Eng
  1. Skip to navigation
  2. Skip to content
  3. Skip to sidebar

You are here:ThreatsVirus and threats descriptionsBackdoor:W32/Agobot

Backdoor:W32/Agobot


Aliases:

Backdoor:W32/Agobot

Malware
Backdoor
W32

Summary

A remote administration utility which bypasses normal security mechanisms to secretly control a program, computer or network.



Disinfection & Removal


Automatic Disinfection

Allow F-Secure Anti-Virus to disinfect the relevant files.For more general information on disinfection, please see Removal Instructions.


Network Disinfection

For general instructions on disinfecting a local network infection, please see Eliminating A Local Network Outbreak.


Manual Disinfection

Caution: Manual disinfection is a risky process; it is recommended only for advanced users.

Manual disinfection for Agobot backdoor requires renaming of an infected file, usually located in Windows or Windows System folder and restarting a system. Please note that the backdoor's file may have read-only, system and hidden attributes, so Windows Explorer has to be configured to show such files.



Technical Details

Agobot is an IRC-controlled backdoor with network spreading capabilities.

When spreading it can exploit several vulnerabilities:

  • RPC/DCOM (MS03-026)
  • RPC/Locator (MS03-001)
  • WebDAV (MS03-007)

RPC/DCOM and RPC/Locator is used when the worm tries to spread automatically.

Other spreading methods like the WebDAV exploit can be activated through IRC commands.


Variant:Agobot.F

The Agobot.f variant was reported by several customers in the beginning of September 2003. This backdoor has functionality similar to previous variants. The description of Agobot.f can be found here: http://www.f-secure.com/v-descs/agobot_f.shtml


Variant:Agobot.AX

This backdoor variant is functionaly similar to the previous variants, but it is more powerful than earlier versions. The description of Agobot.AX is available here: http://www.f-secure.com/v-descs/agobot_ax.shtml


Variant:Agobot.P

The Agobot.p variant was reported by several customers in the middle of October 2003. This backdoor has functionality similar to previous variants. The description of Agobot.p can be found here: http://www.f-secure.com/v-descs/agobot_p.shtml


Variant:Agobot.Q

The Agobot.q variant was reported by several customers in the middle of October 2003. This backdoor is a minor variant of Agobot.p, so it has very similar features. The description of Agobot.q can be found here: http://www.f-secure.com/v-descs/agobot_q.shtml









Submit a sample

Wondering if a file or URL is malicious? Submit a sample to our Lab for analysis via the Sample Analysis System (SAS)



Submit

F-Secure Community

Give advice. Get advice. Share the knowledge on our free discussion forum.



Go to Community