Skip to main content

Choose your country

Backdoor:W32/Agobot.F

Classification

Category:

Malware

Platform:

W32

Type:

Backdoor

Aliases:

  • Agobot.F
  • Backdoor.Agobot.3.f
  • W32.HLLW.Gaobot
  • Gaobot
  • Win32/Gaobot

Summary

The Agobot.f variant was reported by several customers in the beginning of September 2003. This backdoor has functionality similar to previous variants. The generic description of Agobot can be found here:

https://www.f-secure.com/v-descs/agobot

Removal

Technical Details

System infection

When Agobot enters a system first it copies itself to the System Directory using the filename 'scvhost.exe'. This file is then added to the registry as
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Config Loader]
and
[HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\Config Loader]

IRC backdoor

After startup Agobot connects to a predefined IRC server on port 9900. On the server it joins a channel and awaits for further commands.
The IRC interface provides the remote attacker with a set of commands to
- control the bot (IRC name it uses, IRC channel, etc.).
- download and execute arbitrary programs on the computer
- scan for vulnerable hosts and install the worm on them
- perform Distributed Denial of Service (DDoS) attacks
- use the infected as a TCP proxy
- steal CD keys of games

Network propagation

Agobot has several different methods to spread through the network.
The RPC/DCOM and RPC/Locator vulnerability based spreading routines are enabled by default. The worm starts to scan for vulnerable hosts with these upon execution.
Using these exploits Agobot scans random IP addresses. If it can successfully penetrate a host it downloads itself there. The download comes from the attacker host from a random port where the worm runs a simple server that responds with the worm as an answer when connected. The worm is copied to a file on the remote host to a file called 'winhlpp32.exe' and started.
Other method of spreading uses the WebDAV (MS03-007) vulnerability to copy the worm to the remote host.
To propagate in local area networks Agobot has a separate routine that connect to Windows computers and tries to copy itself using the Administrator account trying with different trivial passwords. The worm has the translated names for administrator (eg. Administrateur) and a list of insecure passwords like 'password', 'xyz' etc.

Protect your devices from malware with F‑Secure Total

Protecting your devices from malicious software is essential for maintaining online security. F‑Secure Total makes this easy, helping you to secure your devices in a brilliantly simple way.

  • Award‑winning antivirus and malware protection
  • Online browsing, banking, and shopping protection
  • 24/7 online identity and data breach monitoring
  • Unlimited VPN service to safe­guard your privacy
  • Password manager with private data protection

Choose how many devices you want to protect to get started.

  • Free customer support
  • Cancel anytime
  • The trial does not obligate you to buy the product
Try Total 30 days for free

After 30 days your subscription will renew automatically for one year at €69.99.

More Support

Community

Ask questions in our Community.

User guides

Check the user guide for instructions.

Contact Support

Chat with with or call an agent.

Submit a Sample

Submit a file or URL for analysis.