not examined the html coming from that URL. I've been looking at
the various processes and they look like a variant of AGOBOT. I see that
Sophos has updated their virus definitions for numerous AGOBOT variants
this morning, but I believe we have that update.