W32/Agobot-OJ

Category: Viruses and Spyware
Type: Win32 worm
Prevalence: No Reports


W32/Agobot-OJ is a worm that spreads by exploiting the Windows RPC/DCOM vulnerability and by logging in to network services that are protected only by weak passwords.

In order to run automatically when Windows starts up, the worm copies itself to the file qgebv.exe in the Windows system folder, installs itself as a service named "qgqv" and adds the following registry entries:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
qvqe
qgebv.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
qvqe
qgebv.exe

The value data is a bare file name, which Windows resolves from the system folder. Note that the RunServices key is only processed by Windows 9x/Me; on NT-based Windows the Run value and the "qgqv" service provide the persistence.

W32/Agobot-OJ runs continuously in the background as a backdoor: it connects to an IRC server and joins a channel from which a remote intruder can issue commands to, and take control of, the infected computer.

The worm modifies the Windows HOSTS file (%SystemRoot%\System32\drivers\etc\hosts) so that several AV and security-related websites resolve to 127.0.0.1, which blocks the infected computer from reaching those sites for signature updates or removal tools.
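The two host-level indicators above (the Run/RunServices persistence entries and the HOSTS redirections) are what an incident responder would check first on a suspect machine. The script below is an added example, not code from the advisory or from Sophos: it parses a HOSTS file and the text output of `reg query`, and flags the entries the advisory describes. The sample HOSTS text, the sample `reg query` output and the list of vendor hostname fragments are constructed assumptions, since the advisory does not name the redirected sites.

```python
"""Triage helpers for the two host-level indicators this advisory lists.

Added example, not code from the advisory or from Sophos. The sample HOSTS
text, the sample `reg query` output and the vendor hostname hints are
constructed assumptions for the demonstration.
"""
import os
import re
import subprocess
import sys
from typing import Dict, List, Tuple

# Indicators taken from the advisory text.
DROPPED_FILE = "qgebv.exe"
RUN_VALUE_NAME = "qvqe"
RUN_KEYS = (
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices",
)
# Assumption: the advisory does not name the redirected sites, so this
# watch-list of vendor/update hostname fragments is illustrative only.
SECURITY_HOST_HINTS = ("symantec", "mcafee", "sophos", "kaspersky",
                       "trendmicro", "f-secure", "windowsupdate")
LOCAL_NAMES = {"localhost", "localhost.localdomain"}

# Constructed sample input (not captured from a real infection).
SAMPLE_HOSTS = """# sample HOSTS file
127.0.0.1       localhost
127.0.0.1       www.symantec.com
127.0.0.1       liveupdate.symantec.com
127.0.0.1       update.mcafee.com   # pinned by the worm
192.168.1.10    fileserver.corp.example
"""
SAMPLE_REG = r"""
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    ctfmon.exe    REG_SZ    C:\WINDOWS\system32\ctfmon.exe
    qvqe    REG_SZ    qgebv.exe

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
    qvqe    REG_SZ    qgebv.exe
"""

def parse_hosts(text: str) -> List[Tuple[str, str]]:
    """(ip, hostname) pairs from HOSTS text; comments and blank lines ignored."""
    pairs = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) >= 2:
            pairs.extend((fields[0], name.lower()) for name in fields[1:])
    return pairs

def find_hosts_hijacks(text: str) -> List[str]:
    """Security-related hostnames mapped to loopback, in file order."""
    return [name for ip, name in parse_hosts(text)
            if ip in ("127.0.0.1", "::1") and name not in LOCAL_NAMES
            and any(hint in name for hint in SECURITY_HOST_HINTS)]

# reg.exe prints each value as: <indent><name><spaces>REG_<type><spaces><data>
VALUE_RE = re.compile(r"^\s+(.+?)\s+(REG_[A-Z_]+)\s*(.*)$")

def parse_reg_query(output: str) -> Dict[str, Dict[str, str]]:
    """Parse `reg query <key>` text into {key: {value_name: data}}."""
    result: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in output.splitlines():
        if not raw.strip():
            continue
        if not raw[0].isspace():          # unindented line = key path
            current = raw.strip().replace("HKEY_LOCAL_MACHINE", "HKLM", 1)
            result.setdefault(current, {})
            continue
        m = VALUE_RE.match(raw)
        if m and current is not None:     # indented line = value
            result[current][m.group(1)] = m.group(3).strip()
    return result

def image_name(data: str) -> str:
    """Bare executable file name from a Run value's data (quotes and args stripped)."""
    data = data.strip()
    exe = data[1:].split('"', 1)[0] if data.startswith('"') else data.split(" ", 1)[0]
    return exe.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def find_persistence(reg: Dict[str, Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """(key, value name, data) for Run/RunServices values matching the indicators."""
    wanted = {k.lower() for k in RUN_KEYS}
    return [(key, name, data)
            for key, values in reg.items() if key.lower() in wanted
            for name, data in values.items()
            if name.lower() == RUN_VALUE_NAME or image_name(data) == DROPPED_FILE]

if __name__ == "__main__":
    if sys.platform != "win32":            # offline run on the constructed samples
        print("hijacks:", find_hosts_hijacks(SAMPLE_HOSTS))
        print("persistence:", find_persistence(parse_reg_query(SAMPLE_REG)))
    else:                                  # live run on a Windows host
        hosts = os.path.join(os.environ.get("SystemRoot", r"C:\Windows"),
                             "System32", "drivers", "etc", "hosts")
        with open(hosts, encoding="utf-8", errors="replace") as fh:
            print("hijacks:", find_hosts_hijacks(fh.read()))
        for key in RUN_KEYS:
            out = subprocess.run(["reg", "query", key], capture_output=True, text=True).stdout
            print("persistence:", find_persistence(parse_reg_query(out)))
```

The service the advisory mentions is not covered by the script; `sc query qgqv` and `sc qc qgqv` on the suspect host show whether a service of that name exists and which image it points at. A HOSTS hit on its own is not proof of this particular worm (ad-blocking HOSTS files pin many names to loopback), which is why the script only reports names matching the security-vendor hints and why the Run/RunServices check keys on the advisory's file and value names rather than on the loopback entries alone.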

W32/Agobot-OJ provides the intruder with a number of features, including the ability to:

start HTTP, SYN or UDP floods
steal product keys
run an FTP server
run an HTTP proxy
make local drives shareable
sniff passwords
initiate AOL spamming
terminate a number of AV and security applications
create/delete the registry entries that run the worm at startup
execute arbitrary commands