high
Summary
Summary
Action- More Information
| How it spreads |
|
|---|---|
| Affected operating systems | Windows |
| Characteristics |
|
| Protection available since | 9 March 2005 14:52:28 (GMT) |
| Detected by | All Sophos products |
Free virus scan
- Free virus, spyware, and adware scan
- Test your existing anti-virus protection
- Find threats your anti-virus missed
Action
- Summary
- Action
- More Information
Please follow the instructions for removing worms.
Replace the Hosts file from a backup or edit it in Notepad to remove the changes that the worm has made.
You will also need to edit the following registry entries, if they are present. Please read the warning about editing the registry.
At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.
Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup.
Locate the HKEY_LOCAL_MACHINE entries:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
super
super.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
super
super.exe
and delete them if they exist.
Close the registry editor.
More Information
W32/Agobot-QT is a worm with backdoor Trojan functionality.
W32/Agobot-QT connects to an IRC channel and listens for backdoor commands from a remote attacker. The worm may also spread to network shares with weak passwords or by DCC.
W32/Agobot-QT contains backdoor functionality including the ability to do any of the following:
- participate in denial of service attacks
- download updates and other files
- list, create and terminate processes and services
- provide a remote command shell
- log keypresses
- delete files
- delete network shares
- make registry changes
- steal system information
- send files by DCC
- exploit vulnerabilities
- monitor network traffic
W32/Agobot-QT also modifies the system HOSTS file in order to prevent access to certain anti-virus and other websites. W32/Agobot-QT is a worm with backdoor Trojan functionality.
W32/Agobot-QT connects to an IRC channel and listens for backdoor commands from a remote attacker. The worm may also spread to network shares with weak passwords or by DCC.
W32/Agobot-QT contains backdoor functionality including the ability to do any of the following:
- participate in denial of service attacks
- download updates and other files
- list, create and terminate processes and services
- provide a remote command shell
- log keypresses
- delete files
- delete network shares
- make registry changes
- steal system information
- send files by DCC
- exploit vulnerabilities
- monitor network traffic
W32/Agobot-QT also modifies the system HOSTS file in order to prevent access to the following web addresses:
avp.com
ca.com
customer.symantec.com
dispatch.mcafee.com
download.mcafee.com
f-secure.com
kaspersky.com
liveupdate.symantec.com
liveupdate.symantecliveupdate.com
mast.mcafee.com
mcafee.com
my-etrust.com
nai.com
networkassociates.com
rads.mcafee.com
secure.nai.com
securityresponse.symantec.com
sophos.com
symantec.com
trendmicro.com
update.symantec.com
updates.symantec.com
us.mcafee.com
viruslist.com
www.avp.com
www.ca.com
www.f-secure.com
www.kaspersky.com
www.mcafee.com
www.my-etrust.com
www.nai.com
www.networkassociates.com
www.sophos.com
www.symantec.com
www.trendmicro.com
www.viruslist.com
When first run W32/Agobot-QT copies itself to the Windows system folder as SUPER.EXE and creates the following registry entries in order to run itself on system startup:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
super
super.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
super
super.exe
|
