1. Skip to navigation
  2. Skip to content
  3. Skip to secondary-content

Where You Are

  1. Labs
  2. Threats
  3. Virus and threat descriptions
  4. Backdoor:W32/Agobot

Backdoor:W32/Agobot

Name : Backdoor:W32/Agobot
Category:Malware
Type:Backdoor
Platform:W32

Summary

A remote administration utility which bypasses normal security mechanisms to secretly control a program, computer or network.

Disinfection

Automatic Disinfection

Allow F-Secure Anti-Virus to disinfect the relevant files.

For more general information on disinfection, please see Removal Instructions.


Eliminating a Local Network Outbreak

If the infection is in a local network, please follow the instructions on this webpage:


Manual Disinfection

Caution: Manual disinfection is a risky process; it is only recommended for advanced users.

Manual disinfection for Agobot backdoor requires renaming of an infected file, usually located in Windows or Windows System folder and restarting a system. Please note that the backdoor's file may have read-only, system and hidden attributes, so Windows Explorer has to be configured to show such files.

Additional Details

Agobot is an IRC-controlled backdoor with network spreading capabilities.

When spreading it can exploit several vulnerabilities:

  •  RPC/DCOM (MS03-026)
  •  RPC/Locator (MS03-001)
  • WebDAV (MS03-007)

RPC/DCOM and RPC/Locator is used when the worm tries to spread automatically.

Other spreading methods like the WebDAV exploit can be activated through IRC commands.


Variant:Agobot.AX

This backdoor variant is functionaly similar to the previous variants, but it is more powerful than earlier versions. The description of Agobot.AX is available here: http://www.f-secure.com/v-descs/agobot_ax.shtml


Variant:Agobot.F

The Agobot.f variant was reported by several customers in the beginning of September 2003. This backdoor has functionality similar to previous variants. The description of Agobot.f can be found here: http://www.f-secure.com/v-descs/agobot_f.shtml


Variant:Agobot.P

The Agobot.p variant was reported by several customers in the middle of October 2003. This backdoor has functionality similar to previous variants. The description of Agobot.p can be found here: http://www.f-secure.com/v-descs/agobot_p.shtml


Variant:Agobot.Q

The Agobot.q variant was reported by several customers in the middle of October 2003. This backdoor is a minor variant of Agobot.p, so it has very similar features. The description of Agobot.q can be found here: http://www.f-secure.com/v-descs/agobot_q.shtml