W32/Agobot-S

Please follow the instructions for removing worms.

Check your administrator passwords and review network security.

Download and install the Microsoft patches mentioned above.

You will also need to edit the following registry entries, if they are present. Please read the warning about editing the registry.

At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.

Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup.

Locate the HKEY_LOCAL_MACHINE entries:

HKLM\Software\Microsoft\Windows\CurrentVersion\
Run\Config Loader = scvhost.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\
RunServices\Config Loader = scvhost.exe

and delete them if they exist.

Close the registry editor.

W32/Agobot-S is an IRC backdoor Trojan and network worm.

W32/Agobot-S copies itself to network shares with weak passwords and attempts to spread to computers using the DCOM RPC and the RPC locator vulnerabilities.

Microsoft has issued patches for the vulnerabilities exploited by this worm. These patches are available from

http://www.microsoft.com/technet/security/bulletin/MS03-026.asp

and

http://www.microsoft.com/technet/security/bulletin/MS03-001.asp

When first run, W32/Agobot-S copies itself to the Windows System folder as scvhost.exe and creates the following registry entries so that scvhost.exe is run automatically each time Windows is started:

HKLM\Software\Microsoft\Windows\CurrentVersion\
Run\Config Loader = scvhost.exe

and

HKLM\Software\Microsoft\Windows\CurrentVersion\
RunServices\Config Loader = scvhost.exe

On Windows NT, 2000 and XP W32/Agobot-S may run itself as a new service called Cfgldr.

Each time W32/Agobot-S is run it attempts to connect to a remote IRC server
and join a specific channel. W32/Agobot-S then runs continuously in the background, allowing a remote intruder to access and control the computer via IRC.