W32/Agobot-MO is a network worm which also allows unauthorised remote
access to the computer via IRC channels.
W32/Agobot-MO attempts to copy itself to network shares with weak passwords and spreads to computers using the DCOM RPC and the RPC locator vulnerabilities.
These vulnerabilities allow the worm to execute its code on target computers
with System level privileges. For further information on these vulnerabilities
and for details on how to protect/patch the computer against such attacks
please see Microsoft security bulletins MS03-026 (now superseded by
MS03-039) and MS03-001.
W32/Agobot-MO attempts to terminate various anti-virus and security processes,
e.g. sweep95, blackice and zonealarm.
In order to run automatically when Windows starts up, W32/Agobot-MO creates a
service called COMS and the following registry entries:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
COM+ System Application = lsas.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
COM+ System Application = lsas.exe
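
A check for the persistence artifacts listed above, as an added PowerShell example that is not part of the original advisory. The function name Test-AgobotMOPersistence and the output fields are this example's own, and matching COMS against both the service name and the display name is an assumption, since the advisory does not say which one it is.

```powershell
# Added example: looks for the W32/Agobot-MO autostart artifacts named in the advisory.
# Key paths, value name, value data and service name come from the advisory text;
# everything else (function name, output shape) is hypothetical.
function Test-AgobotMOPersistence {
    $valueName = 'COM+ System Application'
    $runKeys = @(
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunServices'
    )

    foreach ($key in $runKeys) {
        # RunServices often does not exist on NT-based systems; a missing key or
        # value simply returns nothing here.
        $item = Get-ItemProperty -LiteralPath $key -Name $valueName -ErrorAction SilentlyContinue
        if ($null -eq $item) { continue }

        $data = [string]$item.$valueName
        # Match the file name lsas.exe whether it is bare, quoted or given with a path.
        # The pattern does not match lsass.exe, the Windows process whose name
        # differs by one letter.
        if ($data -match '(^|[\\"])lsas\.exe\b') {
            [pscustomobject]@{
                Type = 'RegistryValue'; Location = $key; Name = $valueName; Data = $data
            }
        }
    }

    # Assumption: "COMS" may be either the service name or its display name.
    Get-Service -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -eq 'COMS' -or $_.DisplayName -eq 'COMS' } |
        ForEach-Object {
            [pscustomobject]@{
                Type = 'Service'; Location = 'Service Control Manager'
                Name = $_.Name; Data = [string]$_.Status
            }
        }
}

$hits = @(Test-AgobotMOPersistence)
if ($hits.Count -eq 0) {
    'None of the W32/Agobot-MO autostart artifacts from this advisory were found.'
} else {
    $hits | Format-Table -AutoSize
}
```

An empty result only means these specific autostart entries are absent; it says nothing about the MS03-039 and MS03-001 patch state of the machine.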