W32/Spybot-AGT

Category: Viruses and Spyware
Type: Win32 worm
Prevalence: Small Number of Reports


W32/Spybot-AGT is a network worm with backdoor Trojan functionality.

W32/Spybot-AGT attempts to copy itself to WINFAT32B.EXE in the Windows system folder and creates entries in the registry at the following locations to run itself on system restart:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Windows FAT 32
"WINFAT32B.exe"

HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
Windows FAT 32
"WINFAT32B.exe"

W32/Spybot-AGT also attempts to add an entry in SYSTEM.INI in the Windows folder so as to run itself on system restart.

W32/Spybot-AGT sets the following registry entry in an attempt to prevent the use of registry tools:

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableRegistryTools
"1"
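
The registry entries listed above can be checked for offline in the text of a registry export. The following is an added example, not part of the original description: the function names and the sample export are constructed for illustration, and matching keys by suffix (so that exports rooted at HKEY_USERS\<SID> are also covered) is an assumption that goes beyond the HKCU paths given above.

```python
import re

# Indicators from the description above; keys are matched by suffix so an
# export rooted at HKEY_USERS\<SID> is covered as well as HKEY_CURRENT_USER.
CV = r"\software\microsoft\windows\currentversion"
RUN_SUFFIXES = (CV + r"\run", CV + r"\runonce")
POLICY_SUFFIX = CV + r"\policies\system"
VALUE_NAME = "windows fat 32"
FILE_NAME = "winfat32b.exe"
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')

def parse_reg(text):
    """Yield (key, value_name, raw_data) from the text of a .reg export."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and (m := VALUE_RE.match(line)):
            yield key, m.group(1), m.group(2)

def normalise(data):
    """Turn a .reg data field (string or dword) into a lowercase string."""
    if data.lower().startswith("dword:"):
        return str(int(data[6:], 16))
    return data.strip('"').replace("\\\\", "\\").lower()

def find_indicators(text):
    """Return (kind, key, value_name) for each entry matching the write-up."""
    hits = []
    for key, name, data in parse_reg(text):
        k, n, d = key.lower(), name.lower(), normalise(data)
        if k.endswith(RUN_SUFFIXES) and (n == VALUE_NAME or d.endswith(FILE_NAME)):
            hits.append(("autorun", key, name))
        elif k.endswith(POLICY_SUFFIX) and n == "disableregistrytools" and d == "1":
            hits.append(("registry-tools-disabled", key, name))
    return hits

# Constructed sample export (regedit writes UTF-16 on disk; decode it first).
SAMPLE = r"""Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon"="C:\\Windows\\system32\\ctfmon.exe"
"Windows FAT 32"="WINFAT32B.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"Windows FAT 32"="WINFAT32B.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000001
"""
```

Calling `find_indicators(SAMPLE)` returns two autorun hits and one registry-tools-disabled hit; the benign `ctfmon` entry is not reported.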

W32/Spybot-AGT attempts to copy itself to the startup folder of attached network drives. W32/Spybot-AGT may also try to exploit network weaknesses set up by other worms, for example by W32/MyDoom and Troj/Kuang.

W32/Spybot-AGT remains resident, running in the background as a service process and listening for commands from remote users via IRC channels.

W32/Spybot-AGT attempts to terminate various monitoring programs including the following:

DUMP3-2INI.EXE
MMC.EXE
MSANTIV32.EXE
MSCONFIG.EXE
MSTASK.EXE
NAVAPW.EXE
NAVAPW32.EXE
NETSTAT.EXE
REGEDIT.EXE
TASKMAN.EXE
TASKMGR.EXE
TASKMON.EXE
