



Backdoor:W32/Agobot

Name: Backdoor:W32/Agobot
Category: Malware
Type: Backdoor
Platform: W32

Summary

A remote administration utility which bypasses normal security mechanisms to secretly control a program, computer or network.

Disinfection

F-Secure Anti-Virus can automatically disinfect a computer infected with Agobot by renaming the backdoor's file. The computer has to be restarted to complete disinfection.

Special Disinfection Utility

F-Secure provides a special disinfection utility to eliminate Agobot backdoor infections. You can download this utility from our ftp site:

  •  http://www.f-secure.com/tools/f-bot.zip
  •  ftp://ftp.f-secure.com/anti-virus/tools/f-bot.zip

The unpacked version is available here:

  •  http://www.f-secure.com/tools/f-bot.exe
  •  ftp://ftp.f-secure.com/anti-virus/tools/f-bot.exe

Disinfection instructions can be found here:

  •  http://www.f-secure.com/tools/f-bot.txt
  •  ftp://ftp.f-secure.com/anti-virus/tools/f-bot.txt

Manual Disinfection

Manual disinfection of the Agobot backdoor requires renaming the infected file, which is usually located in the Windows or Windows System folder, and then restarting the system. Please note that the backdoor's file may have the read-only, system and hidden attributes set, so Windows Explorer has to be configured to show such files.
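
The manual steps above can also be carried out from PowerShell, which lists hidden and system files without changing Explorer settings. This is an added example, not F-Secure's own procedure or tool; the folder layout, the Rename-ConfirmedFile helper, the '.infected' suffix and the placeholder path are assumptions made for illustration.

```powershell
# Added example: list candidate files for manual review, then rename a confirmed one.
# Assumptions: default folder layout under %windir%; Windows PowerShell 3.0 or later.
$folders = @($env:windir, (Join-Path $env:windir 'System32'))
$flags   = [IO.FileAttributes]'ReadOnly, Hidden, System'

# -Force makes Get-ChildItem return hidden and system files, which Explorer hides by default.
$candidates = Get-ChildItem -LiteralPath $folders -Filter *.exe -File -Force -ErrorAction SilentlyContinue |
    Where-Object { ($_.Attributes -band $flags) -ne 0 } |
    ForEach-Object {
        [pscustomobject]@{
            Path       = $_.FullName
            Attributes = $_.Attributes
            Modified   = $_.LastWriteTime
            Signature  = (Get-AuthenticodeSignature -LiteralPath $_.FullName).Status
        }
    }

# Attribute flags alone do not prove infection: review the list, newest first.
$candidates | Sort-Object Modified -Descending | Format-Table -AutoSize

# Hypothetical helper: clear the attributes and rename a file already confirmed as the backdoor.
function Rename-ConfirmedFile {
    param([Parameter(Mandatory)][string]$Path)
    $item = Get-Item -LiteralPath $Path -Force
    $item.Attributes = [IO.FileAttributes]::Normal      # drop read-only, system and hidden
    Rename-Item -LiteralPath $item.FullName -NewName ($item.Name + '.infected') -Force -PassThru
}

# Rename-ConfirmedFile -Path 'C:\PLACEHOLDER\confirmed-file.exe'   # placeholder path, not a real indicator
# Restart-Computer                                                  # restart to complete disinfection
```

Run it from an elevated prompt; legitimate Windows files can also carry these attributes, so the listing only narrows down what to inspect.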

If the infection is in a local network, please see Removal Instructions.

Additional Details

Agobot is an IRC-controlled backdoor with network spreading capabilities.

When spreading it can exploit several vulnerabilities:

  •  RPC/DCOM (MS03-026)
  •  RPC/Locator (MS03-001)
  •  WebDAV (MS03-007)

RPC/DCOM and RPC/Locator are used when the worm tries to spread automatically.

Other spreading methods like the WebDAV exploit can be activated through IRC commands.


Variant: Agobot.F
Description:
The Agobot.f variant was reported by several customers in the beginning of September 2003. This backdoor has functionality similar to previous variants. The description of Agobot.f can be found here: http://www.f-secure.com/v-descs/agobot_f.shtml


Variant: Agobot.AX
Description:
This backdoor variant is functionally similar to the previous variants, but it is more powerful than earlier versions. The description of Agobot.AX is available here: http://www.f-secure.com/v-descs/agobot_ax.shtml


Variant: Agobot.P
Description:
The Agobot.p variant was reported by several customers in the middle of October 2003. This backdoor has functionality similar to previous variants. The description of Agobot.p can be found here: http://www.f-secure.com/v-descs/agobot_p.shtml


Variant: Agobot.Q
Description:
The Agobot.q variant was reported by several customers in the middle of October 2003. This backdoor is a minor variant of Agobot.p, so it has very similar features. The description of Agobot.q can be found here: http://www.f-secure.com/v-descs/agobot_q.shtml