W32/Agobot-R

Category: Viruses and Spyware
Type: Win32 worm
Protection available since: 29 Aug 2003 00:00:00 (GMT)
Last Updated: 29 Aug 2003 00:00:00 (GMT)
Prevalence: Small Number of Reports

W32/Agobot-R is a backdoor Trojan and network-aware worm that allows unauthorised remote access to a computer.

When an attacker connects to the backdoor via a specific IRC channel, they can issue commands that cause the worm to scan the internet for computers to copy itself to. The scan targets network shares with weak passwords and computers vulnerable to either the DCOM RPC vulnerability or the RPC locator vulnerability.

W32/Agobot-R is copied to the Windows system folder with the filenames svchos1.exe and rpcfix.exe and adds any of the following entries to the registry so that the Trojan is run when Windows starts up:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Config Loader

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\Config Loader

Both of these keys execute svchos1.exe.
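
A host check for the artifacts listed above, as an added example that is not part of the original description. It assumes "Config Loader" is the value name under each key; the Wow6432Node and SysWOW64 locations are not on this page and are included on the assumption that a 32-bit sample on 64-bit Windows would be redirected there.

```powershell
# Added example: look for the W32/Agobot-R persistence artifacts named in this description.
# Assumption: "Config Loader" is the registry value name under each Run/RunServices key.
$valueName = 'Config Loader'
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunServices',
    # Assumption (not on the page): 32-bit registry view on 64-bit Windows
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices'
)
$fileNames = @('svchos1.exe', 'rpcfix.exe')
# System folder, plus the 32-bit system folder (assumption, see above)
$systemDirs = @(
    [Environment]::SystemDirectory,
    [Environment]::GetFolderPath('SystemX86')
) | Where-Object { $_ } | Select-Object -Unique

$findings = @()

foreach ($key in $runKeys) {
    # RunServices and Wow6432Node are absent on many systems; skip quietly
    if (-not (Test-Path -LiteralPath $key)) { continue }
    $props = Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue
    if ($null -eq $props) { continue }
    $prop = $props.PSObject.Properties[$valueName]
    if ($null -ne $prop) {
        $findings += [pscustomobject]@{
            Type = 'RegistryValue'; Location = "$key\$valueName"; Detail = [string]$prop.Value
        }
    }
}

foreach ($dir in $systemDirs) {
    foreach ($name in $fileNames) {
        $path = Join-Path $dir $name
        if (Test-Path -LiteralPath $path -PathType Leaf) {
            $item = Get-Item -LiteralPath $path -Force   # -Force also returns hidden files
            $detail = '{0} bytes, modified {1:u}' -f $item.Length, $item.LastWriteTimeUtc
            $findings += [pscustomobject]@{ Type = 'File'; Location = $path; Detail = $detail }
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No W32/Agobot-R artifacts from this description were found.'
} else {
    $findings | Format-Table -AutoSize -Wrap
}
```

A clean result only means these specific names are absent; it does not replace a scan with current antivirus signatures.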