W32/Agobot-GU

Category: Viruses and Spyware
Type: Win32 worm
Prevalence: No Reports


W32/Agobot-GU is an IRC backdoor Trojan and network worm that spreads via
the RPC/DCOM vulnerability or by using RPC calls on machines with weak passwords.

To run automatically when Windows starts up, the worm copies itself to the file vmwa32.exe in the Windows system folder, creates its own service named "Vido Pes" and adds the following registry entries:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Vido Pes
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\Vido Pes
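
A host check for the persistence indicators listed above, as an added example that is not part of the original description. It assumes "Vido Pes" is the registry value name and either the service name or display name; the Wow6432Node and SysWOW64 locations and the function name are additions for 64-bit Windows, not taken from the description.

```powershell
# Added example: look for the W32/Agobot-GU persistence artefacts on the local host.
# Indicator values ('Vido Pes', 'vmwa32.exe', Run/RunServices) come from the description.
# Assumption: Wow6432Node and SysWOW64 are also checked because a 32-bit binary
# is redirected there on 64-bit Windows.
function Find-AgobotGUPersistence {
    $name = 'Vido Pes'
    $file = 'vmwa32.exe'
    $findings = @()

    $runKeys = @(
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunServices',
        'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices'
    )
    foreach ($key in $runKeys) {
        # A missing key or value yields $null instead of an error.
        $item = Get-ItemProperty -LiteralPath $key -Name $name -ErrorAction SilentlyContinue
        if ($null -ne $item) {
            $findings += [pscustomobject]@{ Type = 'RegistryValue'; Location = "$key\$name"; Detail = $item.$name }
        }
    }

    # Match on either the service key name or its display name.
    $filter = "Name = '$name' OR DisplayName = '$name'"
    $services = Get-CimInstance -ClassName Win32_Service -Filter $filter -ErrorAction SilentlyContinue
    foreach ($svc in $services) {
        $findings += [pscustomobject]@{ Type = 'Service'; Location = $svc.Name; Detail = $svc.PathName }
    }

    # Windows system folder(s); Sort-Object -Unique drops the duplicate on 32-bit systems.
    $dirs = @([Environment]::SystemDirectory, [Environment]::GetFolderPath('SystemX86')) |
        Where-Object { $_ } | Sort-Object -Unique
    foreach ($dir in $dirs) {
        $path = Join-Path -Path $dir -ChildPath $file
        if (Test-Path -LiteralPath $path -PathType Leaf) {
            $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
            $findings += [pscustomobject]@{ Type = 'File'; Location = $path; Detail = "SHA256 $hash" }
        }
    }
    return $findings
}

$hits = Find-AgobotGUPersistence
if ($hits) { $hits | Format-Table -AutoSize -Wrap } else { 'No W32/Agobot-GU persistence indicators found.' }
```

Run it from an elevated PowerShell 4.0 or later session; a clean result only covers these three artefacts, not the other behaviour described on this page.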

Each time W32/Agobot-GU is run it attempts to connect to a remote IRC server
and join a specific channel.

W32/Agobot-GU then runs continuously in the background, allowing a remote
intruder to access and control the computer via IRC channels.

W32/Agobot-GU collects system information and registration keys of popular
games that are installed on the computer.

The worm also opens backdoor ports and attempts to terminate and disable
various security-related programs.