W32/Agobot-TF

Please follow the instructions for removing worms.

You will also need to edit the following registry entries, if they are present. Please read the warning about editing the registry.

At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.

Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup.

Locate the HKEY_LOCAL_MACHINE entries:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
taskmanager
"taskmanager.exe"

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
taskmanager
"taskmanager.exe"

and delete them if they exist.

Close the registry editor.

W32/Agobot-TF is a network worm with backdoor Trojan functionality for the Windows platform.

The backdoor component connects to an IRC server and joins a channel where it awaits further commands from attackers.

The worm spreads through network shares protected by weak passwords and through various operating system vulnerabilities. W32/Agobot-TF is a network worm with backdoor Trojan functionality for the Windows platform.

When run, W32/Agobot-TF copies itself to the Windows system folder as taskmanager.exe and creates the following registry entries in order to run each time a user logs on:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
taskmanager
"taskmanager.exe"

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
taskmanager
"taskmanager.exe"

The backdoor component connects to an IRC server and joins a channel where it awaits further commands from attackers.

The worm spreads through network shares protected by weak passwords and through various operating system vulnerabilities.