high
Summary
Summary
Action- More Information
| How it spreads |
|
|---|---|
| Affected operating systems | Windows |
| Protection available since | 24 February 2005 12:14:29 (GMT) |
| Detected by | All Sophos products |
Free virus scan
- Free virus, spyware, and adware scan
- Test your existing anti-virus protection
- Find threats your anti-virus missed
Action
- Summary
- Action
- More Information
Please follow the instructions for removing worms.
More Information
W32/Agobot-QE is a backdoor Trojan and worm which spreads to computers protected by weak passwords.
Each time the Trojan is run it attempts to connect to a remote IRC server and join a specific channel.
The Trojan then runs continuously in the background, allowing a remote intruder to access and control the computer via IRC channels. W32/Agobot-QE is a backdoor Trojan and worm which spreads to computers protected by weak passwords.
When first run, W32/Agobot-QE moves itself to the Windows system folder as Hnksvc32.exe and creates the following registry entries to run itself on logon or startup:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Hekio Startups
Hnksvc32.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
Hekio Startups
Hnksvc32.exe
Each time the Trojan is run it attempts to connect to a remote IRC server and join a specific channel.
The Trojan then runs continuously in the background, allowing a remote intruder to access and control the computer via IRC channels.
The Trojan attempts to terminate and disable various anti-virus and security-related programs and modifies the HOSTS file located at <Windows>\System32\Drivers\etc\HOSTS, mapping selected anti-virus websites to the loopback address 127.0.0.1 in an attempt to prevent access to these sites.
127.0.0.1 avp.com
127.0.0.1 ca.com
127.0.0.1 customer.symantec.com
127.0.0.1 securityresponse.symantec.com
127.0.0.1 symantec.com
127.0.0.1 sophos.com
127.0.0.1 mcafee.com
127.0.0.1 liveupdate.symantecliveupdate.com
127.0.0.1 viruslist.com
127.0.0.1 f-secure.com
127.0.0.1 kaspersky.com
127.0.0.1 networkassociates.com
127.0.0.1 mast.mcafee.com
127.0.0.1 my-etrust.com
127.0.0.1 download.mcafee.com
127.0.0.1 dispatch.mcafee.com
127.0.0.1 secure.nai.com
127.0.0.1 nai.com
127.0.0.1 update.symantec.com
127.0.0.1 updates.symantec.com
127.0.0.1 us.mcafee.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 rads.mcafee.com
127.0.0.1 trendmicro.com
127.0.0.1 www.trendmicro.com
127.0.0.1 www.symantec.com
127.0.0.1 www.sophos.com
127.0.0.1 www.mcafee.com
127.0.0.1 www.nai.com
127.0.0.1 www.avp.com
127.0.0.1 www.kaspersky.com
127.0.0.1 www.networkassociates.com
127.0.0.1 www.viruslist.com
127.0.0.1 www.f-secure.com
127.0.0.1 www.ca.com
127.0.0.1 www.my-etrust.com
|
