W32/Agobot-GT is an IRC backdoor Trojan and network worm.
W32/Agobot-GT copies itself to network shares protected by weak passwords.
When first run W32/Agobot-GT copies itself to the Windows system folder as Nivopsvc.exe. The worm then sets the following registry entries to ensure it is
run at system logon:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Video Process = Nivopsvc.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
Video Process = Nivopsvc.exe
On NT-based versions of Windows the worm creates a new service named "Video Process" with the startup property set to automatic, so that the service starts automatically each time Windows is started.
Each time W32/Agobot-GT is run it attempts to connect to a remote IRC server
and join a specific channel. The worm then runs in the background allowing a remote intruder to issue commands which control the computer via IRC channels.
W32/Agobot-GT will terminate and disable various anti-virus and security related programs.