Agobot is an IRC-controlled backdoor with network spreading
capabilities. When spreading it can exploit several
vulnerabilities:
- RPC/DCOM (MS03-026)
- RPC/Locator (MS03-001)
- WebDAV (MS03-007)
RPC/DCOM and RPC/Locator are used when the worm tries to spread
automatically. Other spreading methods, such as the WebDAV exploit,
can be activated through IRC commands.
Disinfection
F-Secure provides a special disinfection utility to eliminate the
Agobot backdoor infection. You can download this utility from our
ftp site:
F-Secure Anti-Virus starting from version 5.40 can disinfect a
computer infected with Agobot automatically by renaming the
backdoor's file. A computer has to be restarted to complete
disinfection.
Manual disinfection of the Agobot backdoor requires renaming the
infected file, usually located in the Windows or Windows System
folder, and restarting the system. Please note that the backdoor's
file may have read-only, system and hidden attributes, so Windows
Explorer has to be configured to show such files.
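The following PowerShell is an added illustration of the manual steps above; it is not F-Secure's disinfection utility and is not part of the original description. It lists files in the Windows and Windows System folders that carry all three attributes mentioned (read-only, system and hidden), and provides a function that clears those attributes and renames a chosen file. The suspect path is a placeholder, since the description names no specific file.

```powershell
# Added example, not F-Secure's tool. Enumerates files with the attribute
# combination the description mentions, then renames a chosen file so it
# no longer runs after the restart the description requires.

function Find-ReadOnlySystemHiddenFiles {
    param(
        [string[]] $Folders = @($env:windir, (Join-Path $env:windir 'System32'))
    )
    $wanted = [System.IO.FileAttributes]::ReadOnly -bor
              [System.IO.FileAttributes]::System -bor
              [System.IO.FileAttributes]::Hidden
    foreach ($folder in $Folders) {
        # -Force is required; without it hidden and system files are skipped,
        # which is the same reason Explorer must be configured to show them.
        Get-ChildItem -Path $folder -File -Force -ErrorAction SilentlyContinue |
            Where-Object { ($_.Attributes -band $wanted) -eq $wanted } |
            Select-Object FullName, Attributes, Length, LastWriteTime
    }
}

function Disable-SuspectFile {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [string] $Suffix = '.vir'   # renamed rather than deleted, so a copy remains for analysis
    )
    $item = Get-Item -LiteralPath $Path -Force
    # Clear read-only/system/hidden first so the renamed file is plainly
    # visible and no longer protected by those attributes.
    $item.Attributes = [System.IO.FileAttributes]::Normal
    Rename-Item -LiteralPath $Path -NewName ($item.Name + $Suffix)
    Write-Host "Renamed $Path to $($item.Name)$Suffix. Restart the computer to complete disinfection."
}

# Usage: review the list before acting, because some legitimate Windows
# files also carry these attributes.
Find-ReadOnlySystemHiddenFiles | Format-Table -AutoSize
# Disable-SuspectFile -Path 'C:\Windows\System32\<suspect file>'   # placeholder path
```

Run it from an elevated PowerShell prompt, since files under the Windows folder are normally not writable by a standard user.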
If the infection is in a local network, please follow the
instructions on this webpage:
The Agobot.f variant was reported by several customers in the
beginning of September 2003. This backdoor has functionality
similar to previous variants. The description of Agobot.f can
be found here:
The Agobot.p variant was reported by several customers in the
middle of October 2003. This backdoor has functionality similar
to previous variants. The description of Agobot.p can be found
here:
The Agobot.q variant was reported by several customers in the
middle of October 2003. This backdoor is a minor variant of
Agobot.p, so it has very similar features. The description
of Agobot.q can be found here:
This backdoor variant is functionally similar to the previous variants,
but it is more powerful than earlier versions. The description of
Agobot.AX is available here: