
Agobot.Q

Classification

Category: Malware

Type: -

Aliases: Agobot.Q, Backdoor.Agobot.3.q, W32.HLLW.Gaobot, Gaobot, Win32/Gaobot

Summary


The Agobot.q variant was reported by several customers in the middle of October 2003. This backdoor is a minor variant of Agobot.p, so it has very similar features. The description of Agobot.p can be found here:

https://www.europe.f-secure.com/v-descs/agobot_p.shtml

The generic description of Agobot can be found here:

https://www.europe.f-secure.com/v-descs/agobot.shtml

Removal


The most important step of disinfection is the installation of security patches for the vulnerabilities exploited by Agobot.

Detailed information and patches are available from the following pages:

RPC/DCOM (MS03-026, fixed by MS03-039):

https://www.microsoft.com/technet/security/bulletin/MS03-039.asp

RPC/Locator (MS03-001):

https://www.microsoft.com/technet/security/bulletin/MS03-001.asp

WebDAV (MS03-007):

https://www.microsoft.com/technet/security/bulletin/MS03-007.asp

The necessary patches can be downloaded from the pages above under the "Patch availability" section.

F-Secure Anti-Virus with the latest updates can detect and delete the Agobot-infected files.


Technical Details


There are some differences between the P and Q variants of the backdoor:

The Agobot.q variant copies itself to an infected system as IEXPLORER.EXE and WINHLPP32.EXE.

Agobot.q has a slightly different list of other malware processes that it tries to terminate:

tftpd.exe
dllhost.exe
winppr32.exe
mspatch.exe
penis32.exe
msblast.exe
scvhosl.exe
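
For triage, the two copy names and the terminate list above can be matched against a file or process listing. The following is an added example, not F-Secure's code; it goes beyond the page by also flagging near-miss spellings of a small allowlist of genuine Windows binaries (the `LEGIT` set, the sample paths and the function names are assumptions).

```python
# Added example: triage file/process names against the names on this page.
AGOBOT_Q_COPIES = {"iexplorer.exe", "winhlpp32.exe"}             # from the page
TERMINATE_LIST = {"tftpd.exe", "dllhost.exe", "winppr32.exe", "mspatch.exe",
                  "penis32.exe", "msblast.exe", "scvhosl.exe"}   # from the page
# Assumption: partial allowlist of genuine Windows binary names.
LEGIT = {"iexplore.exe", "winhlp32.exe", "svchost.exe", "explorer.exe"}


def edit_distance(a, b):
    """Levenshtein distance, single-row dynamic programming."""
    row = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        prev, row[0] = row[0], i
        for j, cb in enumerate(b, 1):
            prev, row[j] = row[j], min(row[j] + 1,         # deletion
                                       row[j - 1] + 1,     # insertion
                                       prev + (ca != cb))  # substitution
    return row[-1]


def classify(path):
    """Return a finding string for one Windows path, or None."""
    name = path.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    if name in AGOBOT_Q_COPIES:
        return "agobot.q copy name"
    if name in TERMINATE_LIST:
        # dllhost.exe is also a genuine Windows file name: confirm by path/hash.
        return "name on agobot.q terminate list"
    if name in LEGIT:
        return None
    near = [good for good in sorted(LEGIT) if edit_distance(name, good) <= 2]
    return "lookalike of " + near[0] if near else None


SAMPLE = [  # constructed listing with made-up directories, not real telemetry
    r"C:\sample\iexplore.exe",
    r"C:\sample\IEXPLORER.EXE",
    r"C:\sample\winhlpp32.exe",
    r"C:\sample\svch0st.exe",
    r"C:\sample\msblast.exe",
]


def triage(paths):
    """Map each flagged path to its finding; unremarkable paths are dropped."""
    findings = {p: classify(p) for p in paths}
    return {p: f for p, f in findings.items() if f}
```

A name match alone is only a lead: the file's location and hash still have to be checked before treating it as infected.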