Summary

| Protection available since | 28 September 2003 09:47:11 (GMT) |
|---|---|
| Detected by | All Sophos products |
Action

Please follow the instructions for removing worms.
Windows
The registry changes made by W32/Agobot-Q should be reversed before files containing the worm are deleted.
At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.
Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup.
Locate the HKEY_LOCAL_MACHINE keys:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
and
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
and delete any references to Config Loader = svchosl.exe.
Close the registry editor.
Please read the instructions for removing worms.
You should also install the patches for the two vulnerabilities described under More Information.
Other Platforms
Please read the instructions for removing worms
More Information
W32/Agobot-Q is a network-aware worm and backdoor Trojan that allows unauthorised remote access to a computer.
When an attacker connects to the backdoor via a specific IRC channel, they can issue commands that cause the worm to scan the internet for computers to copy itself to. The scan targets network shares with weak passwords and computers vulnerable to both the DCOM RPC vulnerability and the locator service vulnerability. Patches for these two vulnerabilities are available from Microsoft at www.microsoft.com/technet/security/bulletin/MS03-026.asp and www.microsoft.com/technet/security/bulletin/MS03-001.asp respectively.
W32/Agobot-Q is copied to the Windows system folder with the filenames svchosl.exe and winhl32.exe and adds the following entries to the registry so that the Trojan is run when Windows starts up:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Config Loader = svchosl.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
Config Loader = svchosl.exe
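The following read-only PowerShell check for the registry values and file names listed above is an added example, not part of the original Sophos description. The function name Find-AgobotQArtefact and the output field names are hypothetical; the script changes nothing, so cleanup still follows the order given under Action (registry entries first, then files).

```powershell
# Added example: read-only check for the W32/Agobot-Q artefacts listed on this page.
# Find-AgobotQArtefact is a hypothetical name; nothing is modified or deleted.
function Find-AgobotQArtefact {
    $runKeys = @(
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunServices'
    )
    $valueName = 'Config Loader'                    # value name given on the page
    $fileNames = @('svchosl.exe', 'winhl32.exe')    # file names given on the page
    $findings  = @()

    foreach ($key in $runKeys) {
        # RunServices may be absent on NT-based Windows; that is not a finding.
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $props = Get-ItemProperty -LiteralPath $key -Name $valueName -ErrorAction SilentlyContinue
        if ($null -eq $props) { continue }
        $data = [string]$props.$valueName
        $findings += [pscustomobject]@{
            Type        = 'Registry'
            Location    = $key
            Detail      = "$valueName = $data"
            # True only when the data names the file the page lists.
            MatchesPage = ($data -match 'svchosl\.exe')
        }
    }

    # The page says the copies are placed in the Windows system folder.
    $systemDir = [Environment]::SystemDirectory
    foreach ($name in $fileNames) {
        $path = Join-Path -Path $systemDir -ChildPath $name
        if (Test-Path -LiteralPath $path -PathType Leaf) {
            $file = Get-Item -LiteralPath $path -Force   # -Force also returns hidden files
            $findings += [pscustomobject]@{
                Type        = 'File'
                Location    = $path
                Detail      = "{0} bytes, modified {1:u}" -f $file.Length, $file.LastWriteTimeUtc
                MatchesPage = $true
            }
        }
    }
    return $findings
}

$result = Find-AgobotQArtefact
if ($result) { $result | Format-Table -AutoSize -Wrap }
else { 'No W32/Agobot-Q artefacts from this description were found.' }
```

A registry finding with MatchesPage set to False means a value named Config Loader exists but points elsewhere; review it by hand rather than treating it as this worm.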
