Summary

| How it spreads | |
|---|---|
| Affected operating systems | Windows |
| Characteristics | |
| Included in our products from | January 2005 (3.89) |
| Protection available since | 26 November 2004 08:49:46 (GMT) |
| Detected by | All Sophos products |
Action

Please follow the instructions for removing worms.
More Information
W32/Agobot-OE is capable of spreading to computers on the local network protected by weak passwords. The worm opens an IRC backdoor allowing remote access. It may also interfere with anti-virus and security software.
When first run, W32/Agobot-OE copies itself to the Windows system folder as navp.exe and creates the following registry entries to run itself on startup:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
navp.exe navp.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
navp.exe navp.exe
Each time W32/Agobot-OE is run it attempts to connect to a remote IRC server and join a specific channel.
W32/Agobot-OE then runs continuously in the background, allowing a remote intruder to access and control the computer via IRC channels.
W32/Agobot-OE may attempt to terminate and disable various anti-virus and security-related programs, and may attempt to gather information relating to the system and programs on the system.
W32/Agobot-OE may alter the file \windows\system32\drivers\etc\hosts in order to prevent the machine contacting various anti-virus and security websites.
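A triage check for the two persistent artefacts described above (the navp.exe autorun values and the altered hosts file), as an added example that is not part of the Sophos write-up. It assumes the responder has saved `reg query` output and a copy of the hosts file as text, and that blocking is done by pointing names at a loopback or unspecified address, which the advisory does not state; the function names and sample data are constructed for illustration.

```python
import ipaddress
import re

VALUE_NAME = "navp.exe"  # autorun value name and data given in the advisory
RUN_SUFFIXES = (r"\CURRENTVERSION\RUN", r"\CURRENTVERSION\RUNSERVICES")
VALUE_RE = re.compile(r"^\s+(.+?)\s{4}(REG_\w+)\s{4}(.*)$")  # `reg query` value line
LOCAL_NAMES = {"localhost", "localhost.localdomain"}

def find_run_entries(reg_query_output):
    """Return (key, value, data) for Run/RunServices values that mention navp.exe."""
    hits, key = [], None
    for line in reg_query_output.splitlines():
        if line.upper().startswith("HKEY_"):
            key = line.strip().rstrip("\\")  # tolerate a trailing backslash
            continue
        m = VALUE_RE.match(line)
        if m and key and key.upper().endswith(RUN_SUFFIXES):
            name, data = m.group(1), m.group(3).strip()
            if VALUE_NAME in name.lower() or VALUE_NAME in data.lower():
                hits.append((key, name, data))
    return hits

def audit_hosts(hosts_text):
    """Return (line_no, address, name) for non-local names pinned to a dead address."""
    hits = []
    for no, raw in enumerate(hosts_text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()  # drop comments, split on whitespace
        try:
            ip = ipaddress.ip_address(fields[0])
        except (ValueError, IndexError):
            continue  # blank line, comment, or not a hosts entry
        if ip.is_loopback or ip.is_unspecified:  # assumed blocking method
            hits += [(no, fields[0], h) for h in fields[1:] if h.lower() not in LOCAL_NAMES]
    return hits

# Constructed sample artefacts (not taken from a real infection).
SAMPLE_REG = r"""
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    SoundMan    REG_SZ    SOUNDMAN.EXE
    navp.exe    REG_SZ    navp.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
    navp.exe    REG_SZ    navp.exe
"""
SAMPLE_HOSTS = """\
127.0.0.1   localhost
127.0.0.1   update.av-vendor.example
0.0.0.0     www.security-site.example   # constructed entry
10.0.0.5    fileserver
"""
print(find_run_entries(SAMPLE_REG), audit_hosts(SAMPLE_HOSTS))
```

Hosts entries flagged this way can also come from legitimate ad-blocking lists, so treat them as leads to review alongside the autorun hits rather than as proof of infection.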
Sophos' anti-virus products include proactive protection technology, which can defend against new threats without requiring an update. Sophos customers have been protected against W32/Agobot-OE (detected as W32/Agobot-Fam/Gen) since version 3.86.
