Phatbot Computer Virus
Phatbot is an IRC bot with characteristics and functionality similar to Agobot. Only systems running Microsoft Windows have been reported to be infected; however, this malicious code may affect other operating systems. Phatbot can propagate using several methods. It scans for NetBIOS shares and attempts to use common username and password combinations to gain access to the remote machine. Phatbot can also propagate by exploiting unpatched vulnerabilities in the Microsoft Windows operating system, including vulnerabilities in WebDAV, DCOM, and the Windows Workstation service.
How Phatbot Works:
Once a system is infected, Phatbot will attempt to join an existing IRC channel or P2P network. An attacker can control infected systems by issuing commands to this IRC channel or by sending messages to this P2P network. Phatbot contains an extensive list of commands that provide control over the victim's system. An affected system gives the remote user full access to its file system and the ability to execute arbitrary code on it. Additionally, Phatbot will attempt to terminate a large number of security-related processes (e.g., firewall, anti-virus) and also attempts to terminate instances of other malware that has already infected the victim's system (e.g., MSBlast, Welchia, Sobig.F).
Phatbot Manual Removal:
Look for the following registry keys:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Generic Service Process
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\Generic Service Process
The associated binary may be srvhost.exe, svrhost.exe or a variation of the same. Kill the associated process in the Task Manager, then remove the "Generic Service Process" registry key. Remove the executable from the Windows system directory.
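A read-only check for the indicators named in the removal steps above, as an added PowerShell example that is not part of the original page. It assumes "Generic Service Process" is stored as a value name under the Run and RunServices keys; the function name Get-PhatbotIndicator is hypothetical, and renamed variants of the binary are found only if the Run entry keeps that value name.

```powershell
# Added example: reports indicators only, nothing is killed or deleted.
$valueName = 'Generic Service Process'        # Run entry name given on the page
$binaries  = 'srvhost.exe', 'svrhost.exe'     # binary names given on the page
$runKeys   = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
             'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunServices'

function Get-PhatbotIndicator {               # hypothetical helper name
    $findings = @()

    # 1. Run / RunServices entries matching the value name or a listed binary
    foreach ($key in $runKeys) {
        if (-not (Test-Path -Path $key)) { continue }   # RunServices is often absent
        $regKey = Get-Item -Path $key
        foreach ($name in $regKey.GetValueNames()) {
            $data    = [string]$regKey.GetValue($name)
            $nameHit = $name -eq $valueName
            $dataHit = [bool]($binaries | Where-Object { $data -like "*$_*" })
            if ($nameHit -or $dataHit) {
                $findings += [pscustomobject]@{
                    Type = 'RunEntry'; Location = "$key\$name"; Detail = $data }
            }
        }
    }

    # 2. Listed binaries present in the Windows system directory
    foreach ($bin in $binaries) {
        $path = Join-Path -Path ([Environment]::SystemDirectory) -ChildPath $bin
        if (Test-Path -LiteralPath $path) {
            $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
            $findings += [pscustomobject]@{
                Type = 'File'; Location = $path; Detail = "SHA256 $hash" }
        }
    }

    # 3. Running processes with the listed image names
    $procNames = $binaries | ForEach-Object { [IO.Path]::GetFileNameWithoutExtension($_) }
    foreach ($proc in Get-Process -Name $procNames -ErrorAction SilentlyContinue) {
        $findings += [pscustomobject]@{
            Type = 'Process'; Location = "PID $($proc.Id)"; Detail = $proc.Path }
    }

    $findings
}

Get-PhatbotIndicator | Format-Table -AutoSize -Wrap
```

Run it from an elevated prompt so process paths resolve; an empty result means none of these specific indicators are present, not that the host is clean.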
Also known as Agobot
Phatbot in the News:
Three arrests were made in Germany in connection with the Sasser and Phatbot/Gaobot worms, following information passed on to the police by community members. One of those arrested, a computer science student who turned 18 last month, has confessed to authoring the Sasser and Netsky-AC malicious code - May 2004, Berlin, Germany.
Another suspect, a 21-year-old from Baden-Wurttemberg in southern Germany, was arrested along with an unknown number of others on suspicion of having created the worm known as Phatbot, previously called Agobot - May 2004, Baden-Wurttemberg, Germany.
The Phatbot computer worm was discovered on many Ohio State University computers. The university network security group shut down approximately 150 users to keep the virus from spreading. By making some changes on our network we have minimized the threat - April 2004, Ohio, USA.