F-Secure Virus Descriptions : Agobot.FO

 [HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
 "nVidia Chip4" = "nvchip4.exe"

 [HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices]
 "nVidia Chip4" = "nvchip4.exe"

This allows the backdoor's file to start with every Windows session. On Windows NT-based systems the backdoor can start as a service.

Creating an IRC bot

The backdoor is controlled via an IRC bot, that is created on a certain IRC server in a specific channel when the backdoor's file is active. The following oprerations can be performed with via a bot:

 * display bot info
 * terminate bot
 * resolve host/ip by DNS
 * start an executable file
 * display current bot ID
 * change a nickname of a bot
 * open any file
 * remove bot
 * remove bot if it doesn't match certain criteria
 * generate random name for a bot
 * get bot status
 * display system info
 * check bot's uptime
 * quit the bot
 * flush bot's DNS cache
 * delete shares and disable DCOM
 * re-create shares and enable DCOM
 * run a command on a system
 * repeat the last action
 * enable or disable shell handler
 * list all available commands
 * redirect HTTPS traffic
 * redirect HTTP traffic
 * redirect traffic on certian sockets
 * load a plugin (unloading is not supported yet)
 * change IRC server that the bot connects to
 * reconned to IRC server
 * send a raw message to IRC server
 * send a private message
 * part a channel
 * print network info
 * change channel mode
 * gets host info
 * join a specified channel
 * checks if working from .edu domain
 * disconnect from IRC
 * enable sniffers (http, ftp, irc, bot)
 * spam AOL channel
 * enable IdentD server
 * save/load configuration settings to a file
 * accesses certain variables in configuration file
 * enable/disable starting as a service
 * adds/deletes autostart key in the Registry
 * execute command if certain conditions are met
 * download and execute a file from an ftp server
 * update the bot from an ftp server
 * download a file from ftp server
 * update the bot from http server
 * download a file from http server
 * visit a specified URL
 * log off current user
 * shutdown a computer
 * reboot a computer
 * kill specified process
 * list all processes

Scanning for vulnerable computers

The backdoor can scan subnets for exploitable computers and send a list of their IPs to the bot operator. The scan is performed on ports 80, 135 and 445 for RPC/DCOM (MS03-026), RPC/Locator (MS03-001) and WebDAV (MS03-007) vulnerabilities. The backdoor can also scan for computers infected with MyDoom worm (port 3127), Bagle worm (port 2745) and also for computers where DameWare remote system management software is installed (port 6129).

Performing a DDoS attack

The backdoor can perform the following types of DDoS (Distributed Denial of Service) attacks:

 * HTTP flood
 * SYN flood
 * UDP flood
 * ICMP flood

When performing a DDoS attack, the backdoor uses 33 unique client identifiers including Mozilla, Wget, Scooter, Webcrawler and Google bot.

The backdoor sends 256000 bytes of random data to the following websites and checks the response times:

 www.schlund.net
 www.utwente.nl
 www.xo.net
 www.stanford.edu
 www.lib.nthu.edu.tw
 www.st.lib.keio.ac.jp

Collecting e-mail addresses

The bot can harvest e-mail addresses. It has the functionality to read user's Address Book and send the list of e-mail addresses to the bot operator.

Obtainint Registry info

The backdoor has the functionality to obtain System Registry info from an infected computer. This is a new feature for Agobot backdoor. Information obtained from the Registry can give a hacker a full overview of an infected system.

Spreading to local network

Agobot backdoor can scan computers on local network and copy itself there. The scan is initiated by a remote hacker. When spreading to local network, Agobot.FO probes the following shares:

 admin$
 c$
 d$
 e$
 print$
 c

Agobot.FO tries to connect using the following account names:

 Administrator
 Administrateur
 Coordinatore
 Administrador
 Verwalter
 Ospite
 kanri
 kanri-sha
 admin
 administrator
 Default
 Convidado
 mgmt
 Standard
 User
 Administrator
 administrador
 Owner
 user
 server
 Test
 Guest
 Gast
 Inviter
 a
 aaa
 abc
 x
 xyz
 Dell
 home
 pc
 test
 temp
 win
 asdf
 qwer
 OEM
 root
 wwwadmin
 login
 owner
 mary
 admins
 computer
 xp
 OWNER
 mysql
 database
 teacher
 student

When connecting, Agobot.FO uses the following passwords:

 103015
 admin
 Admin
 password
 Password
 1
 12
 123
 1234
 !@#$
 asdfgh
 !@#$%
 !@#$%^
 !@#$%^&
 !@#$%^&*
 WindowsXP
 windows2k
 windowsME
 windows98
 windoze
 hax
 dude
 owned
 lol
 ADMINISTRATOR
 rooted
 noob
 TEMP
 share
 r00t
 ROOT
 TEST
 SYSTEM
 LOCAL
 SERVER
 ACCESS
 BACKUP
 computer
 fucked
 gay
 idiot
 Internet
 test
 2003
 2004
 backdoor
 whore
 wh0re
 CNN
 pwned
 own
 crash
 passwd
 PASSWD
 devil
 linux
 UNIX
 feds
 fish
 changeme
 ASP
 PHP
 666
 BOX
 Box
 box
 12345
 123456
 1234567
 12345678
 123456789
 654321
 54321
 111
 000000
 00000000
 11111111
 88888888
 pass
 passwd
 database
 abcd
 oracle
 sybase
 123qwe
 server
 computer
 Internet
 super
 123asd
 ihavenopass
 godblessyou
 enable
 xp
 2002
 2003
 2600
 0
 110
 111111
 121212
 123123
 1234qwer
 123abc
 007
 alpha
 patrick
 pat
 administrator
 root
 sex
 god
 foobar
 a
 aaa
 abc
 test
 temp
 win
 pc
 asdf
 secret
 qwer
 yxcv
 zxcv
 home
 xxx
 owner
 login
 Login
 Coordinatore
 Administrador
 Verwalter
 Ospite
 administrator
 Default
 administrador
 admins
 teacher
 student
 superman
 supersecret
 kids
 penis
 wwwadmin
 database
 changeme
 test123
 user
 private
 69
 root
 654321
 xxyyzz
 asdfghjkl
 mybaby
 vagina
 pussy
 leet
 metal
 work
 school
 mybox
 box
 werty
 baby
 porn
 homework
 secrets
 x
 z
 qwertyuiop
 secret
 Administrateur
 abc123
 password123
 red123
 qwerty
 admin123
 zxcvbnm
 poiuytrewq
 pwd
 pass
 love
 mypc
 mypass
 pw

If the worm succeeds connecting to the above listed shares, it copies itself to a remote share and attempts to start that file as a service. The alternative way of infecting a remote host is to create a scheduled task on a remote computer that will start the backdoor's file.

Teminating processes of security and anti-virus programs

Agobot.FO has a huge list of process file names hardcoded in its body. The backdoor tries to terminate processes that have the following names:

 _AVPM.EXE
 _AVPCC.EXE
 _AVP32.EXE
 ZONEALARM.EXE
 ZONALM2601.EXE
 ZATUTOR.EXE
 ZAPSETUP3001.EXE
 ZAPRO.EXE
 XPF202EN.EXE
 WYVERNWORKSFIREWALL.EXE
 WUPDT.EXE
 WUPDATER.EXE
 WSBGATE.EXE
 WRCTRL.EXE
 WRADMIN.EXE
 WNT.EXE
 WNAD.EXE
 WKUFIND.EXE
 WINUPDATE.EXE
 WINTSK32.EXE
 WINSTART001.EXE
 WINSTART.EXE
 WINSSK32.EXE
 WINSERVN.EXE
 WINRECON.EXE
 WINPPR32.EXE
 WINNET.EXE
 WINMAIN.EXE
 WINLOGIN.EXE
 WININITX.EXE
 WININIT.EXE
 WININETD.EXE
 WINDOWS.EXE
 WINDOW.EXE
 WINACTIVE.EXE
 WIN32US.EXE
 WIN32.EXE
 WIN-BUGSFIX.EXE
 WIMMUN32.EXE
 WHOSWATCHINGME.EXE
 WGFE95.EXE
 WFINDV32.EXE
 WEBTRAP.EXE
 WEBSCANX.EXE
 WEBDAV.EXE
 WATCHDOG.EXE
 W9X.EXE
 W32DSM89.EXE
 VSWINPERSE.EXE
 VSWINNTSE.EXE
 VSWIN9XE.EXE
 VSSTAT.EXE
 VSMON.EXE
 VSMAIN.EXE
 VSISETUP.EXE
 VSHWIN32.EXE
 VSECOMR.EXE
 VSCHED.EXE
 VSCENU6.02D30.EXE
 VSCAN40.EXE
 VPTRAY.EXE
 VPFW30S.EXE
 VPC42.EXE
 VPC32.EXE
 VNPC3000.EXE
 VNLAN300.EXE
 VIRUSMDPERSONALFIREWALL.EXE
 VIR-HELP.EXE
 VFSETUP.EXE
 VETTRAY.EXE
 VET95.EXE
 VET32.EXE
 VCSETUP.EXE
 VBWINNTW.EXE
 VBWIN9X.EXE
 VBUST.EXE
 VBCONS.EXE
 VBCMSERV.EXE
 UTPOST.EXE
 UPGRAD.EXE
 UPDAT.EXE
 UNDOBOOT.EXE
 TVTMD.EXE
 TVMD.EXE
 TSADBOT.EXE
 TROJANTRAP3.EXE
 TRJSETUP.EXE
 TRJSCAN.EXE
 TRICKLER.EXE
 TRACERT.EXE
 TITANINXP.EXE
 TITANIN.EXE
 TGBOB.EXE
 TFAK5.EXE
 TFAK.EXE
 TEEKIDS.EXE
 TDS2-NT.EXE
 TDS2-98.EXE
 TDS-3.EXE
 TCM.EXE
 TCA.EXE
 TC.EXE
 TBSCAN.EXE
 TAUMON.EXE
 TASKMON.EXE
 TASKMO.EXE
 TASKMG.EXE
 SYSUPD.EXE
 SYSTEM32.EXE
 SYSTEM.EXE
 SYSEDIT.EXE
 SYMTRAY.EXE
 SYMPROXYSVC.EXE
 SWEEPNET.SWEEPSRV.SYS.SWNETSUP.EXE
 SWEEP95.EXE
 SVSHOST.EXE
 SVCHOSTS.EXE
 SVCHOSTC.EXE
 SVC.EXE
 SUPPORTER5.EXE
 SUPPORT.EXE
 SUPFTRL.EXE
 STCLOADER.EXE
 START.EXE
 ST2.EXE
 SSG_4104.EXE
 SSGRATE.EXE
 SS3EDIT.EXE
 SRNG.EXE
 SREXE.EXE
 SPYXX.EXE
 SPOOLSV32.EXE
 SPOOLCV.EXE
 SPOLER.EXE
 SPHINX.EXE
 SPF.EXE
 SPERM.EXE
 SOFI.EXE
 UPDATE.EXE
 SOAP.EXE
 SMSS32.EXE
 SMS.EXE
 SMC.EXE
 SHOWBEHIND.EXE
 SHN.EXE
 SHELLSPYINSTALL.EXE
 SH.EXE
 SGSSFW32.EXE
 SFC.EXE
 SETUP_FLOWPROTECTOR_US.EXE
 SETUPVAMEEVAL.EXE
 SERVLCES.EXE
 SERVLCE.EXE
 SERVICE.EXE
 SERV95.EXE
 SD.EXE
 SCVHOST.EXE
 SCRSVR.EXE
 SCRSCAN.EXE
 SCANPM.EXE
 SCAN95.EXE
 SCAN32.EXE
 SCAM32.EXE
 SC.EXE
 SBSERV.EXE
 SAVENOW.EXE
 SAVE.EXE
 SAHAGENT.EXE
 SAFEWEB.EXE
 RUXDLL32.EXE
 RUNDLL16.EXE
 RUNDLL.EXE
 RUN32DLL.EXE
 RULAUNCH.EXE
 RTVSCN95.EXE
 RTVSCAN.EXE
 RSHELL.EXE
 RRGUARD.EXE
 RESCUE32.EXE
 RESCUE.EXE
 REGEDT32.EXE
 REGEDIT.EXE
 REGED.EXE
 REALMON.EXE
 RCSYNC.EXE
 RB32.EXE
 RAY.EXE
 RAV8WIN32ENG.EXE
 RAV7WIN.EXE
 RAV7.EXE
 RAPAPP.EXE
 QSERVER.EXE
 QCONSOLE.EXE
 PVIEW95.EXE
 PUSSY.EXE
 PURGE.EXE
 PSPF.EXE
 PROTECTX.EXE
 PROPORT.EXE
 PROGRAMAUDITOR.EXE
 PROCEXPLORERV1.0.EXE
 PROCESSMONITOR.EXE
 PROCDUMP.EXE
 PRMVR.EXE
 PRMT.EXE
 PRIZESURFER.EXE
 PPVSTOP.EXE
 PPTBC.EXE
 PPINUPDT.EXE
 POWERSCAN.EXE
 PORTMONITOR.EXE
 PORTDETECTIVE.EXE
 POPSCAN.EXE
 POPROXY.EXE
 POP3TRAP.EXE
 PLATIN.EXE
 PINGSCAN.EXE
 PGMONITR.EXE
 PFWADMIN.EXE
 PF2.EXE
 PERSWF.EXE
 PERSFW.EXE
 PERISCOPE.EXE
 PENIS.EXE
 PDSETUP.EXE
 PCSCAN.EXE
 PCIP10117_0.EXE
 PCFWALLICON.EXE
 PCDSETUP.EXE
 PCCWIN98.EXE
 PCCWIN97.EXE
 PCCNTMON.EXE
 PCCIOMON.EXE
 PCC2K_76_1436.EXE
 PCC2002S902.EXE
 PAVW.EXE
 PAVSCHED.EXE
 PAVPROXY.EXE
 PAVCL.EXE
 PATCH.EXE
 PANIXK.EXE
 PADMIN.EXE
 OUTPOSTPROINSTALL.EXE
 OUTPOSTINSTALL.EXE
 OTFIX.EXE
 OSTRONET.EXE
 OPTIMIZE.EXE
 ONSRVR.EXE
 OLLYDBG.EXE
 NWTOOL16.EXE
 NWSERVICE.EXE
 NWINST4.EXE
 NVSVC32.EXE
 NVC95.EXE
 NVARCH16.EXE
 NUI.EXE
 NTXconfig.EXE
 NTVDM.EXE
 NTRTSCAN.EXE
 NT.EXE
 NSUPDATE.EXE
 NSTASK32.EXE
 NSSYS32.EXE
 NSCHED32.EXE
 NPSSVC.EXE
 NPSCHECK.EXE
 NPROTECT.EXE
 NPFMESSENGER.EXE
 NPF40_TW_98_NT_ME_2K.EXE
 NOTSTART.EXE
 NORTON_INTERNET_SECU_3.0_407.EXE
 NORMIST.EXE
 NOD32.EXE
 NMAIN.EXE
 NISUM.EXE
 NISSERV.EXE
 NETUTILS.EXE
 NETSTAT.EXE
 NETSPYHUNTER-1.2.EXE
 NETSCANPRO.EXE
 NETMON.EXE
 NETINFO.EXE
 NETD32.EXE
 NETARMOR.EXE
 NEOWATCHLOG.EXE
 NEOMONITOR.EXE
 NDD32.EXE
 NCINST4.EXE
 NC2000.EXE
 NAVWNT.EXE
 NAVW32.EXE
 NAVSTUB.EXE
 NAVNT.EXE
 NAVLU32.EXE
 NAVENGNAVEX15.NAVLU32.EXE
 OUTPOST.EXE
 NUPGRADE.EXE
 NAVDX.EXE
 NAVAPW32.EXE
 NAVAPSVC.EXE
 NAVAP.NAVAPSVC.EXE
 AUTO-PROTECT.NAV80TRY.EXE
 NAV.EXE
 N32SCANW.EXE
 MWATCH.EXE
 MU0311AD.EXE
 MSVXD.EXE
 MSSYS.EXE
 MSSMMC32.EXE
 MSMSGRI32.EXE
 MSMGT.EXE
 MSLAUGH.EXE
 MSINFO32.EXE
 MSIEXEC16.EXE
 MSDOS.EXE
 MSDM.EXE
 MSCONFIG.EXE
 MSCMAN.EXE
 MSCCN32.EXE
 MSCACHE.EXE
 MSBLAST.EXE
 MSBB.EXE
 MSAPP.EXE
 MRFLUX.EXE
 MPFTRAY.EXE
 MPFSERVICE.EXE
 MPFAGENT.EXE
 MOSTAT.EXE
 MOOLIVE.EXE
 MONITOR.EXE
 MMOD.EXE
 MINILOG.EXE
 MGUI.EXE
 MGHTML.EXE
 MGAVRTE.EXE
 MGAVRTCL.EXE
 MFWENG3.02D30.EXE
 MFW2EN.EXE
 MFIN32.EXE
 MD.EXE
 MCVSSHLD.EXE
 MCVSRTE.EXE
 MCTOOL.EXE
 MCSHIELD.EXE
 MCMNHDLR.EXE
 MCAGENT.EXE
 MAPISVC32.EXE
 LUSPT.EXE
 LUINIT.EXE
 LUCOMSERVER.EXE
 LUAU.EXE
 LSETUP.EXE
 LORDPE.EXE
 LOOKOUT.EXE
 LOCKDOWN2000.EXE
 LOCKDOWN.EXE
 LOCALNET.EXE
 LOADER.EXE
 LNETINFO.EXE
 LDSCAN.EXE
 LDPROMENU.EXE
 LDPRO.EXE
 LDNETMON.EXE
 LAUNCHER.EXE
 KILLPROCESSSETUP161.EXE
 KERNEL32.EXE
 KERIO-WRP-421-EN-WIN.EXE
 KERIO-WRL-421-EN-WIN.EXE
 KERIO-PF-213-EN-WIN.EXE
 KEENVALUE.EXE
 KAZZA.EXE
 KAVPF.EXE
 MCUPDATE.EXE
 LUALL.EXE
 KAVPERS40ENG.EXE
 KAVLITE40ENG.EXE
 JEDI.EXE
 JDBGMRG.EXE
 JAMMER.EXE
 ISTSVC.EXE
 ISRV95.EXE
 ISASS.EXE
 IRIS.EXE
 IPARMOR.EXE
 IOMON98.EXE
 INTREN.EXE
 INTDEL.EXE
 INIT.EXE
 INFWIN.EXE
 INFUS.EXE
 INETLNFO.EXE
 IFW2000.EXE
 IFACE.EXE
 IEXPLORER.EXE
 IEDRIVER.EXE
 IEDLL.EXE
 IDLE.EXE
 ICSUPPNT.EXE
 ICMON.EXE
 ICLOADNT.EXE
 ICLOAD95.EXE
 IBMAVSP.EXE
 IBMASN.EXE
 IAMSTATS.EXE
 IAMSERV.EXE
 IAMAPP.EXE
 HXIUL.EXE
 HXDL.EXE
 HWPE.EXE
 HTPATCH.EXE
 HTLOG.EXE
 HOTPATCH.EXE
 HOTACTIO.EXE
 HBSRV.EXE
 HBINST.EXE
 HACKTRACERSETUP.EXE
 GUARDDOG.EXE
 GUARD.EXE
 GMT.EXE
 GENERICS.EXE
 GBPOLL.EXE
 GBMENU.EXE
 GATOR.EXE
 FSMB32.EXE
 FSMA32.EXE
 FSM32.EXE
 FSGK32.EXE
 FSAV95.EXE
 FSAV530WTBYB.EXE
 FSAV530STBYB.EXE
 FSAV32.EXE
 FSAV.EXE
 FSAA.EXE
 FRW.EXE
 FPROT.EXE
 FP-WIN_TRIAL.EXE
 FP-WIN.EXE
 FNRB32.EXE
 FLOWPROTECTOR.EXE
 FIREWALL.EXE
 FINDVIRU.EXE
 FIH32.EXE
 FCH32.EXE
 FAST.EXE
 FAMEH32.EXE
 F-STOPW.EXE
 F-PROT95.EXE
 F-PROT.EXE
 F-AGNT95.EXE
 EXPLORE.EXE
 EXPERT.EXE
 EXE.AVXW.EXE
 ICSUPP95.EXE
 EXANTIVIRUS-CNET.EXE
 EVPN.EXE
 ETRUSTCIPE.EXE
 ETHEREAL.EXE
 ESPWATCH.EXE
 ESCANV95.EXE
 ESCANHNT.EXE
 ESCANH95.EXE
 ESAFE.EXE
 ENT.EXE
 EMSW.EXE
 EFPEADM.EXE
 ECENGINE.EXE
 DVP95_0.EXE
 DVP95.EXE
 DSSAGENT.EXE
 DRWEBUPW.EXE
 DRWEB32.EXE
 DRWATSON.EXE
 DPPS2.EXE
 DPFSETUP.EXE
 DPF.EXE
 DOORS.EXE
 DLLREG.EXE
 DLLCACHE.EXE
 DIVX.EXE
 DEPUTY.EXE
 DEFWATCH.EXE
 DEFSCANGUI.EXE
 DEFALERT.EXE
 DCOMX.EXE
 DATEMANAGER.EXE
 Claw95.EXE
 CWNTDWMO.EXE
 CWNB181.EXE
 CV.EXE
 CTRL.EXE
 CPFNT206.EXE
 CPF9X206.EXE
 CPD.EXE
 CONNECTIONMONITOR.EXE
 CMON016.EXE
 CMGRDIAN.EXE
 CMESYS.EXE
 CMD32.EXE
 CLICK.EXE
 CLEANPC.EXE
 CLEANER3.EXE
 CLEANER.EXE
 CLEAN.EXE
 CFINET32.EXE
 CFINET.EXE
 CFIADMIN.EXE
 CFGWIZ.EXE
 CFD.EXE
 CDP.EXE
 CCPXYSVC.EXE
 CCEVTMGR.EXE
 CCAPP.EXE
 BVT.EXE
 BUNDLE.EXE
 BS120.EXE
 BRASIL.EXE
 BPC.EXE
 BORG2.EXE
 BOOTWARN.EXE
 BOOTCONF.EXE
 BLSS.EXE
 BLACKICE.EXE
 BLACKD.EXE
 BISP.EXE
 BIPCPEVALSETUP.EXE
 BIPCP.EXE
 BIDSERVER.EXE
 BIDEF.EXE
 CLAW95CF.EXE
 CFIAUDIT.EXE
 BELT.EXE
 BEAGLE.EXE
 BD_PROFESSIONAL.EXE
 BARGAINS.EXE
 BACKWEB.EXE
 AVXMONITORNT.EXE
 AVXMONITOR9X.EXE
 AVWUPSRV.EXE
 AVWUPD.EXE
 AVWINNT.EXE
 AVWIN95.EXE
 AVSYNMGR.EXE
 AVSCHED32.EXE
 AVPTC32.EXE
 AVPM.EXE
 AVPDOS32.EXE
 AVPCC.EXE
 AVP32.EXE
 AVP.EXE
 AVNT.EXE
 AVLTMAIN.EXE
 AVKWCTl9.EXE
 AVKSERVICE.EXE
 AVKSERV.EXE
 AVKPOP.EXE
 AVGW.EXE
 AVGUARD.EXE
 AVGSERV9.EXE
 AVGSERV.EXE
 AVGNT.EXE
 AVGCTRL.EXE
 AVGCC32.EXE
 AVE32.EXE
 AVCONSOL.EXE
 AU.EXE
 ATWATCH.EXE
 ATRO55EN.EXE
 ATGUARD.EXE
 ATCON.EXE
 ARR.EXE
 APVXDWIN.EXE
 APLICA32.EXE
 APIMONITOR.EXE
 ANTS.EXE
 ANTIVIRUS.EXE
 ANTI-TROJAN.EXE
 AMON9X.EXE
 ALOGSERV.EXE
 ALEVIR.EXE
 ALERTSVC.EXE
 AGENTW.EXE
 AGENTSVR.EXE
 ADVXDWIN.EXE
 ADAWARE.EXE
 ACKWIN32.EXE
 AVXQUAR.EXE
 AVWUPD32.EXE
 AVPUPD.EXE
 AUTOUPDATE.EXE
 AUTOTRACE.EXE
 AUTODOWN.EXE
 AUPDATE.EXE
 ATUPDATER.EXE

This functionality allows the backdoor to successfully disable anti-virus and security software that can not detect this backdoor before it's file is started. In most cases special tools are required to clean a computer infected with this backdoor.

Additionally the backdoor tries to terminate processes that belong to different malware:

 msblast.exe
 penis32.exe
 mspatch.exe
 winppr32.exe
 dllhost.exe
 tftpd.exe

Stealing CD keys and Product IDs

Agobot.FO has the functionality to steal CD keys from the following games:

 Unreal Tournament 2003
 The Gladiators
 Soldiers Of Anarchy
 Shogun Total War: Warlord Edition
 Need For Speed: Underground
 Need For Speed: Hot Pursuit 2
 NHL 2003
 NHL 2002
 Nascar Racing 2003
 Nascar Racing 2002
 Medal of Honor Allied Assault: Spearhead
 Medal of Honor Allied Assault: Breakthrough
 Medal of Honor Allied Assault
 James Bond 007: Nightfire
 Industry Giant 2
 IGI2: Covert Strike
 Hidden And Dangerous 2
 Half-Life
 Gunman Chronicles
 Global Operations
 Freedom Force
 FIFA 2003
 FIFA 2002
 Counter-Strike
 Command and Conquer: Tiberian Sun
 Command and Conquer: Red Alert2
 Command and Conquer: Generals: Zero Hour
 Command and Conquer: Generals
 Black and White
 Battlefield 1942: The Road To Rome
 Battlefield 1942: Secret Weapons Of WWII
 Battlefield 1942

This variant of Agobot also has the functionality to steal Windows Product ID.

Back to the Top

Detection

F-Secure Anti-Virus detects this backdoor as 'Backdoor.Agobot.fo' in the following updates:

[FSAV_Database_Version]

Version=2004-03-09_05

Back to the Top

Technical Details: Alexey Podrezov; March 12th, 2004;

Description Updated: Alexey Podrezov; March 15th, 2004;

F-Secure Corporation