Sophos

W32/Spybot-AGT

Aliases
  • WORM_SPYBOT.AGT
  • Backdoor.Win32.SpyBoter.eb

Summary

 
How it spreads
  • Network shares
Affected operating systems: Windows
Protection available since: 20 May 2005 08:31:54 (GMT)
Detected by: All Sophos products

More Information

W32/Spybot-AGT is a network worm with backdoor Trojan functionality.

W32/Spybot-AGT attempts to copy itself to WINFAT32B.EXE in the Windows system folder and creates entries in the registry at the following locations to run itself on system restart:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Windows FAT 32
"WINFAT32B.exe"

HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
Windows FAT 32
"WINFAT32B.exe"

W32/Spybot-AGT also attempts to add an entry in SYSTEM.INI in the Windows folder so as to run itself on system restart.

W32/Spybot-AGT sets the following registry entry in an attempt to prevent the use of registry tools:

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableRegistryTools
"1"
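
To check a host for the registry entries listed above, an exported copy of the user hive can be searched offline. The following is an added example, not Sophos code: it parses `reg export` text and reports the Run/RunOnce and DisableRegistryTools entries; the sample export is constructed, the function names are hypothetical, and accepting both string and DWORD forms of "1" is an assumption.

```python
import re

# Indicators from the description above, lower-cased for comparison.
BASE = r"hkey_current_user\software\microsoft\windows\currentversion"
RUN_KEYS = {BASE + r"\run", BASE + r"\runonce"}
POLICY_KEY = BASE + r"\policies\system"
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')

# Constructed sample in `reg export` (.reg) text form, not taken from a real host.
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Windows FAT 32"="WINFAT32B.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"Windows FAT 32"="WINFAT32B.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000001
'''

def parse_reg(text):
    # Build {key_path: {value_name: data}} from .reg export text.
    hive, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = hive.setdefault(line[1:-1], {})
        elif current is not None and (m := VALUE_RE.match(line)):
            name, raw = m.groups()
            if raw.startswith("dword:"):
                current[name] = int(raw[6:], 16)
            else:  # REG_SZ: drop the quotes and undo backslash escaping
                current[name] = raw.strip('"').replace("\\\\", "\\")
    return hive

def find_indicators(hive):
    """Return (key, value_name, data) for entries matching the description."""
    findings = []
    for key, values in hive.items():
        for name, data in values.items():
            target = str(data).split("\\")[-1].lower()  # file name part of the data
            if key.lower() in RUN_KEYS and (
                    name.lower() == "windows fat 32" or target == "winfat32b.exe"):
                findings.append((key, name, data))
            elif (key.lower() == POLICY_KEY
                  and name.lower() == "disableregistrytools" and str(data) == "1"):
                findings.append((key, name, data))
    return findings
```

Because the worm sets DisableRegistryTools, the export may need to be taken from an offline copy of the hive or another account rather than with registry tools in the affected session.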

W32/Spybot-AGT attempts to copy itself to the startup folder of attached network drives. W32/Spybot-AGT may also try to exploit network weaknesses set up by other worms, for example by W32/MyDoom and Troj/Kuang.

W32/Spybot-AGT remains resident, running in the background as a service process and listening for commands from remote users via IRC channels.

W32/Spybot-AGT attempts to terminate various monitoring programs including the following:

DUMP3-2INI.EXE
MMC.EXE
MSANTIV32.EXE
MSCONFIG.EXE
MSTASK.EXE
NAVAPW.EXE
NAVAPW32.EXE
NETSTAT.EXE
REGEDIT.EXE
TASKMAN.EXE
TASKMGR.EXE
TASKMON.EXE
