W32/Agobot-EC

Please follow the instructions for removing worms.

Check your administrator passwords and review network security.

You will also need to edit the following registry entries, if they are present. Please read the warning about editing the registry.

At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.

Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup.

Locate the HKEY_LOCAL_MACHINE entries:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
Configuration Loading = configldr.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\
Configuration Loading = configldr.exe

and delete them if they exist.

Close the registry editor.

W32/Agobot-EC is an IRC backdoor Trojan and network worm.

W32/Agobot-EC copies itself to network shares with weak passwords.

When first run W32/Agobot-EC copies itself to the Windows system folder with the filename configldr.exe and creates the following registry entries so that the worm is run when Windows starts up:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
Configuration Loading = configldr.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\
Configuration Loading = configldr.exe

W32/Agobot-EC registers itself as a service which will be activated when Windows starts up. The name of the service is Configuration Loading.

W32/Agobot-EC connects to a remote IRC server and joins a specific channel. The backdoor functionality of the worm can then be accessed by an attacker using the IRC network.

The worm also attempts to terminate and disable various security-related programs.