W32/Agobot-PZ is a backdoor Trojan and worm which spreads to computers protected by weak passwords and to computers infected with variants of W32/MyDoom.
When first run, W32/Agobot-PZ moves itself to the Windows system folder as PNKSVC32.EXE and creates the following registry entries to run itself on system logon or startup:
Each time the Trojan is run, it attempts to connect to a remote IRC server and join a specific channel.
The Trojan then runs continuously in the background, allowing a remote intruder to access and control the computer via IRC channels.
The Trojan attempts to terminate and disable various anti-virus and security-related programs. It also modifies the HOSTS file located at %WINDOWS%\System32\Drivers\etc\HOSTS, mapping selected anti-virus websites to the loopback address 127.0.0.1 to prevent access to these sites. For example:
Sophos's anti-virus products include proactive protection technology which can defend against new threats without requiring an update. Sophos customers have been protected against W32/Agobot-PZ (detected as W32/Agobot-Fam) since version 3.88.