Eng
  1. Skip to navigation
  2. Skip to content
  3. Skip to sidebar


Backdoor:W32/Agobot


Aliases:


Backdoor:W32/Agobot

Malware
Backdoor
W32

Summary

A remote administration utility which bypasses normal security mechanisms to secretly control a program, computer or network.



Disinfection & Removal


Automatic Disinfection

Allow F-Secure Anti-Virus to disinfect the relevant files.For more general information on disinfection, please see Removal Instructions.


Network Disinfection

For general instructions on disinfecting a local network infection, please see Eliminating A Local Network Outbreak.


Manual Disinfection

Caution: Manual disinfection is a risky process; it is recommended only for advanced users.

Manual disinfection for Agobot backdoor requires renaming of an infected file, usually located in Windows or Windows System folder and restarting a system. Please note that the backdoor's file may have read-only, system and hidden attributes, so Windows Explorer has to be configured to show such files.



Technical Details

Agobot is an IRC-controlled backdoor with network spreading capabilities.

When spreading it can exploit several vulnerabilities:

  • RPC/DCOM (MS03-026)
  • RPC/Locator (MS03-001)
  • WebDAV (MS03-007)

RPC/DCOM and RPC/Locator is used when the worm tries to spread automatically.

Other spreading methods like the WebDAV exploit can be activated through IRC commands.


Variant:Agobot.F

The Agobot.f variant was reported by several customers in the beginning of September 2003. This backdoor has functionality similar to previous variants. The description of Agobot.f can be found here: http://www.f-secure.com/v-descs/agobot_f.shtml


Variant:Agobot.AX

This backdoor variant is functionaly similar to the previous variants, but it is more powerful than earlier versions. The description of Agobot.AX is available here: http://www.f-secure.com/v-descs/agobot_ax.shtml


Variant:Agobot.P

The Agobot.p variant was reported by several customers in the middle of October 2003. This backdoor has functionality similar to previous variants. The description of Agobot.p can be found here: http://www.f-secure.com/v-descs/agobot_p.shtml


Variant:Agobot.Q

The Agobot.q variant was reported by several customers in the middle of October 2003. This backdoor is a minor variant of Agobot.p, so it has very similar features. The description of Agobot.q can be found here: http://www.f-secure.com/v-descs/agobot_q.shtml







Submit a sample




Wondering if a file or URL is malicious? Submit a sample to our Lab for analysis via the Sample Analysis System (SAS)

Give And Get Advice




Give advice. Get advice. Share the knowledge on our free discussion forum.

Scan and clean your PC




F-Secure Online Scanner will scan and clean your PC in just a few minutes for free