F-Secure
Tools
Backdoor:W32/Agobot
Summary
A remote administration utility which bypasses normal security mechanisms to secretly control a program, computer or network.
Disinfection
F-Secure Anti-Virus can disinfect a computer infected with Agobot automatically by renaming the backdoor's file. A computer has to be restarted to complete disinfection.
Special Disinfection Utility
F-Secure provides the special disinfection utility to eliminate Agobot backdoor infection. You can download this utility from our ftp site:
The unpacked version is available here:
Disinfection instructions can be found here:
Manual Disinfection
Manual disinfection for Agobot backdoor requires renaming of an infected file, usually located in Windows or Windows System folder and restarting a system. Please note that the backdoor's file may have read-only, system and hidden attributes, so Windows Explorer has to be configured to show such files.
If the infection is in a local network, please see Removal Instructions.
Special Disinfection Utility
F-Secure provides the special disinfection utility to eliminate Agobot backdoor infection. You can download this utility from our ftp site:
- http://www.f-secure.com/tools/f-bot.zip
- ftp://ftp.f-secure.com/anti-virus/tools/f-bot.zip
The unpacked version is available here:
- http://www.f-secure.com/tools/f-bot.exe
- ftp://ftp.f-secure.com/anti-virus/tools/f-bot.exe
Disinfection instructions can be found here:
- http://www.f-secure.com/tools/f-bot.txt
- ftp://ftp.f-secure.com/anti-virus/tools/f-bot.txt
Manual Disinfection
Manual disinfection for Agobot backdoor requires renaming of an infected file, usually located in Windows or Windows System folder and restarting a system. Please note that the backdoor's file may have read-only, system and hidden attributes, so Windows Explorer has to be configured to show such files.
If the infection is in a local network, please see Removal Instructions.
Additional Details
Agobot is an IRC-controlled backdoor with network spreading capabilities.
When spreading it can exploit several vulnerabilities:
RPC/DCOM and RPC/Locator is used when the worm tries to spread automatically.
Other spreading methods like the WebDAV exploit can be activated through IRC commands.
When spreading it can exploit several vulnerabilities:
- RPC/DCOM (MS03-026)
- RPC/Locator (MS03-001)
- WebDAV (MS03-007)
RPC/DCOM and RPC/Locator is used when the worm tries to spread automatically.
Other spreading methods like the WebDAV exploit can be activated through IRC commands.
| Variant: | Agobot.F |
The Agobot.f variant was reported by several customers in the beginning of September 2003. This backdoor has functionality similar to previous variants. The description of Agobot.f can be found here: http://www.f-secure.com/v-descs/agobot_f.shtml
| Variant: | Agobot.AX |
This backdoor variant is functionaly similar to the previous variants, but it is more powerful than earlier versions. The description of Agobot.AX is available here: http://www.f-secure.com/v-descs/agobot_ax.shtml
| Variant: | Agobot.P |
The Agobot.p variant was reported by several customers in the middle of October 2003. This backdoor has functionality similar to previous variants. The description of Agobot.p can be found here: http://www.f-secure.com/v-descs/agobot_p.shtml
| Variant: | Agobot.Q |
The Agobot.q variant was reported by several customers in the middle of October 2003. This backdoor is a minor variant of Agobot.p, so it has very similar features. The description of Agobot.q can be found here: http://www.f-secure.com/v-descs/agobot_q.shtml