F-Secure: Be Sure

F-Secure Virus Descriptions : Agobot




NAME:Agobot
ALIAS:Backdoor.Agobot, W32.HLLW.Gaobot, Gaobot, Win32/Gaobot
ALIAS:Backdoor.Agobot.3.gen

Summary

Agobot is an IRC-controlled backdoor with network spreading capabilities. When spreading it can exploit several vulnerabilities:

- RPC/DCOM (MS03-026)

- RPC/Locator (MS03-001)

- WebDAV (MS03-007)

The RPC/DCOM and RPC/Locator exploits are used when the worm tries to spread automatically. Other spreading methods, such as the WebDAV exploit, can be activated through IRC commands.

Disinfection

F-Secure provides a special disinfection utility to eliminate Agobot backdoor infections. You can download this utility from our FTP site:

http://www.f-secure.com/tools/f-bot.zip

ftp://ftp.f-secure.com/anti-virus/tools/f-bot.zip

The unpacked version is available here:

http://www.f-secure.com/tools/f-bot.exe

ftp://ftp.f-secure.com/anti-virus/tools/f-bot.exe

Disinfection instructions can be found here:

http://www.f-secure.com/tools/f-bot.txt

ftp://ftp.f-secure.com/anti-virus/tools/f-bot.txt

F-Secure Anti-Virus, starting from version 5.40, can disinfect a computer infected with Agobot automatically by renaming the backdoor's file. The computer has to be restarted to complete disinfection.

Manual disinfection of the Agobot backdoor requires renaming the infected file, usually located in the Windows or Windows System folder, and restarting the system. Please note that the backdoor's file may have read-only, system and hidden attributes, so Windows Explorer has to be configured to show such files.
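
An added PowerShell example of the manual step above (not F-Secure's own tooling): it lists `.exe` files in the Windows and Windows System folders that carry the read-only, system and hidden attributes, then renames one file that has been confirmed as the backdoor. The function names, the `System32` folder name and the `.disabled` suffix are assumptions; legitimate files can carry the same attributes, so the listing is for review, not a verdict.

```powershell
# Added example, not part of the original description.
# Step 1: list candidates. Nothing is renamed or deleted here.
function Find-HiddenSystemExecutable {
    param(
        # Assumption: the two folders the description names, resolved from %windir%.
        [string[]]$Path = @($env:windir, (Join-Path $env:windir 'System32'))
    )
    $wanted = [IO.FileAttributes]'ReadOnly, Hidden, System'
    foreach ($dir in $Path) {
        # -Force returns hidden and system files, which are skipped by default
        # (the same reason Explorer has to be reconfigured to show them).
        Get-ChildItem -LiteralPath $dir -Filter *.exe -File -Force -ErrorAction SilentlyContinue |
            Where-Object { ($_.Attributes -band $wanted) -eq $wanted } |
            ForEach-Object {
                [pscustomobject]@{
                    Path       = $_.FullName
                    Attributes = $_.Attributes
                    Modified   = $_.LastWriteTime
                    # Hash and signature status help tell the backdoor's file
                    # apart from legitimate files with the same attributes.
                    SHA256     = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
                    Signature  = (Get-AuthenticodeSignature -LiteralPath $_.FullName).Status
                }
            }
    }
}

# Step 2: rename one file that has been confirmed as the backdoor.
function Rename-ConfirmedBackdoorFile {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$LiteralPath)

    $file = Get-Item -LiteralPath $LiteralPath -Force
    if ($PSCmdlet.ShouldProcess($file.FullName, 'Clear attributes and rename')) {
        # Drop read-only/system/hidden so the renamed file stays visible.
        $file.Attributes = [IO.FileAttributes]::Normal
        # '.disabled' is a constructed suffix; any non-executable extension works.
        Rename-Item -LiteralPath $file.FullName -NewName ($file.Name + '.disabled') -Force
    }
}

# Review the candidates first:
Find-HiddenSystemExecutable | Format-Table -AutoSize
# Then, for the confirmed file only (placeholder path), preview with -WhatIf:
# Rename-ConfirmedBackdoorFile -LiteralPath '<confirmed file path>' -WhatIf
```

Run it from an elevated prompt, and restart the system after the rename, as the instructions above require.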

If the infection is in a local network, please follow the instructions on this webpage:

http://www.f-secure.com/v-descs/netdisinf.shtml



VARIANT:Agobot.F

The Agobot.f variant was reported by several customers at the beginning of September 2003. This backdoor has functionality similar to previous variants. The description of Agobot.f can be found here:

http://www.f-secure.com/v-descs/agobot_f.shtml

VARIANT:Agobot.P

The Agobot.p variant was reported by several customers in the middle of October 2003. This backdoor has functionality similar to previous variants. The description of Agobot.p can be found here:

http://www.f-secure.com/v-descs/agobot_p.shtml

VARIANT:Agobot.Q

The Agobot.q variant was reported by several customers in the middle of October 2003. This backdoor is a minor variant of Agobot.p, so it has very similar features. The description of Agobot.q can be found here:

http://www.f-secure.com/v-descs/agobot_q.shtml

VARIANT:Agobot.AX

This backdoor variant is functionally similar to the previous variants, but it is more powerful than earlier versions. The description of Agobot.AX is available here:

http://www.f-secure.com/v-descs/agobot_ax.shtml

Write-up: Gergely Erdelyi, Alexey Podrezov, Katrin Tocheva; November 26th, 2003;

Description Updated: Alexey Podrezov, October 21st, 2004;

F-Secure Corporation