high
Summary
Summary
Action- More Information
| Protection available since | 20 May 2004 13:39:51 (GMT) |
|---|---|
| Detected by | All Sophos products |
Free virus scan
- Free virus, spyware, and adware scan
- Test your existing anti-virus protection
- Find threats your anti-virus missed
Action
- Summary
- Action
- More Information
Please follow the instructions for removing worms.
Replace the Hosts file from a backup or edit it in Notepad to remove the changes that the worm has made.
You will also need to edit the following registry entries, if they are present. Please read the warning about editing the registry.
At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.
Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup.
Locate the HKEY_LOCAL_MACHINE entries:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
WinLogin = winlogin.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
WinLogin = winlogin.exe
and delete them if they exist.
Close the registry editor.
More Information
W32/Agobot-IX is an IRC backdoor Trojan and network worm.
W32/Agobot-IX copies itself to network shares protected by weak passwords.
When first run W32/Agobot-IX copies itself to the Windows system folder as winlogin.exe and sets the following registry entries to ensure it is run at system logon:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
WinLogin = winlogin.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
WinLogin = winlogin.exe
On NT-based version of Windows the worm creates a new service named
"winlogin" with the startup property set to automatic, so that the service starts automatically each time Windows is started.
Each time W32/Agobot-IX is run it attempts to connect to a remote IRC server
and join a specific channel. The worm then runs in the background allowing a remote intruder to issue commands which control the computer.
W32/Agobot-IX can be instructed to download and install other programs on the system as well as to flood other computers with network packets.
W32/Agobot-IX will terminate and disable various anti-virus and security related programs.
W32/Agobot-IX will write to the hosts file so that various security related internet sites can no longer be accessed.
These sites include:
www.sophos.com
sophos.com
www.symantec.com
securityresponse.symantec.com
symantec.com
www.mcafee.com
mcafee.com
liveupdate.symantecliveupdate.com
www.viruslist.com
viruslist.com
f-secure.com
www.f-secure.com
kaspersky.com
www.avp.com
www.kaspersky.com
avp.com
www.networkassociates.com
networkassociates.com
www.ca.com
ca.com
mast.mcafee.com
www.my-etrust.com
download.mcafee.com
dispatch.mcafee.com
secure.nai.com
nai.com
www.nai.com
update.symantec.com
updates.symantec.com
us.mcafee.com
liveupdate.symantec.com
customer.symantec.com
rads.mcafee.com
trendmicro.com
www.trendmicro.com
|
