Summary

| Included in our products from | June 2004 (3.82) |
|---|---|
| Protection available since | 28 April 2004 19:45:40 (GMT) |
| Detected by | All Sophos products |
Action

Please follow the instructions for removing worms.
Please follow the instructions for removing W32/Agobot-NA.
More Information
W32/Agobot-NA is a backdoor Trojan and worm which spreads to computers protected by weak passwords.
When first run, W32/Agobot-NA copies itself to the Windows system folder as wmiprvsw.exe and creates the following registry entries to run itself on startup:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
System Updater Service = wmiprvsw.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
System Updater Service = wmiprvsw.exe
The worm runs continuously in the background providing backdoor access to the computer.
W32/Agobot-NA attempts to terminate and disable various anti-virus and security-related programs. The worm also modifies the HOSTS file located at
%WINDOWS%\System32\Drivers\etc\HOSTS,
mapping selected anti-virus websites to the loopback address 127.0.0.1 in an attempt to prevent access to these sites. Typically the following mappings will be appended to the HOSTS file:
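A defender-side check for the HOSTS tampering described above, as an added example that is not part of the original description: it parses hosts-file text and reports watched domains (and their subdomains) pinned to a loopback or unspecified address. The function names, the watchlist and the sample domains are constructed placeholders.

```python
import ipaddress

# Names that legitimately resolve to loopback in a default hosts file.
BENIGN_NAMES = {"localhost", "localhost.localdomain"}

def parse_hosts(text):
    """Yield (line_no, address, [names]) for each mapping line in hosts-file text."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        body = raw.split("#", 1)[0].strip()       # drop trailing comments
        if not body:
            continue
        fields = body.split()
        if len(fields) < 2:
            continue                               # address with no name: not a mapping
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                               # malformed address: skip the line
        yield line_no, addr, [n.lower().rstrip(".") for n in fields[1:]]

def blocked_names(text, watchlist):
    """Return sorted (line_no, name) pairs where a watched domain, or any of its
    subdomains, is mapped to a loopback or unspecified address."""
    watch = {d.lower().rstrip(".") for d in watchlist}
    hits = []
    for line_no, addr, names in parse_hosts(text):
        if not (addr.is_loopback or addr.is_unspecified):
            continue
        for name in names:
            watched = any(name == d or name.endswith("." + d) for d in watch)
            if name not in BENIGN_NAMES and watched:
                hits.append((line_no, name))
    return sorted(hits)

# Constructed sample (placeholder domains, not taken from an infected machine).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1 www.av-vendor.example
127.0.0.1\tupdates.av-vendor.example liveupdate.other-vendor.example  # two names
10.0.0.5 intranet.corp.example
0.0.0.0 av-vendor.example.
127.0.0.1 notav-vendor.example
"""
WATCHLIST = ["av-vendor.example", "other-vendor.example"]

if __name__ == "__main__":
    for line_no, name in blocked_names(SAMPLE_HOSTS, WATCHLIST):
        print(f"hosts line {line_no}: {name} redirected to a local address")
```

On a live system, pass the contents of the HOSTS file at the path given above and a watchlist of the security-vendor and update domains the organisation depends on.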
W32/Agobot-NA will also attempt to retrieve data from the following websites:
