Re: Realplayd.exe = new AGOBOT variant?

From: Br0wnbear (brownbearat_at_canadadotcom.net)
Date: 11/11/04


Date: Wed, 10 Nov 2004 21:51:18 -0500

On 10 Nov 2004 09:48:42 -0800, erirobitair@yahoo.com (Ryrobes) wrote:

>I have been getting alerts on our network that DOS_AGOBOT.GEN has
>infected some machines - unfortunately our TrendMicro OfficeScan does
>not detect the actual EXE that is doing the job, but only detects the
>crap that the worm appends to the user's HOSTS file (redirecting
>anti-virus sites to localhost, etc.)...
>
>The culprit: "realplayd.exe" is about 100k (standard for AGOBOT
>variants I think), it puts itself into the 'system32' folder as well
>as the root of the 'winnt' folder, usually it CAN be killed and then
>edited OUT of the registry so it won't run again, but all I can see
>damaged is the HOSTS file, has anyone else seen this variant yet?
>
>If it is just a standard re-implementation of one of the AGOBOTs, what
>else should I be doing (besides patching that is)?

Ryrobes

I would submit the file to one of the AV sites for analysis. They will
be able to give you an in-depth analysis of the file.

hth
John Brown
"Bears have more fun, we hibern8 alot"


