W32/Agobot-BM

Please follow the instructions for removing worms.

Check your administrator passwords and review network security.

You will also need to edit the following registry entries, if they are present. Please read the warning about editing the registry.

At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.

Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup.

Locate the HKEY_LOCAL_MACHINE entries:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
Windows Media Player = wmplayer.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\
Windows Media Player = wmplayer.exe

and delete them if they exist.

Close the registry editor.

W32/Agobot-BM is an IRC backdoor Trojan and network worm.

W32/Agobot-BM is capable of spreading to computers on the local network protected by weak passwords. The worm can also spread to other machines using certain vulnerabilities.

When first run, W32/Agobot-BM copies itself to the Windows system folder as wmplayer.exe and creates the following registry entries so that wmplayer.exe is run automatically on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
Windows Media Player = wmplayer.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\
Windows Media Player = wmplayer.exe

The worm runs in the background as a service process named "Windows Media Player".

Each time W32/Agobot-BM is run it attempts to connect to a remote IRC server, join a specific channel and wait for backdoor commands.

W32/Agobot-BM attempts to terminate and disable various security-related programs and attempts to prevent its own process from being deleted.