Threat description



The Agobot.q variant was reported by several customers in the middle of October 2003. This backdoor is a minor variant of Agobot.p, so it has very similar features. The description of Agobot.p can be found here:

The generic description of Agobot can be found here:


The most important step of disinfection is the installation of security patches for the vulnerabilities exploited by Agobot.

Detailed information and patches are available from the following pages:

RPC/DCOM (MS03-026, fixed by MS03-039):

RPC/Locator (MS03-001):

WebDAV (MS03-007):

The neccessary patches can be downloaded from the pages above under the "Patch availability" section.

F-Secure Anti-Virus with the latest updates can detect and delete the Agobot infected files.

Technical Details

There are some differences between P and Q variants of the backdoor:

The Agobot.q variant copies itself as IEXPLORER.EXE and WINHLPP32.EXE files to an infected system.

Agobot.q has a bit different list of other malware processes that it tries to terminate:

 tftpd.exe  dllhost.exe  winppr32.exe  mspatch.exe  penis32.exe  msblast.exe  scvhosl.exe  

Detection for Agobot.q variant was published on 15th of October, 2003 in update:

Detection Type: PC

Database: 2003-10-15_02

Submit a Sample

Suspect a file or URL was wrongly detected?
Send it to our Labs for further analysis

Submit a Sample

Give And Get Advice

Give advice. Get advice. Share the knowledge on our free discussion forum.

More Info