W32/Agobot-KC is a backdoor worm which spreads to computers protected
by weak passwords.
When first run, W32/Agobot-KC moves itself to the Windows system folder
as wmmon32.exe and creates the following registry entries to run itself on
startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
WSSAConfiguration = "wmmon32.exe"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\
WSSAConfiguration = "wmmon32.exe"
Each time the worm is run, it attempts to connect to a remote IRC server
and join a specific channel. The worm then runs continuously in the
background, allowing a remote intruder to access and control the computer
via IRC channels.
W32/Agobot-KC attempts to terminate and disable various anti-virus and
security-related programs. The worm also modifies the HOSTS file in the
Drivers\etc subfolder of the Windows system folder, preventing access to
many anti-virus web sites.
Additionally, the worm may attempt to delete local network shares, and to
steal registration keys for software products installed on the user's
computer.
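
The startup entries and the HOSTS file change described above can be checked offline on artefacts collected from a suspect machine. The Python below is an added example, not part of the original description: it assumes the registry was exported as `reg query` text and that blocked sites are redirected to a loopback or null address; the function names and the vendor host names in the sample data are hypothetical.

```python
import re

# Indicators from the description above; the redirect addresses are an assumption.
RUN_KEYS = (r"\currentversion\run", r"\currentversion\runservices")
VALUE_NAME, FILE_NAME = "wssaconfiguration", "wmmon32.exe"
REDIRECTS = {"127.0.0.1", "0.0.0.0", "::1"}
LOCAL_NAMES = {"localhost", "localhost.localdomain"}

def find_autorun_entries(reg_export: str) -> list[str]:
    """Return Run/RunServices keys in `reg query` output that launch wmmon32.exe."""
    hits, key = [], None
    for line in reg_export.splitlines():
        if line.upper().startswith("HKEY_"):
            key = line.strip().rstrip("\\")
            continue
        m = re.match(r"\s+(.+?)\s+REG_\w+\s+(.*)$", line)
        if not (m and key and key.lower().endswith(RUN_KEYS)):
            continue
        if m.group(1).lower() == VALUE_NAME or FILE_NAME in m.group(2).lower():
            hits.append(key)
    return hits

def find_blocked_hosts(hosts_text: str) -> list[str]:
    """Return non-local names that a HOSTS file maps to a loopback or null address."""
    blocked = []
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()  # drop comments, split on whitespace
        if len(fields) >= 2 and fields[0] in REDIRECTS:
            blocked += [h.lower() for h in fields[1:] if h.lower() not in LOCAL_NAMES]
    return blocked

# Constructed sample input, not captured from an infected machine.
SAMPLE_REG = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    WSSAConfiguration    REG_SZ    wmmon32.exe
    SoundMan    REG_SZ    SOUNDMAN.EXE

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
    Cleanup    REG_SZ    cleanup.exe
"""
SAMPLE_HOSTS = """
127.0.0.1   localhost
127.0.0.1   www.av-vendor.example
127.0.0.1   update.av-vendor.example   # placeholder vendor names
192.0.2.10  intranet.example
"""

if __name__ == "__main__":
    print("autorun keys:", find_autorun_entries(SAMPLE_REG))
    print("blocked names:", find_blocked_hosts(SAMPLE_HOSTS))
```

Any name returned by find_blocked_hosts still needs review against the sites the machine is expected to reach, since legitimate ad-blocking HOSTS files use the same redirect addresses.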