This worm will move itself into the Windows System32 folder under the filename CTFMOND. Keep firewall software up to date and properly configured. W32/Agobot-FO is an IRC backdoor Trojan and peer-to-peer (P2P) worm which opens TCP ports to listen for and process commands received from a remote intruder.
Constantly update and run virus protection software. Turn off access to addresses of those sources.
How to Stop It: Identify sources of the attack.
Attackers can remotely control any applications they install using Agobot, including applications designed to produce thousands of bogus page requests to a targeted server.

Cooperation: Using commands transmitted via IRC, the attacker can control a virtually unlimited number of corrupted machines. Using Agobot, the attacker can load new files or programs on the corrupted computer, delete files, perform DNS lookups to note its location in the network, and other functions.

Payload: Once established, some versions try to terminate antivirus software processes and keep them from running in the future. Some variants try to guess user names and passwords on remote systems to let them spread to secured machines on the network. Once it's established, it tries to copy itself to any machine connected to the original victim. There are zeroes instead of 'o' letters in the file name: do not. Manual disinfection of this Agobot variant requires killing the backdoor's process in memory and deleting the infected file from the Windows System folder. When it's launched, it copies itself into the system directory and writes into the Registry keys that allow it to function unmolested. Caution: Manual disinfection is a risky process; it is recommended only for advanced users.

Method of promulgation: Agobot can arrive as an attachment in e-mail, through a file transfer in instant messaging, or directly across the network using remote procedure calls, Universal Plug and Play directives, buffer overflows and other security vulnerabilities in Windows systems. The source code is widely available on illegal software servers known as Warez sites; new variants are popping up all the time. scvhost.exe Part of W32/Agobot-S virus The scvhost.exe file is a component of the W32/Agobot-S virus.

Variants: Win32/Agobot, Backdoor.Agobot.3.gen,, !poly, and dozens of others. nvcpl.exe Part of Worm Nvcpl.exe is a process which is registered as the.
Kaspersky labs calls the virus ., but their website says currently there is no description available for this program and it did not say for certain that it.
The Agobot code includes functions that let it check for instructions in specific chat areas. Sophos was the only company I found with the W32/Agobot-Ku virus in its encyclopedia, and their website says all of their anti-virus software checks for it.
But the attackers did follow a pattern consistent with the Agobot/Phatbot family, which consists of dozens of variants on a worm called Agobot that was created in northern Europe in the late 1990s.

Description: When launched on a victim's computer, Agobot becomes a back door that allows the attacker to control the computer by issuing commands through Internet Relay Chat (IRC). It's not entirely clear which virus or worm corrupted the machines used in a large-scale distributed denial-of-service attack against Akamai last June.