W32/Agobot-PZ

Category: Viruses and Spyware
Type: Win32 worm
Prevalence: No Reports

Download Download our free Virus Removal Tool - Find and remove threats your antivirus missed

W32/Agobot-PZ is a backdoor Trojan and worm which spreads to computers protected by weak passwords and to computers infected with variants of W32/MyDoom.

When first run, W32/Agobot-PZ moves itself to the Windows system folder as PNKSVC32.EXE and creates the following registry entries to run itself on system logon or startup:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Vekio Startups
Pnksvc32.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
Vekio Startups
Pnksvc32.exe

Each time the Trojan is run it attempts to connect to a remote IRC server and join a specific channel.

The Trojan then runs continuously in the background, allowing a remote intruder to access and control the computer via IRC channels.

The Trojan attempts to terminate and disable various anti-virus and security-related programs and modifies the HOSTS file located at %WINDOWS%\System32\Drivers\etc\HOSTS, mapping selected anti-virus websites to the loopback address 127.0.0.1 in an attempt to prevent access to these sites. For example:

127.0.0.1 www.sophos.com
127.0.0.1 sophos.com
127.0.0.1 www.symantec.com
127.0.0.1 securityresponse.symantec.com
127.0.0.1 symantec.com
127.0.0.1 www.mcafee.com
127.0.0.1 mcafee.com
127.0.0.1 liveupdate.symantecliveupdate.com
127.0.0.1 www.viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 f-secure.com
127.0.0.1 www.f-secure.com
127.0.0.1 kaspersky.com
127.0.0.1 www.avp.com
127.0.0.1 www.kaspersky.com
127.0.0.1 avp.com
127.0.0.1 www.networkassociates.com
127.0.0.1 networkassociates.com
127.0.0.1 www.ca.com
127.0.0.1 ca.com
127.0.0.1 mast.mcafee.com
127.0.0.1 my-etrust.com
127.0.0.1 www.my-etrust.com
127.0.0.1 download.mcafee.com
127.0.0.1 dispatch.mcafee.com
127.0.0.1 secure.nai.com
127.0.0.1 nai.com
127.0.0.1 www.nai.com
127.0.0.1 update.symantec.com
127.0.0.1 updates.symantec.com
127.0.0.1 us.mcafee.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 customer.symantec.com
127.0.0.1 rads.mcafee.com
127.0.0.1 trendmicro.com
127.0.0.1 www.trendmicro.com

Sophos's anti-virus products include proactive protection technology which can defend against new threats without requiring an update. Sophos customers have been protected against W32/Agobot-PZ (detected as W32/Agobot-Fam) since version 3.88.

download Try Sophos products for free
Download now

© 1997 - 2013 Sophos Ltd. All rights reserved. Legal Privacy Cookie Information