The Agobot.q variant was reported by several customers in the middle of October 2003. This backdoor is a minor variant of Agobot.p, so it has very similar features. The description of Agobot.p can be found here:
The generic description of Agobot can be found here:
The most important step of disinfection is the installation of security patches for the vulnerabilities exploited by Agobot.
Detailed information and patches are available from the following pages:
RPC/DCOM (MS03-026, fixed by MS03-039):
The neccessary patches can be downloaded from the pages above under the "Patch availability" section.
F-Secure Anti-Virus with the latest updates can detect and delete the Agobot infected files.
Find the latest advice in our Community Knowledge Base.
See the manual for your F-Secure product on the Help Center.
Submit a file or URL for further analysis.
There are some differences between P and Q variants of the backdoor:
The Agobot.q variant copies itself as IEXPLORER.EXE and WINHLPP32.EXE files to an infected system.
Agobot.q has a bit different list of other malware processes that it tries to terminate:
tftpd.exe dllhost.exe winppr32.exe mspatch.exe penis32.exe msblast.exe scvhosl.exe