Sophos

W32/Agobot-IS

Aliases
  • Backdoor.Agobot.hr
  • W32/Gaobot.worm.gen.d
  • virus
  • Win32/Agobot.3.XW
  • trojan
  • W32.HLLW.Gaobot.gen
  • WORM_AGOBOT.KB

Included in our products from July 2004 (3.83)
Protection available since 18 May 2004 09:50:50 (GMT)
Detected by All Sophos products

More Information

W32/Agobot-IS is an IRC backdoor Trojan and network worm.

W32/Agobot-IS can spread to computers on the local network that are
protected by weak passwords.

When first run, W32/Agobot-IS copies itself to the Windows system folder as
winasp.exe and creates the following registry entries to run itself on
startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Video Process

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
Video Process

W32/Agobot-IS also registers itself as a service which will be activated when
Windows starts up. The name of the service is Video Process.

Each time W32/Agobot-IS is run, it attempts to connect to a remote IRC server
and join a specific channel.

W32/Agobot-IS then runs continuously in the background, allowing a remote
intruder to access and control the computer via IRC channels.

W32/Agobot-IS attempts to terminate and disable various anti-virus and
security-related programs.
