Backdoor.Agobot.gen
Backdoor.Agobot.gen (Kaspersky Lab) is also known as: W32/Gaobot.worm.gen.d (McAfee), W32.HLLW.Gaobot.gen (Symantec), Win32.HLLW.Agobot.3 (Doctor Web), W32/Agobot-BV (Sophos), Win32/Gaobot.gen! (RAV), WORM_AGOBOT.RM (Trend Micro), Worm/Sdbot.39936.B (H+BEDV), Win32:Gaobot-268 (ALWIL), Worm/Agobot (Grisoft), Backdoor.Agobot.3.Gen (SOFTWIN)
Description added: Jan 09 2004
Behavior: Backdoor
This is a classic backdoor: it allows a 'master' to control the victim machine remotely by sending commands via IRC channels.
Installation
Agobot copies itself into the Windows directory under random names and then registers itself in the system registry auto-run keys:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
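A triage check for the persistence described above, added here as an example and not taken from the original description: it parses `reg query` output for the two auto-run keys and lists values that start a program stored directly in the Windows directory. The function names, the `allow` list, the default `windir` and every value name in the sample are assumptions made for the illustration.

```python
import re
from ntpath import basename, dirname, normcase

# The two auto-run keys named in the description above.
WATCHED_KEYS = {
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
    r"hkey_local_machine\software\microsoft\windows\currentversion\runservices",
}
VALUE_LINE = re.compile(r"^\s+(?P<name>.+?)\s{4}(?P<type>REG_\w+)\s{4}(?P<data>.*)$")

def executable_of(command):
    """Return the program path from an auto-run command line (arguments dropped)."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    match = re.match(r"(.+?\.(?:exe|com|scr|bat|pif))(?:\s|$)", command, re.I)
    return match.group(1) if match else command.split(" ", 1)[0]

def suspicious_autoruns(reg_output, windir=r"C:\WINDOWS", allow=()):
    """List (key, value name, program) for watched-key entries run from windir itself."""
    windir = normcase(windir.rstrip("\\"))
    allowed = {name.lower() for name in allow}  # known-good file names (assumption)
    findings, key = [], None
    for line in reg_output.splitlines():
        if line.upper().startswith("HKEY_"):
            key = line.strip()
            continue
        match = VALUE_LINE.match(line)
        if not match or key is None or key.lower() not in WATCHED_KEYS:
            continue
        exe = executable_of(match["data"])
        exe = re.sub(r"%(windir|systemroot)%", lambda m: windir, exe, flags=re.I)
        if normcase(dirname(exe)) == windir and basename(exe).lower() not in allowed:
            findings.append((key, match["name"], exe))
    return findings

# Constructed sample in `reg query` output format; all value names are invented.
SAMPLE = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    SecurityHealth    REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe
    Updater    REG_SZ    "C:\Program Files\Vendor\updater.exe" /background
    xkqzrw    REG_SZ    C:\WINDOWS\xkqzrw.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
    hostsvc    REG_SZ    %SystemRoot%\pmtvbq.exe -s
"""
if __name__ == "__main__":
    for key, name, exe in suspicious_autoruns(SAMPLE):
        print(f"{key}\\{name} -> {exe}")
```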
Manifestations
Agobot connects to various IRC servers and opens the channels identified in the body of the worm. It is then ready to receive commands from the 'master', who can download and launch files on the victim machine, scan other computers for vulnerabilities and install the worm on those vulnerable machines.