Backdoor:W32/Agobot.Q

Classification

Malware

-

-

Agobot.Q, Backdoor.Agobot.3.q, W32.HLLW.Gaobot, Gaobot, Win32/Gaobot

Summary

The Agobot.q variant was reported by several customers in the middle of October 2003. This backdoor is a minor variant of Agobot.p, so it has very similar features. The description of Agobot.p can be found here:

https://www.europe.f-secure.com/v-descs/agobot_p.shtml

The generic description of Agobot can be found here:

https://www.europe.f-secure.com/v-descs/agobot.shtml

Removal

The most important step of disinfection is the installation of security patches for the vulnerabilities exploited by Agobot.

Detailed information and patches are available from the following pages:

RPC/DCOM (MS03-026, fixed by MS03-039):

https://www.microsoft.com/technet/security/bulletin/MS03-039.asp

RPC/Locator (MS03-001):

https://www.microsoft.com/technet/security/bulletin/MS03-001.asp

WebDAV (MS03-007):

https://www.microsoft.com/technet/security/bulletin/MS03-007.asp

The neccessary patches can be downloaded from the pages above under the "Patch availability" section.

F-Secure Anti-Virus with the latest updates can detect and delete the Agobot infected files.

Suspect a file is incorrectly detected (a False Positive)?

A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:

  • Check for the latest database updates

    First check if your F-Secure security program is using the latest detection database updates, then try scanning the file again.

  • Submit a sample

    After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.

    NOTE If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.

  • Exclude a file from further scanning

    If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.

    Note You need administrative rights to change the settings.

Find out more

Knowledge Base

Find the latest advice in our Community Knowledge Base.

User Guide

See the user guide for your product on the Help Center.

Contact Support

Chat with or call an expert for help.

Submit a sample

Submit a file or URL for further analysis.

Technical Details

There are some differences between P and Q variants of the backdoor:

The Agobot.q variant copies itself as IEXPLORER.EXE and WINHLPP32.EXE files to an infected system.

Agobot.q has a bit different list of other malware processes that it tries to terminate:

 tftpd.exe
dllhost.exe
winppr32.exe
mspatch.exe
penis32.exe
msblast.exe
scvhosl.exe