Sophos

W32/Agobot-QE

Summary

How it spreads:
  • Network shares
Affected operating systems: Windows
Protection available since: 24 February 2005 12:14:29 (GMT)
Detected by: All Sophos products
  • Endpoint Security and Control 9.0
  • Small business solutions 4.0

More Information

W32/Agobot-QE is a backdoor Trojan and worm which spreads to computers protected by weak passwords.

Each time the Trojan is run it attempts to connect to a remote IRC server and join a specific channel.

The Trojan then runs continuously in the background, allowing a remote intruder to access and control the computer via IRC channels.

When first run, W32/Agobot-QE moves itself to the Windows system folder as Hnksvc32.exe and creates the following registry entries to run itself on logon or startup:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Hekio Startups
Hnksvc32.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
Hekio Startups
Hnksvc32.exe

The Trojan attempts to terminate and disable various anti-virus and security-related programs and modifies the HOSTS file located at <Windows>\System32\Drivers\etc\HOSTS, mapping selected anti-virus websites to the loopback address 127.0.0.1 in an attempt to prevent access to these sites.

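The two persistence and tampering traits described above (the "Hekio Startups" Run/RunServices value pointing at Hnksvc32.exe, and vendor domains mapped to 127.0.0.1 in HOSTS) can be checked for with a small triage script. The following is an added example, not Sophos code; it works on a HOSTS file's text and on a dictionary snapshot of Run-key values, so the constructed sample data and the `intranet.example` entry are assumptions for the dry run.

```python
from typing import Dict, List, Tuple

# Indicators taken from the Sophos description of W32/Agobot-QE above.
RUN_KEYS = (
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices",
)
SUSPECT_VALUE_NAME = "Hekio Startups"
SUSPECT_IMAGE = "hnksvc32.exe"
# A subset of the vendor domains the Trojan points at the loopback address.
VENDOR_DOMAINS = {"sophos.com", "symantec.com", "mcafee.com", "kaspersky.com",
                  "f-secure.com", "trendmicro.com", "nai.com", "ca.com"}
LOOPBACK = {"127.0.0.1", "::1"}

def hijacked_hosts_entries(hosts_text: str) -> List[Tuple[str, str]]:
    """Return (ip, host) pairs that map a vendor domain, or a subdomain of one, to loopback."""
    hits = []
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()          # strip comments and whitespace
        if not line:
            continue
        ip, *names = line.split()
        if ip not in LOOPBACK:
            continue
        for name in names:
            host = name.lower()
            if host == "localhost":                  # the one legitimate loopback mapping
                continue
            if any(host == d or host.endswith("." + d) for d in VENDOR_DOMAINS):
                hits.append((ip, host))
    return hits

def agobot_run_entries(run_values: Dict[str, Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """Given {registry_key: {value_name: data}}, return entries matching the Agobot-QE persistence."""
    found = []
    for key in RUN_KEYS:
        for name, data in run_values.get(key, {}).items():
            if name == SUSPECT_VALUE_NAME or data.lower().endswith(SUSPECT_IMAGE):
                found.append((key, name, data))
    return found

# Constructed sample input for a dry run; not data captured from a real infection.
SAMPLE_HOSTS = "# constructed HOSTS file\n127.0.0.1 localhost\n127.0.0.1 sophos.com\n" \
               "127.0.0.1 securityresponse.symantec.com\n10.0.0.5 intranet.example\n"
SAMPLE_RUN = {RUN_KEYS[0]: {"Hekio Startups": "Hnksvc32.exe", "Updater": r"C:\Tools\upd.exe"},
              RUN_KEYS[1]: {}}
```

On a live host the HOSTS text would come from `<Windows>\System32\Drivers\etc\HOSTS` and the Run-key snapshot from an export of the two keys listed above.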
