Help with Agobot-JX

  • Thread starter Thread starter Nick
  • Start date Start date
N

Nick

Hi, Windows 2000 SP4, Sophos AV (up to date), Agobot-JX.

A machine on our network that hadn't been updating has caught
Agobot-JX and it is spreading around the network by dumping a file in
system32 called winhlpp32.exe which then seems to try and unpack into
wupdate.exe. Sophos detects the virus straight away, but around 10% of
the time, still allows the machine to become infected with registry
changes (hklm/s/m/w/c/run), a changes hosts file and a service running
on the PC.

How is a patched machine with an up to date virus checker still
becoming infected? I understand that it will still get the dropper
file, but it shouldn't then become infected and pass it on.

Any advice?

thanks,
 
Nick said:
Hi, Windows 2000 SP4, Sophos AV (up to date), Agobot-JX.

A machine on our network that hadn't been updating has caught Agobot-JX
and it is spreading around the network by dumping a file in system32
called winhlpp32.exe which then seems to try and unpack into
wupdate.exe. Sophos detects the virus straight away, but around 10% of
the time, still allows the machine to become infected with registry
changes (hklm/s/m/w/c/run), a changes hosts file and a service running
on the PC.

How is a patched machine with an up to date virus checker still becoming
infected? I understand that it will still get the dropper file, but it
shouldn't then become infected and pass it on.
Click to expand...

anti-virus programs cannot prevent network share enumeration as the
process that's doing the infecting isn't actually on the machine that's
getting infected... they can only detect the file after it has been
completely written to the disk and then only when you initiate a system
scan or something tries to access the file (if you have an on-access
scanner deployed)...

i would consider hardening your intranet a little better - most
machines on your network should *not* have access the the system32
directory or in fact most directories except those that are absolutely
necessary (for some as yet undetermined business process that may take
place in your shop) and then only when explicitly configured and only
for the machines/user accounts that are required to have access to
those shares...
 
Back
Top