Description: 

This backdoor operates as an IRC bot. It comes with a built-in Internet Relay Chat (IRC) client engine, which enables it to connect to an IRC channel and wait for commands from a malicious user. It processes the commands on the local machine giving remote users virtual control over the infected system.

It also automatically notifies the bot of systems vulnerable to the following known security holes:

• IIS5/WEBDAV buffer overrun
• Remote Procedure Call (RPC) Distributed Component Object Model (DCOM) vulnerability
• RPC Locator vulnerability

For detailed information about these vulnerabilities, refer to the following Microsoft pages:

• Microsoft Security Bulletin MS03-007
• Microsoft Security Bulletin MS03-026

This backdoor also steals the Windows Product ID, as well as the CD keys of certain game applications. It terminates a list of processes associated with antivirus and firewall applications.

Details:

Installation and Autostart Technique

Upon execution, this backdoor drops a copy of itself as NT32.EXE in the Windows system folder.

(Note: The Windows system folder, which is usually C:\Windows\System on Windows 95, 98 and ME, C:\WINNT\System32 on Windows NT and 2000, and C:\Windows\System32 on Windows XP.)

It then creates the following registry entries so that it executes every time Windows starts:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows
CurrentVersion\Run
Reg Service = NT32.exe

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows
CurrentVersion\RunServices
Reg Service = NT32.exe

Backdoor Capabilities

This backdoor also has backdoor capabilities and operates as an IRC bot. It connects to a remote IRC server and joins a specific IRC channel, where it receives commands from a remote malicious user.

Some of these commands are as follows:

• Connect to a specified IRC server
• Join or leave an IRC channel
• Generate random nick
• Disconnect from IRC server
• Send message to private user
• Open a file
• Execute an .EXE file
• Download, update, and execute file from a Web site
• Get list of CD keys
• List running processes
• Terminate a process
• Uninstall itself
• Check malware status
• Enable or disable shares
• Run command shell

Malware Exploits

This backdoor is also able to automatically notify the bot of systems vulnerable to the following Windows vulnerabilities:

• The Remote Procedure Call (RPC) Distributed Component Object Model (DCOM) vulnerability allows an attacker to gain full access and execute any code on a target machine by sending a malformed packet to the DCOM service. It uses the RPC TCP port 135. Read more on this vulnerability from Microsoft Security Bulletin MS03-026.

• The IIS5/WEBDAV buffer overrun enables arbitrary codes to execute on the WebDAV server by also sending a malformed request packet. This exploit is a service related to HTTP port 80. Read more on this vulnerability from Microsoft Security Bulletin MS03-007.

Information Theft

This backdoor also steals the Windows Product ID as well as the CD keys of the following game applications:

• Battlefield 1942
• Battlefield 1942: Secret Weapons Of WWII
• Battlefield 1942: The Road To Rome
• Black and White
• Call of Duty
• Command and Conquer: Generals
• Command and Conquer: Generals: Zero Hour
• Command and Conquer: Red Alert2
• Command and Conquer: Tiberian Sun
• Counter-Strike
• FIFA 2002
• FIFA 2003
• Freedom Force
• Global Operations
• Gunman Chronicles
• Half-Life
• Hidden and Dangerous 2
• IGI2: Covert Strike
• Industry Giant 2
• James Bond 007: Nightfire
• Medal of Honor: Allied Assault
• Medal of Honor: Allied Assault: Breakthrough
• Medal of Honor: Allied Assault: Spearhead
• Nascar Racing 2002
• Nascar Racing 2003
• Need For Speed: Hot Pursuit 2
• Need For Speed: Underground
• NHL 2002
• NHL 2003
• Shogun: Total War: Warlord Edition
• Soldier of Fortune II - Double Helix
• Soldiers Of Anarchy
• The Gladiators
• Unreal Tournament 2003

Denial of Service

This backdoor is able to perform the following types of distributed denial of service (DoS) attacks:

• HTTP flood
• ICMP flood
• UDP flood
• SYN flood

It also performs a distributed DoS attack against the following Web sites:

• de.yahoo.com
• nitro.ucsc.edu
• verio.fr
• www.above.net
• www.bitnet.net
• www.burst.net
• www.cogentco.com
• www.d1asia.com
• www.level3.com
• www.lib.nthu.edu.tw
• www.msn.co.jp
• www.msn.de
• www.nifty.com
• www.nocster.com
• www.rit.edu
• www.schlund.net
• www.st.lib.keio.ac.jp
• www.stanford.edu
• www.switch.ch
• www.utwente.nl
• www.verio.com
• www.xo.net
• yahoo.co.jp

Process Termination

This backdoor terminates the following processes:

• AVP32.EXE
• AVPCC.EXE
• AVPM.EXE
• CKWIN32.EXE
• DAWARE.EXE
• DVXDWIN.EXE
• GENTSVR.EXE
• GENTW.EXE
• LERTSVC.EXE
• LEVIR.EXE
• LOGSERV.EXE
• MON9X.EXE
• NTI-TROJAN.EXE
• NTIVIRUS.EXE
• NTS.EXE
• PIMONITOR.EXE
• PLICA32.EXE
• PVXDWIN.EXE
• RR.EXE
• TCON.EXE
• TGUARD.EXE
• TRO55EN.EXE
• TUPDATER.EXE
• TWATCH.EXE
• U.EXE
• UPDATE.EXE
• UTODOWN.EXE
• UTO-PROTECT.NAV80TRY.EXE
• UTOTRACE.EXE
• UTOUPDATE.EXE
• VCONSOL.EXE
• VE32.EXE
• VGCC32.EXE
• VGCTRL.EXE
• VGNT.EXE
• VGSERV.EXE
• VGSERV9.EXE
• VGUARD.EXE
• VGW.EXE
• VKPOP.EXE
• VKSERV.EXE
• VKSERVICE.EXE
• VKWCTl9.EXE
• VLTMAIN.EXE
• VNT.EXE
• VP.EXE
• VP32.EXE
• VPCC.EXE
• VPDOS32.EXE
• VPM.EXE
• VPTC32.EXE
• VPUPD.EXE
• VSCHED32.EXE
• VSYNMGR.EXE
• VWIN95.EXE
• VWINNT.EXE
• VWUPD.EXE
• VWUPD32.EXE
• VWUPSRV.EXE
• VXMONITOR9X.EXE
• VXMONITORNT.EXE
• VXQUAR.EXE
• ACKWEB.EXE
• ARGAINS.EXE
• D_PROFESSIONAL.EXE
• EAGLE.EXE
• ELT.EXE
• IDEF.EXE
• IDSERVER.EXE
• IPCP.EXE
• IPCPEVALSETUP.EXE
• ISP.EXE
• LACKD.EXE
• LACKICE.EXE
• LSS.EXE
• OOTCONF.EXE
• OOTWARN.EXE
• ORG2.EXE
• PC.EXE
• RASIL.EXE
• S120.EXE
• UNDLE.EXE
• VT.EXE
• CAPP.EXE
• CEVTMGR.EXE
• CPXYSVC.EXE
• DP.EXE
• FD.EXE
• FGWIZ.EXE
• FIADMIN.EXE
• FIAUDIT.EXE
• FINET.EXE
• FINET32.EXE
• law95.EXE
• LAW95CF.EXE
• LEAN.EXE
• LEANER.EXE
• LEANER3.EXE
• LEANPC.EXE
• LICK.EXE
• MD32.EXE
• MESYS.EXE
• MGRDIAN.EXE
• MON016.EXE
• ONNECTIONMONITOR.EXE
• PD.EXE
• PF9X206.EXE
• PFNT206.EXE
• TRL.EXE
• V.EXE
• WNB181.EXE
• WNTDWMO.EXE
• ATEMANAGER.EXE
• COMX.EXE
• EFALERT.EXE
• EFSCANGUI.EXE
• EFWATCH.EXE
• EPUTY.EXE
• IVX.EXE
• LLCACHE.EXE
• LLREG.EXE
• OORS.EXE
• PF.EXE
• PFSETUP.EXE
• PPS2.EXE
• RWATSON.EXE
• RWEB32.EXE
• RWEBUPW.EXE
• SSAGENT.EXE
• VP95.EXE
• VP95_0.EXE
• CENGINE.EXE
• FPEADM.EXE
• MSW.EXE
• NT.EXE
• SAFE.EXE
• SCANH95.EXE
• SCANHNT.EXE
• SCANV95.EXE
• SPWATCH.EXE
• THEREAL.EXE
• TRUSTCIPE.EXE
• VPN.EXE
• XANTIVIRUS-CNET.EXE
• XE.AVXW.EXE
• XPERT.EXE
• XPLORE.EXE
• -AGNT95.EXE
• AMEH32.EXE
• AST.EXE
• CH32.EXE
• IH32.EXE
• INDVIRU.EXE
• IREWALL.EXE
• LOWPROTECTOR.EXE
• NRB32.EXE
• PROT.EXE
• -PROT.EXE
• -PROT95.EXE
• P-WIN.EXE
• P-WIN_TRIAL.EXE
• RW.EXE
• SAA.EXE
• SAV.EXE
• SAV32.EXE
• SAV530STBYB.EXE
• SAV530WTBYB.EXE
• SAV95.EXE
• SGK32.EXE
• SM32.EXE
• SMA32.EXE
• SMB32.EXE
• -STOPW.EXE
• ATOR.EXE
• BMENU.EXE
• BPOLL.EXE
• ENERICS.EXE
• MT.EXE
• UARD.EXE
• UARDDOG.EXE
• ACKTRACERSETUP.EXE
• BINST.EXE
• BSRV.EXE
• OTACTIO.EXE
• OTPATCH.EXE
• TLOG.EXE
• TPATCH.EXE
• WPE.EXE
• XDL.EXE
• XIUL.EXE
• AMAPP.EXE
• AMSERV.EXE
• AMSTATS.EXE
• BMASN.EXE
• BMAVSP.EXE
• CLOAD95.EXE
• CLOADNT.EXE
• CMON.EXE
• CSUPP95.EXE
• CSUPPNT.EXE
• DLE.EXE
• EDLL.EXE
• EDRIVER.EXE
• EXPLORER.EXE
• FACE.EXE
• FW2000.EXE
• NETLNFO.EXE
• NFUS.EXE
• NFWIN.EXE
• NIT.EXE
• NTDEL.EXE
• NTREN.EXE
• OMON98.EXE
• PARMOR.EXE
• RIS.EXE
• SASS.EXE
• SRV95.EXE
• STSVC.EXE
• AMMER.EXE
• DBGMRG.EXE
• EDI.EXE
• AVLITE40ENG.EXE
• AVPERS40ENG.EXE
• AVPF.EXE
• AZZA.EXE
• EENVALUE.EXE
• ERIO-PF-213-EN-WIN.EXE
• ERIO-WRL-421-EN-WIN.EXE
• ERIO-WRP-421-EN-WIN.EXE
• ERNEL32.EXE
• ILLPROCESSSETUP161.EXE
• AUNCHER.EXE
• DNETMON.EXE
• DPRO.EXE
• DPROMENU.EXE
• DSCAN.EXE
• NETINFO.EXE
• OADER.EXE
• OCALNET.EXE
• OCKDOWN.EXE
• OCKDOWN2000.EXE
• OOKOUT.EXE
• ORDPE.EXE
• SETUP.EXE
• UALL.EXE
• UAU.EXE
• UCOMSERVER.EXE
• UINIT.EXE
• USPT.EXE
• APISVC32.EXE
• CAGENT.EXE
• CMNHDLR.EXE
• CSHIELD.EXE
• CTOOL.EXE
• CUPDATE.EXE
• CVSRTE.EXE
• CVSSHLD.EXE
• D.EXE
• FIN32.EXE
• FW2EN.EXE
• FWENG3.02D30.EXE
• GAVRTCL.EXE
• GAVRTE.EXE
• GHTML.EXE
• GUI.EXE
• INILOG.EXE
• MOD.EXE
• ONITOR.EXE
• OOLIVE.EXE
• OSTAT.EXE
• PFAGENT.EXE
• PFSERVICE.EXE
• PFTRAY.EXE
• RFLUX.EXE
• SAPP.EXE
• SBB.EXE
• SBLAST.EXE
• SCACHE.EXE
• SCCN32.EXE
• SCMAN.EXE
• SCONFIG.EXE
• SDM.EXE
• SDOS.EXE
• SIEXEC16.EXE
• SINFO32.EXE
• SLAUGH.EXE
• SMGT.EXE
• SMSGRI32.EXE
• SSMMC32.EXE
• SSYS.EXE
• SVXD.EXE
• U0311AD.EXE
• WATCH.EXE
• 32SCANW.EXE
• AV.EXE
• AVAP.NAVAPSVC.EXE
• AVAPSVC.EXE
• AVAPW32.EXE
• AVDX.EXE
• AVENGNAVEX15.NAVLU32.EXE
• AVLU32.EXE
• AVNT.EXE
• AVSTUB.EXE
• AVW32.EXE
• AVWNT.EXE
• C2000.EXE
• CINST4.EXE
• DD32.EXE
• EOMONITOR.EXE
• EOWATCHLOG.EXE
• ETARMOR.EXE
• ETD32.EXE
• ETINFO.EXE
• ETMON.EXE
• ETSCANPRO.EXE
• ETSPYHUNTER-1.2.EXE
• ETSTAT.EXE
• ETUTILS.EXE
• ISSERV.EXE
• ISUM.EXE
• MAIN.EXE
• OD32.EXE
• ORMIST.EXE
• ORTON_INTERNET_SECU_3.0_407.EXE
• OTSTART.EXE
• PF40_TW_98_NT_ME_2K.EXE
• PFMESSENGER.EXE
• PROTECT.EXE
• PSCHECK.EXE
• PSSVC.EXE
• SCHED32.EXE
• SSYS32.EXE
• STASK32.EXE
• SUPDATE.EXE
• T.EXE
• TRTSCAN.EXE
• TVDM.EXE
• TXconfig.EXE
• UI.EXE
• UPGRADE.EXE
• VARCH16.EXE
• VC95.EXE
• VSVC32.EXE
• WINST4.EXE
• WSERVICE.EXE
• WTOOL16.EXE
• LLYDBG.EXE
• NSRVR.EXE
• PTIMIZE.EXE
• STRONET.EXE
• TFIX.EXE
• UTPOST.EXE
• UTPOSTINSTALL.EXE
• UTPOSTPROINSTALL.EXE
• ADMIN.EXE
• ANIXK.EXE
• ATCH.EXE
• AVCL.EXE
• AVPROXY.EXE
• AVSCHED.EXE
• AVW.EXE
• CC2002S902.EXE
• CC2K_76_1436.EXE
• CCIOMON.EXE
• CCNTMON.EXE
• CCWIN97.EXE
• CCWIN98.EXE
• CDSETUP.EXE
• CFWALLICON.EXE
• CIP10117_0.EXE
• CSCAN.EXE
• DSETUP.EXE
• ENIS.EXE
• ERISCOPE.EXE
• ERSFW.EXE
• ERSWF.EXE
• F2.EXE
• FWADMIN.EXE
• GMONITR.EXE
• INGSCAN.EXE
• LATIN.EXE
• OP3TRAP.EXE
• OPROXY.EXE
• OPSCAN.EXE
• ORTDETECTIVE.EXE
• ORTMONITOR.EXE
• OWERSCAN.EXE
• PINUPDT.EXE
• PTBC.EXE
• PVSTOP.EXE
• RIZESURFER.EXE
• RMT.EXE
• RMVR.EXE
• ROCDUMP.EXE
• ROCESSMONITOR.EXE
• ROCEXPLORERV1.0.EXE
• ROGRAMAUDITOR.EXE
• ROPORT.EXE
• ROTECTX.EXE
• SPF.EXE
• URGE.EXE
• USSY.EXE
• VIEW95.EXE
• CONSOLE.EXE
• SERVER.EXE
• APAPP.EXE
• AV7.EXE
• AV7WIN.EXE
• AV8WIN32ENG.EXE
• AY.EXE
• B32.EXE
• CSYNC.EXE
• EALMON.EXE
• EGED.EXE
• EGEDIT.EXE
• EGEDT32.EXE
• ESCUE.EXE
• ESCUE32.EXE
• RGUARD.EXE
• SHELL.EXE
• TVSCAN.EXE
• TVSCN95.EXE
• ULAUNCH.EXE
• UN32DLL.EXE
• UNDLL16.EXE
• UXDLL32.EXE
• AFEWEB.EXE
• AHAGENT.EXE
• AVE.EXE
• AVENOW.EXE
• BSERV.EXE
• C.EXE
• CAM32.EXE
• CAN32.EXE
• CAN95.EXE
• CANPM.EXE
• CRSCAN.EXE
• CRSVR.EXE
• CVHOST.EXE
• D.EXE
• ERV95.EXE
• ERVICE.EXE
• ERVLCE.EXE
• ERVLCES.EXE
• ETUP_FLOWPROTECTOR_US.EXE
• ETUPVAMEEVAL.EXE
• FC.EXE
• GSSFW32.EXE
• H.EXE
• HELLSPYINSTALL.EXE
• HN.EXE
• HOWBEHIND.EXE
• MC.EXE
• MS.EXE
• MSS32.EXE
• OAP.EXE
• OFI.EXE
• PERM.EXE
• PF.EXE
• PHINX.EXE
• POLER.EXE
• POOLCV.EXE
• POOLSV32.EXE
• PYXX.EXE
• REXE.EXE
• RNG.EXE
• S3EDIT.EXE
• SG_4104.EXE
• SGRATE.EXE
• T2.EXE
• TART.EXE
• TCLOADER.EXE
• UPFTRL.EXE
• UPPORT.EXE
• UPPORTER5.EXE
• VC.EXE
• VCHOSTC.EXE
• VCHOSTS.EXE
• VSHOST.EXE
• WEEP95.EXE
• WEEPNET.SWEEPSRV.SYS.SWNETSUP.EXE
• YMPROXYSVC.EXE
• YMTRAY.EXE
• YSEDIT.EXE
• YSTEM.EXE
• YSTEM32.EXE
• YSUPD.EXE
• ASKMG.EXE
• ASKMO.EXE
• ASKMON.EXE
• AUMON.EXE
• BSCAN.EXE
• C.EXE
• CA.EXE
• CM.EXE
• DS2-98.EXE
• DS2-NT.EXE
• DS-3.EXE
• EEKIDS.EXE
• FAK.EXE
• FAK5.EXE
• GBOB.EXE
• ITANIN.EXE
• ITANINXP.EXE
• RACERT.EXE
• RICKLER.EXE
• RJSCAN.EXE
• RJSETUP.EXE
• ROJANTRAP3.EXE
• SADBOT.EXE
• VMD.EXE
• VTMD.EXE
• NDOBOOT.EXE
• PDAT.EXE
• PDATE.EXE
• PGRAD.EXE
• TPOST.EXE
• BCMSERV.EXE
• BCONS.EXE
• BUST.EXE
• BWIN9X.EXE
• BWINNTW.EXE
• CSETUP.EXE
• ET32.EXE
• ET95.EXE
• ETTRAY.EXE
• FSETUP.EXE
• IR-HELP.EXE
• IRUSMDPERSONALFIREWALL.EXE
• NLAN300.EXE
• NPC3000.EXE
• PC32.EXE
• PC42.EXE
• PFW30S.EXE
• PTRAY.EXE
• SCAN40.EXE
• SCENU6.02D30.EXE
• SCHED.EXE
• SECOMR.EXE
• SHWIN32.EXE
• SISETUP.EXE
• SMAIN.EXE
• SMON.EXE
• SSTAT.EXE
• SWIN9XE.EXE
• SWINNTSE.EXE
• SWINPERSE.EXE
• 32DSM89.EXE
• 9X.EXE
• ATCHDOG.EXE
• EBDAV.EXE
• EBSCANX.EXE
• EBTRAP.EXE
• FINDV32.EXE
• GFE95.EXE
• HOSWATCHINGME.EXE
• IMMUN32.EXE
• IN32.EXE
• IN32US.EXE
• INACTIVE.EXE
• IN-BUGSFIX.EXE
• INDOW.EXE
• INDOWS.EXE
• ININETD.EXE
• ININIT.EXE
• ININITX.EXE
• INLOGIN.EXE
• INMAIN.EXE
• INNET.EXE
• INPPR32.EXE
• INRECON.EXE
• INSERVN.EXE
• INSSK32.EXE
• INSTART.EXE
• INSTART001.EXE
• INTSK32.EXE
• INUPDATE.EXE
• KUFIND.EXE
• NAD.EXE
• NT.EXE
• RADMIN.EXE
• RCTRL.EXE
• SBGATE.EXE
• UPDATER.EXE
• UPDT.EXE
• YVERNWORKSFIREWALL.EXE
• PF202EN.EXE
• APRO.EXE
• APSETUP3001.EXE
• ATUTOR.EXE
• ONALM2601.EXE
• ZONEALARM.EXE

This worm also attempts to terminate BAGLE and NETSKY malware variants by stopping the following processes:

BBEAGLE.EXE
D3DUPDATE.EXE
I11R54N4.EXE
IRUN4.EXE
RATE.EXE
SSATE.EXE
SSATE.EXE
TASKMON.EXE
WINSYS.EXE

Preventing Access to Antivirus Web Sites

This backdoor is also capable of preventing access to certain antivirus Web sites. It does this by modifying the Windows HOSTS file located in the %System%\Drivers\etc folder by appending a list of Web site addresses that is directed to the loopback address (127.0.0.1).

• avp.com
• ca.com
• customer.symantec.com
• dispatch.mcafee.com
• download.mcafee.com
• f-secure.com
• kaspersky.com
• liveupdate.symantec.com
• liveupdate.symantecliveupdate.com
• mast.mcafee.com
• mcafee.com
• my-etrust.com
• nai.com
• networkassociates.com
• rads.mcafee.com
• secure.nai.com
• securityresponse.symantec.com
• sophos.com
• symantec.com
• trendmicro.com
• update.symantec.com
• updates.symantec.com
• us.mcafee.com
• viruslist.com
• www.avp.com
• www.ca.com
• www.f-secure.com
• www.kaspersky.com
• www.mcafee.com
• www.my-etrust.com
• www.nai.com
• www.networkassociates.com
• www.sophos.com
• www.trendmicro.com
• www.viruslist.com
• www.symantec.com

Analysis By: Stephen M. Mondiguing

Revision History:

Important note: The "Minimum scan engine" refers to the earliest Trend Micro scan engine version guaranteed to detect this threat. However, Trend Micro strongly recommends that you update to the latest version in order to get comprehensive protection. Download the latest scan engine here.

Solution:

AUTOMATIC REMOVAL INSTRUCTIONS

To automatically remove this malware from your system, please use Trend Micro Damage Cleanup Template / Engine.

MANUAL REMOVAL INSTRUCTIONS

Identifying the Malware Program

To remove this malware, first identify the malware program.

1. Scan your system with your Trend Micro antivirus product.
2. NOTE all files detected as BKDR_AGOBOT.G.

Trend Micro customers need to download the latest pattern file before scanning their system. Other users can use Housecall, Trend Micros free online virus scanner.

Terminating the Malware Program

This procedure terminates the running malware process. You will need the name(s) of the file(s) detected earlier.

1. Open Windows Task Manager.
   On Windows 95, 98, and ME, press
   CTRL+ALT+DELETE
   On Windows NT, 2000, and XP, press
   CTRL+SHIFT+ESC, then click the Processes tab.
2. In the list of running programs, locate the malware file(s) detected earlier.
3. Select one of the detected files, then press either the End Task or the End Process button, depending on the version of Windows on your system.
4. Do the same for all detected malware files in the list of running processes.
5. To check if the malware process has been terminated, close Task Manager, and then open it again.
6. Close Task Manager.

Removing Autostart Entries from the Registry

Removing autostart entries from the registry prevents the malware from executing at startup.

1. Open Registry Editor. Click Start>Run, type REGEDIT, then press Enter.
2. In the left panel, double-click the following:
   HKEY_LOCAL_MACHINE>Software>Microsoft>
   Windows>CurrentVersion>Run
3. In the right panel, locate and delete the entry:
   Reg Service = NT32.exe
4. In the left panel, double-click the following:
   HKEY_LOCAL_MACHINE>Software>Microsoft>
   Windows>CurrentVersion>Runservices
5. In the right panel, locate and delete the entry:
   Reg Service = NT32.exe
6. Close Registry Editor.

Cleaning the Windows HOSTS file

This worm adds loopback addresses in your HOSTS file to prevent access to certain antivirus Web sites.

1. Using Notepad, edit the file hosts located in the %System%\drivers\etc folder.
2. Remove lines that contain the following sites:
   avp.com
   ca.com
   customer.symantec.com
   dispatch.mcafee.com
   download.mcafee.com
   f-secure.com
   kaspersky.com
   liveupdate.symantec.com
   liveupdate.symantecliveupdate.com
   mast.mcafee.com
   mcafee.com
   my-etrust.com
   nai.com
   networkassociates.com
   rads.mcafee.com
   secure.nai.com
   securityresponse.symantec.com
   sophos.com
   symantec.com
   trendmicro.com
   update.symantec.com
   updates.symantec.com
   us.mcafee.com
   viruslist.com
   www.avp.com
   www.ca.com
   www.f-secure.com
   www.kaspersky.com
   www.mcafee.com
   www.my-etrust.com
   www.nai.com
   www.networkassociates.com
   www.sophos.com
   www.trendmicro.com
   www.viruslist.com
   www.symantec.com
3. Save the HOSTS file and close Notepad.

Additional Windows ME/XP Cleaning Instructions

Users running Windows ME and XP must disable System Restore to allow full scanning of infected systems.

Users running other Windows versions can proceed with the succeeding procedure sets.

Running Trend Micro Antivirus

Scan your system with Trend Micro antivirus and delete all files detected as BKDR_AGOBOT.G. To do this, Trend Micro customers must download the latest pattern file and scan their system. Other Internet users can use HouseCall, Trend Micros free online virus scanner.

Applying Patches

This malware exploits known vulnerabilities on certain platforms. Download and install the critical patches from the following links:

• Microsoft Security Bulletin MS03-007
• Microsoft Security Bulletin MS03-026

Trend Micro offers best-of-breed antivirus and content-security solutions for your corporate network, small and medium business, mobile device or home PC.