W32/Agobot-AHZ

Category: Viruses and Spyware Protection available since:19 Apr 2007 00:00:00 (GMT)
Type: Win32 worm Last Updated:19 Apr 2007 00:00:00 (GMT)
Prevalence: Small Number of Reports

Download Download our free Virus Removal Tool - Find and remove threats your antivirus missed

W32/Agobot-AHZ is a worm with backdoor functionality which allows a remote intruder to gain access and control over the computer.

W32/Agobot-AHZ is a worm with backdoor functionality which allows a remote intruder to gain access and control over the computer.

W32/Agobot-AHZ spreads to other network computers by exploiting common buffer overflow vulnerabilities, including:

LSASS (MS04-011)
SRVSVC (MS06-040)
RPC-DCOM (MS04-012)
WKS (MS03-049) (CAN-2003-0812)
WebDav (MS03-007)
UPNP (MS01-059)
Dameware (CAN-2003-1030)

When first run W32/Agobot-AHZ copies itself to <System>\nundll32.exe.

The following registry entries are created to run nundll32.exe on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Microsoft Installshield
nundll32.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
Microsoft Installshield
nundll32.exe

download Try Sophos products for free
Download now

© 1997 - 2012 Sophos Ltd. All rights reserved. Legal Privacy