F-Secure Virus Descriptions : Agobot.Q
NAME: Agobot.Q
ALIAS: Backdoor.Agobot.3.q, W32.HLLW.Gaobot, Gaobot, Win32/Gaobot
The Agobot.q variant was reported by several customers in the
middle of October 2003. This backdoor is a minor variant of
Agobot.p, so it has very similar features. The description
of Agobot.p can be found here:
http://www.europe.f-secure.com/v-descs/agobot_p.shtml
The generic description of Agobot can be found here:
http://www.europe.f-secure.com/v-descs/agobot.shtml
The most important step of disinfection is the installation
of security patches for the vulnerabilities exploited by Agobot.
Detailed information and patches are available from the following
pages:
RPC/DCOM (MS03-026, fixed by MS03-039):
http://www.microsoft.com/technet/security/bulletin/MS03-039.asp
RPC/Locator (MS03-001):
http://www.microsoft.com/technet/security/bulletin/MS03-001.asp
WebDAV (MS03-007):
http://www.microsoft.com/technet/security/bulletin/MS03-007.asp
The necessary patches can be downloaded from the pages above
under the "Patch availability" section.
F-Secure Anti-Virus with the latest updates can detect and delete
Agobot-infected files.
There are some differences between the P and Q variants of the
backdoor:
The Agobot.q variant copies itself to an infected system as
IEXPLORER.EXE and WINHLPP32.EXE.
Agobot.q has a slightly different list of other malware processes
that it tries to terminate:
tftpd.exe
dllhost.exe
winppr32.exe
mspatch.exe
penis32.exe
msblast.exe
scvhosl.exe
Detection for the Agobot.q variant was published on the 15th of
October, 2003 in update:
[FSAV_Database_Version]
Version=2003-10-15_02
Technical Details:
Alexey Podrezov; October 17th, 2003;
Description Updated:
Alexey Podrezov, November 26th, 2003;
F-Secure Corporation