AL vs Agobot.T

[gm_al]

A few days ago someone from the office called me and told me he had infected his PC with a new worm virus. He described me the symptoms, and I tried to give him some help.

Yesterday I started noticing some strange behaviour of my PC, like sudden shutdowns etc. I ran my virus tests but couldnt find anything.

When I started up my computer today, I got EXACTLY the same alarms my colleague had a few days ago. I was alarmed - and for good reason.

- the firewall was taken out and i couldnt start it
- the virus scan brought NO results, however other scanners could NOT be installed (the install routines were just cut off !)
- I knew the virus was in memory. The infected (primary) file was one called SCVHOST.EXE The tricky thing is that you have a system process that is called very similar, namely SVCHOST.EXE

So I knew I had some worm virus, but how to get rid of it ? This one even survives re-formatting your drive I was told (through the bootlblock) ! It scans for active anti-virus software and disables it. It avoids that firewalls block him to get into the net. He stays in the registry and activates himself again even if you think you have killed and erased it. Its a tricky bastard, and a destructive one too.

I had a hard time trying all kinds of things, but then I remembered an old trick Id like to share here with you. SCAN ONLINE !

Go to

http://www.trendmicro.com

and scan your hard drive ONLINE and for FREE. The virus cant avoid that.

This one immediately told me the name of the intruder: WORM_AGOBOT.T - he had entered through a backdoor and i had only missed ONE online update patch for my Win XP recently. Thanks to the guys at TrendMicro I now knew what to do, as they give very precise informations and details on how to get rid of it.

3 hours later it seems I was able to avoid desaster:
- the registry is clean again
- the memory scans and HD scans with FOUR freshly installed scanners show no more results
- firewall is up and happily running again
- I installed all latest available patches needed (for those of you interested: the REMOTE patch -029 is the one you will need against worms)

Id like to invite you all to go and test the online scan - you might be in for some bad surprises. Remember that I had a firewall AND a resident virusscanner and that worm tricked out both and installed himself without me having downloaded any 'dangerous' files....

I learned my lesson ! Plz report your scan results here, Id like to see them.

[Donut]

Hey Al,

No I'll first start off by saying that I am one of the last persons to come to for complicate computer crap but...

Our school network was all but killed for the last 2 weeks because of, if not the same, a similar virus(worm_randex.q). Luckily(don't know how or why) our school network uses Trend Officescan for virus software and it ended up being a fairly simple fix.

Good thing our help services are so good...(*Please note the HEAVY sarcasm here; as they LOST my computer when I went to have it repaired*) It only took two weeks for EVERYONE on campus to scan there computer. Those who didn't had there ports shut off
Finally everything is back to normal, awaiting the next disaster... GO MSOE!!!

Donut