W32/Agobot-QT is a worm with backdoor Trojan functionality.
W32/Agobot-QT connects to an IRC channel and listens for backdoor commands from a remote attacker. The worm may also spread to network shares with weak passwords or by DCC.
W32/Agobot-QT contains backdoor functionality including the ability to do any of the following:
- participate in denial of service attacks
- download updates and other files
- list, create and terminate processes and services
- provide a remote command shell
- log keypresses
- delete files
- delete network shares
- make registry changes
- steal system information
- send files by DCC
- exploit vulnerabilities
- monitor network traffic
W32/Agobot-QT also modifies the system HOSTS file in order to prevent access to certain anti-virus and other websites.
When first run, W32/Agobot-QT copies itself to the Windows system folder as SUPER.EXE and creates the following registry entries in order to run itself on system startup:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
super = super.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
super = super.exe
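A defensive check for the HOSTS file modification described above, as an added example that is not part of the original description: it parses HOSTS-file text and reports every entry that overrides name resolution for a watched domain. The watch list, the `.example` hostnames and the sample file are constructed assumptions; substitute the security-vendor and update domains your own hosts rely on.

```python
import ipaddress

# Constructed sample HOSTS content; the .example names are placeholders.
SAMPLE_HOSTS = """\
# sample hosts file
127.0.0.1       localhost
127.0.0.1       updates.av-vendor.example
0.0.0.0         www.av-vendor.example download.av-vendor.example  # two names
10.1.2.3        intranet.corp.example
192.0.2.10      portal.av-vendor.example
::1             localhost
"""

# Hypothetical watch list: domains that should always resolve through DNS.
WATCHED = {"av-vendor.example"}


def parse_hosts(text):
    """Yield (line number, ip address, lower-cased hostname) per mapping."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:
            continue  # blank line, comment, or address without a name
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # not a valid mapping line
        for name in fields[1:]:
            yield lineno, addr, name.lower().rstrip(".")


def is_watched(host, watched):
    """True for a watched domain or any subdomain of it (label-aligned)."""
    return any(host == d or host.endswith("." + d) for d in watched)


def find_overrides(text, watched=WATCHED):
    """Return (lineno, host, address, kind) for each watched name in HOSTS."""
    hits = []
    for lineno, addr, host in parse_hosts(text):
        if is_watched(host, watched):
            # Loopback/unspecified targets make the site unreachable.
            kind = "sinkhole" if addr.is_loopback or addr.is_unspecified else "override"
            hits.append((lineno, host, str(addr), kind))
    return hits


if __name__ == "__main__":
    for hit in find_overrides(SAMPLE_HOSTS):
        print("line %d: %s -> %s (%s)" % hit)
```

On Windows, pass the contents of %SystemRoot%\System32\drivers\etc\hosts to find_overrides; any hit for a domain that should resolve through DNS warrants investigation.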