W32/Agobot-LF is a network worm which also allows unauthorised remote access to the computer via IRC channels.
W32/Agobot-LF copies itself to network shares with weak passwords and attempts to spread to computers using the DCOM RPC and the RPC locator vulnerabilities.
These vulnerabilities allow the worm to execute its code on target computers with System-level privileges. For further information on these vulnerabilities and for details on how to protect/patch the computer against such attacks, please see Microsoft security bulletins MS03-026 and MS03-001. MS03-026 has been superseded by Microsoft security bulletin MS03-039.
W32/Agobot-LF moves itself to the Windows system folder as winlog.exe and creates the following registry entries to run itself on system startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
Windows Login = winlog.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\
Windows Login = winlog.exe
On NT-based versions of Windows the worm creates a new service named "Windows Login" with the startup property set to automatic, so that the service starts automatically each time Windows is started.
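
The two startup entries listed above can be checked for in saved `reg query` output collected from a host. The following is an added example, not part of the original description: the function names and the sample text are constructed for illustration, and it assumes the text layout that `reg query` prints. It covers only the Run and RunServices values, not the "Windows Login" service.

```python
import re

# Indicators from the description above.
RUN_KEYS = {
    r"hklm\software\microsoft\windows\currentversion\run",
    r"hklm\software\microsoft\windows\currentversion\runservices",
}
VALUE_NAME, VALUE_EXE = "windows login", "winlog.exe"

# Constructed sample in the layout `reg query` prints (not from a real host).
SAMPLE = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    ctfmon    REG_SZ    C:\WINDOWS\system32\ctfmon.exe
    Windows Login    REG_SZ    winlog.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
    Windows Login    REG_SZ    winlog.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Example\Settings
    Windows Login    REG_SZ    winlog.exe
"""

def normalise_key(key):
    """Lower-case a key path and shorten the hive name to HKLM."""
    key = key.strip().rstrip("\\").lower()
    return re.sub(r"^hkey_local_machine", "hklm", key)

def parse_reg_query(text):
    """Yield (key, value name, data) tuples from `reg query` text output."""
    key = None
    for line in text.splitlines():
        m = re.match(r"\s+(.+?)\s{2,}REG_\w+\s{2,}(.*)$", line)
        if m and key:
            yield key, m.group(1), m.group(2).strip()
        elif line.strip() and not line[0].isspace():  # unindented key header
            key = normalise_key(line)

def find_agobot_lf_autoruns(text):
    """Return autorun values matching both the name and the file name."""
    hits = []
    for key, name, data in parse_reg_query(text):
        exe = re.search(r'([^\\/"]+\.exe)', data, re.IGNORECASE)
        if (key in RUN_KEYS and name.lower() == VALUE_NAME
                and exe and exe.group(1).lower() == VALUE_EXE):
            hits.append((key, name, data))
    return hits

if __name__ == "__main__":
    for hit in find_agobot_lf_autoruns(SAMPLE):
        print("MATCH:", *hit)
```

The match requires the key, the value name and the executable file name to agree, so the same value under an unrelated key, or a different file name such as winlogon.exe, is not reported.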
W32/Agobot-LF attempts to terminate and disable various anti-virus and security-related programs. It also attempts to terminate processes associated with the W32/Blaster family of worms.
W32/Agobot-LF collects system information and registration keys of popular games that are installed on the computer.