W32/Agobot-OC

Category: Viruses and Spyware
Type: Win32 worm
Prevalence: Small Number of Reports

W32/Agobot-OC is an IRC backdoor Trojan and network worm. W32/Agobot-OC is capable of spreading to computers on the local network protected by weak passwords.

W32/Agobot-OC runs continuously in the background providing backdoor access to the computer through IRC channels.

The worm attempts to terminate and disable various anti-virus and security related programs.

When first run, W32/Agobot-OC copies itself to the Windows system folder as halflife2.exe and creates the following registry entries to run itself on user logon:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Halflife = "halflife2.exe"

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
Halflife = "halflife2.exe"

W32/Agobot-OC attempts to terminate and disable various anti-virus and security-related programs. It also modifies the HOSTS file located at %SYSTEM%\Drivers\etc\HOSTS, mapping selected anti-virus websites to the loopback address 127.0.0.1 in an attempt to prevent access to these sites. Typically the following mappings will be appended to the HOSTS file:

