[Dshield] New Agobot infection here?

john beck jbeck80 at hotmail.com
Wed Mar 3 22:15:36 GMT 2004

To me this looks like browser hijacking by malware (spyware/adware). Run a 
Spybot S&D scan and clean (immunize and modify the hosts file using Spybot) 
and Ad-Aware (scan and clean; it catches more than Spybot but does not have 
the tools to prevent reinfection). This is very typical of spam coming into 
email and the user opening it or clicking a link. Antivirus does not pick up all 
malware. I work at many places (workaholic); at a local college where we cannot 
content filter (we get labeled as Nazis), the malware walks all over and 
Sophos stands quietly doing nothing. Antivirus is only halfway to keeping 
systems clean. And even now I have seen Spybot's countermeasures get 
trashed by malware (hosts file gets re-modified to connect to a malserver, 
immunize made ineffective, etc.). If you have ever seen someone's email 
(Outlook) get hijacked by "popnav" and held hostage as it displays its ad, 
you would know what I mean, and if you are like many other engineers and 
think, "I don't go to those sites so I do not have it," run the aforementioned 
utils and see :) Just like all the others I have edificated :)


>From: TRushing at hollandco.com
>Reply-To: General DShield Discussion List <list at dshield.org>
>To: list at dshield.org
>Subject: [Dshield] New Agobot infection here?
>Date: Wed, 3 Mar 2004 15:02:53 -0600
>We have one of our PC techs who was trying to help a remote user debug a
>problem.  The remote user was complaining about pop-ups and other
>strangeness and mentioned a link on the desktop of his machine.  Our tech
>decided to check out the link.  This is on a fully patched Win XP machine
>with all MS patches and an updated Sophos virus definition
>from this morning.  Upon checking out the link, there were Sophos warnings
>'Troj/Seeker-F' and
>Sophos claimed to have deleted the files.  However, his browser was now
>redirected to an html file on his local machine and attempting to browse
>to anything else brought up full-screen popups advertising software for
>wiping evidence from your computer that could be used by the government to
>convict you of child pornography.
>The machine is now pulled from the network and will likely be wiped soon.
>However, I am concerned that there was some additional infection vector at
>the link he tried that was not caught by up to date virus software.
>I have yet to give the link because it is ostensibly a pornographic site.
>So, with that warning, anyone who is curious can check out
>I have not examined the html coming from that URL.  I've been looking at
>the various processes and they look like a variant of AGOBOT.  I see that
>Sophos has updated their virus definitions for numerous AGOBOT variants
>this morning, but I believe we have that update.
>Tim Rushing
>Holland Company

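The hosts-file tampering both messages describe (immunize entries trashed, the file re-pointed at a malserver, vendor sites made unreachable) is easy to check mechanically before deciding whether a box is worth cleaning or should just be wiped. The following is an added example, not code from either poster, from Spybot S&D or from Sophos: a Python audit of a Windows hosts file that reports any name mapped to a routable address (a redirect), any security-vendor name nulled out (definitions can no longer be fetched), and any line that does not parse, while leaving immunize-style ad blocks (ad host sent to loopback) alone. The sample hosts content and the SECURITY_DOMAINS list are constructed for this example.

```python
"""Audit a Windows hosts file for the two edits a browser hijacker typically makes:
pointing real sites at an attacker-controlled address, and null-routing security
vendors so definitions cannot be fetched. Added example; not the original post's code."""
import ipaddress

# Constructed sample: a hosts file carrying both Spybot-style immunize lines
# (harmless: ad host -> loopback) and hijacker edits. Addresses are RFC 5737 test space.
SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
# immunize-style entry: ad host sent to loopback, nothing to report
127.0.0.1       ad.doubleclick.net
# hijacker edits below
0.0.0.0         www.sophos.com
198.51.100.23   www.google.com
198.51.100.23   www.symantec.com
::1             localhost
"""

# Assumed list of vendor/update domains worth protecting; extend it for your estate.
SECURITY_DOMAINS = (
    "sophos.com", "symantec.com", "mcafee.com", "safer-networking.org",
    "lavasoft.com", "windowsupdate.microsoft.com",
)


def is_sink(ip):
    """Loopback or unspecified addresses make a name unreachable rather than redirect it."""
    return ip.is_loopback or ip.is_unspecified


def matches_security_domain(host):
    """Case-insensitive exact or subdomain match against SECURITY_DOMAINS."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in SECURITY_DOMAINS)


def parse_hosts(text):
    """Yield (line_no, address_token, [hostnames]) for each mapping line,
    dropping blank lines and '#' comments (inline comments included)."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        yield line_no, fields[0], fields[1:]


def audit_hosts(text):
    """Return findings as (kind, line_no, address, hostname) tuples, in file order.
    kind is 'malformed' (address does not parse), 'redirect' (name sent to a
    routable address) or 'vendor_blocked' (security domain nulled out)."""
    findings = []
    for line_no, addr, hosts in parse_hosts(text):
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            findings.append(("malformed", line_no, addr, " ".join(hosts)))
            continue
        for host in hosts:
            if host.lower() in ("localhost", "localhost.localdomain") and is_sink(ip):
                continue  # the one mapping every hosts file legitimately carries
            if not is_sink(ip):
                findings.append(("redirect", line_no, str(ip), host))
            elif matches_security_domain(host):
                findings.append(("vendor_blocked", line_no, str(ip), host))
    return findings


if __name__ == "__main__":
    import sys
    # Pass a real hosts file path (e.g. C:\Windows\System32\drivers\etc\hosts) to
    # audit it; with no argument the constructed sample above is used.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_HOSTS
    for kind, line_no, addr, host in audit_hosts(text):
        print(f"line {line_no}: {kind:14} {addr:>15} -> {host}")
```

On the sample the audit reports the nulled Sophos entry and the two lines that send google.com and symantec.com to 198.51.100.23, and says nothing about the doubleclick immunize line, which is the distinction a cleanup tool has to make before it "repairs" the file. A redirect finding is also the address to put on the egress block list while the machine is off the network.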