Updated: Agobot-AA worms round Instant Messaging

By Alun Williams

Posted on 23 Oct 2003 at 11:37

A new Internet worm is posing a computer security threat - Agobot-AA. The anti-virus specialist Sophos says it has already received several reports of the worm out in the wider world, in the wild.

Using similar techniques to the Randex threat we covered at the start of the week - In the wake of Donk-D, comes the Randex worms - the worm tries to spread over remote IRC (Internet Relay Chat) channels, which underpin instant messaging.

Furthermore, with its backdoor trojan capabilities, it potentially allows a remote attacker to control an infected computer. The worm is also capable of copying itself across a local network by guessing passwords, so common 'weak' passwords will be vulnerable to the worm's advance. If you you are still using passwords such as 'letmein','password' or '12345657' it is time to change....

An indication of Agobot's presence is that it copies itself to the Windows/system folder as Lsas.exe.

According to Graham Cluley, Senior Technology Consultant at Sophos, there is an increasing interest among virus writers in IRC technology. He emphasises that even with a firewall installed, users may configure it to let their chat sesssions through and that this open door then leaves a vulnerability to such attacks.

It seems a greater public awareness of security issues is still required. Perhaps the message is getting across that extra levels of protection, such as firewalls, are required, but that alone is not enough. Without careful configuration, such defences may only provide a false sense of security. As ever, states Cluley, the simple rule is 'don't run code you are not sure about on your computer'. Otherwise you are leaving yourself vulnerable. 'There are a lot of scumbags out there,' warns Cluley.

More info about Agobot, and a Sophos virus identity file, can be found here.