high
Summary
Summary
Action- More Information
| How it spreads |
|
|---|---|
| Affected operating systems | Windows |
| Characteristics |
|
| Protection available since | 2 March 2005 09:23:39 (GMT) |
| Detected by | All Sophos products |
Free virus scan
- Free virus, spyware, and adware scan
- Test your existing anti-virus protection
- Find threats your anti-virus missed
Action
- Summary
- Action
- More Information
Please follow the instructions for removing worms.
Replace the Hosts file from a backup or edit it in Notepad to remove the changes that the worm has made.
You will also need to edit the following registry entries, if they are present. Please read the warning about editing the registry.
At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.
Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup.
Locate the HKEY_LOCAL_MACHINE entries:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
filename process
explore.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
filename process
explore.exe
and delete them if they exist.
Close the registry editor.
More Information
W32/Agobot-QN is an IRC backdoor Trojan and network worm which establishes an IRC channel to a remote server in order to grant an intruder access to the compromised machine.
This worm will copy itself into the Windows system folder as EXPLORE.EXE and may create the following registry entries so that it can execute automatically on system restart:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
filename process
explore.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
filename process
explore.exe
W32/Agobot-QN may attempt to terminate anti-virus and other security-related processes, in addition to other viruses, worms or Trojans.
W32/Agobot-QN may search for shared folders on the internet with weak passwords and copy itself into them.
A text file named HOSTS in C:\<Windows system>\drivers\etc\ may be created or
overwritten with a list of anti-virus and other security-related websites, each bound to the IP loopback address of 127.0.0.1 which would effectively prevent access to these sites.
For example:
127.0.0.1 www.symantec.com
127.0.0.1 securityresponse.symantec.com
127.0.0.1 symantec.com
127.0.0.1 www.sophos.com
127.0.0.1 sophos.com
127.0.0.1 www.mcafee.com
127.0.0.1 mcafee.com
127.0.0.1 liveupdate.symantecliveupdate.com
127.0.0.1 www.viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 f-secure.com
127.0.0.1 www.f-secure.com
127.0.0.1 kaspersky.com
127.0.0.1 www.avp.com
127.0.0.1 www.kaspersky.com
127.0.0.1 avp.com
127.0.0.1 www.networkassociates.com
127.0.0.1 networkassociates.com
127.0.0.1 www.ca.com
127.0.0.1 ca.com
127.0.0.1 mast.mcafee.com
127.0.0.1 my-etrust.com
127.0.0.1 www.my-etrust.com
127.0.0.1 download.mcafee.com
127.0.0.1 dispatch.mcafee.com
127.0.0.1 secure.nai.com
127.0.0.1 nai.com
127.0.0.1 www.nai.com
127.0.0.1 update.symantec.com
127.0.0.1 updates.symantec.com
127.0.0.1 us.mcafee.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 customer.symantec.com
127.0.0.1 rads.mcafee.com
127.0.0.1 trendmicro.com
127.0.0.1 www.trendmicro.com
W32/Agobot-QN can also be used to initiate denial-of-service (DoS) and distributed denial-of-service (DDoS) synflood/httpflood/fraggle/smurf etc attacks against remote systems.
|
