W32/Agobot-BJ is an IRC backdoor Trojan and network worm.
The worm copies itself to network shares with weak passwords and attempts to spread to computers using the DCOM RPC and the RPC locator vulnerabilities.
These vulnerabilities allow the worm to execute its code on target computers with System level privileges. For further information on these vulnerabilities and for
details on how to protect/patch the computer against such attacks please see Microsoft security bulletins MS03-026 and MS03-001.
W32/Agobot-BJ copies itself to the Windows system folder as svchos1.exe and adds the following registry entries to run itself at system logon:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Configuration Loading
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
Configuration Loading
The worm also registers itself as the service process "Configuration Loading".
W32/Agobot-BJ also collects system information and registry keys of popular games that are installed on the computer.