Threat Description

Backdoor:​W32/​Agobot

Details

Aliases: Backdoor:W32/Agobot
Category: Malware
Type: Backdoor
Platform: W32

Summary


A remote administration utility which bypasses normal security mechanisms to secretly control a program, computer or network.



Removal


Automatic action

Once detected, the F-Secure security product will automatically disinfect the suspect file by either deleting it or renaming it.

More scanning & removal options

More information on scanning or removal options is available in the documentation for your F-Secure security product on the Downloads section of our Home - Global site.

You may also refer to the Knowledge Base on the F-Secure Community site for further assistance.

Network Disinfection

For general instructions on disinfecting a local network infection, please see Eliminating A Local Network Outbreak.

Manual Disinfection

Caution: Manual disinfection is a risky process; it is recommended only for advanced users.

Manual disinfection for Agobot backdoor requires renaming of an infected file, usually located in Windows or Windows System folder and restarting a system. Please note that the backdoor's file may have read-only, system and hidden attributes, so Windows Explorer has to be configured to show such files.



Technical Details


Agobot is an IRC-controlled backdoor with network spreading capabilities.

When spreading it can exploit several vulnerabilities:

  • RPC/DCOM (MS03-026)
  • RPC/Locator (MS03-001)
  • WebDAV (MS03-007)

RPC/DCOM and RPC/Locator is used when the worm tries to spread automatically.

Other spreading methods like the WebDAV exploit can be activated through IRC commands.


Variant:Agobot.F

The Agobot.f variant was reported by several customers in the beginning of September 2003. This backdoor has functionality similar to previous variants. The description of Agobot.f can be found here: http://www.f-secure.com/v-descs/agobot_f.shtml


Variant:Agobot.AX

This backdoor variant is functionaly similar to the previous variants, but it is more powerful than earlier versions. The description of Agobot.AX is available here: http://www.f-secure.com/v-descs/agobot_ax.shtml


Variant:Agobot.P

The Agobot.p variant was reported by several customers in the middle of October 2003. This backdoor has functionality similar to previous variants. The description of Agobot.p can be found here: http://www.f-secure.com/v-descs/agobot_p.shtml


Variant:Agobot.Q

The Agobot.q variant was reported by several customers in the middle of October 2003. This backdoor is a minor variant of Agobot.p, so it has very similar features. The description of Agobot.q can be found here: http://www.f-secure.com/v-descs/agobot_q.shtml






SUBMIT A SAMPLE

Suspect a file or URL was wrongly detected? Submit a sample to our Labs for analysis

Submit Now

Give And Get Advice

Give advice. Get advice. Share the knowledge on our free discussion forum.

Learn More