W32/Agobot-MW

Category: Viruses and Spyware
Type: Win32 worm
Prevalence:


W32/Agobot-MW is a backdoor Trojan and worm which spreads to computers protected by weak passwords.

W32/Agobot-MW attempts to connect to a remote IRC server and join a specific channel. W32/Agobot-MW then runs continuously in the background, allowing a remote intruder to access and control the computer via IRC channels.

The Trojan attempts to terminate and disable various anti-virus and security related programs and modifies the HOSTS file located at %WINDOWS%\System32\Drivers\etc\HOSTS, mapping selected anti-virus websites to the loopback address 127.0.0.1 in an attempt to prevent access to these sites.

When first run, W32/Agobot-MW copies itself to the Windows system folder as wintel.exe and creates the following registry entries to run itself on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
Windows Telnet Server

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\
Windows Telnet Server

Sophos anti-virus products since version 3.85 have been capable of detecting this worm as W32/Agobot-Fam without requiring an update.
