W32/Agobot-KC

Please follow the instructions for removing worms.

Change any data that may have become compromised.

Replace the Hosts file from a backup or edit it in Notepad to remove the changes that the worm has made.

Check your administrator passwords and review network security.

You will also need to edit the following registry entries, if they are present. Please read the warning about editing the registry.

At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.

Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup.

Locate the HKEY_LOCAL_MACHINE entries:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
WSSAConfiguration= "wmmon32.exe"

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\
WSSAConfiguration= "wmmon32.exe"

and delete them if they exist.

Close the registry editor.

W32/Agobot-KC is a backdoor worm which spreads to computers protected
by weak passwords.

When first run W32/Agobot-KC moves itself to the Windows system folder
as wmmon32.exe and creates the following registry entries to run itself on
startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
WSSAConfiguration= "wmmon32.exe"

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\
WSSAConfiguration= "wmmon32.exe"

Each time the worm is run it attempts to connect to a remote IRC server
and join a specific channel. The worm then runs continuously in the
background, allowing a remote intruder to access and control the computer
via IRC channels.

W32/Agobot-KC attempts to terminate and disable various anti-virus and
security-related programs. The worm also modifies the HOSTS file in the
Drivers\etc subfolder of the Windows system folder, preventing access to
many anti-virus web sites.

Additionally, the worm may attempt to delete local network shares, and to
steal registration keys for software products installed on the user's
computer.