W32/Agobot-S

Category: Viruses and Spyware Protection available since:09 Sep 2003 00:00:00 (GMT)
Type: Win32 worm Last Updated:09 Sep 2003 00:00:00 (GMT)
Prevalence: Small Number of Reports

Download Download our free Virus Removal Tool - Find and remove threats your antivirus missed

W32/Agobot-S is an IRC backdoor Trojan and network worm.

W32/Agobot-S copies itself to network shares with weak passwords and attempts to spread to computers using the DCOM RPC and the RPC locator vulnerabilities.

Microsoft has issued patches for the vulnerabilities exploited by this worm. These patches are available from

http://www.microsoft.com/technet/security/bulletin/MS03-026.asp

and

http://www.microsoft.com/technet/security/bulletin/MS03-001.asp

When first run, W32/Agobot-S copies itself to the Windows System folder as scvhost.exe and creates the following registry entries so that scvhost.exe is run automatically each time Windows is started:

HKLM\Software\Microsoft\Windows\CurrentVersion\
Run\Config Loader = scvhost.exe

and

HKLM\Software\Microsoft\Windows\CurrentVersion\
RunServices\Config Loader = scvhost.exe

On Windows NT, 2000 and XP W32/Agobot-S may run itself as a new service called Cfgldr.

Each time W32/Agobot-S is run it attempts to connect to a remote IRC server
and join a specific channel. W32/Agobot-S then runs continuously in the background, allowing a remote intruder to access and control the computer via IRC.

download Try Sophos products for free
Download now

© 1997 - 2012 Sophos Ltd. All rights reserved. Legal Privacy