W32/Agobot-VB is a backdoor Trojan and worm which spreads to computers
protected by weak passwords.
When first run, W32/Agobot-VB copies itself to the Windows system folder as
uu.exe and creates the following registry entries to run itself on startup:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\yx=uu.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\yx=uu.exe
The Trojan runs continuously in the background providing backdoor access to
the computer.
The Trojan attempts to terminate and disable various anti-virus and security
related programs and modifies the HOSTS file located at
%WINDOWS%\System32\Drivers\etc\HOSTS, mapping selected anti-virus
websites to the loopback address 127.0.0.1 in an attempt to prevent access to these sites.
W32/Agobot-VB queries the following websites to test internet connectivity:
www.microsoft.com
www.level3.com
www.nifty.com
www.akamai.com
www.ryan1918.org
www.ryan1918.net
www.google.com
de.yahoo.com
www.xo.net
www.lib.nthu.edu.tw
www.belwue.de
e.yotta-byte.net