BKDR_AGOBOT.G

Malware type: Backdoor

Aliases: Backdoor.Win32.Agobot.aaf (Kaspersky), W32/Gaobot.worm.gen.j (McAfee), W32.HLLW.Gaobot.gen (Symantec), Worm/AgoBot.105472.14 (Avira), Mal/Behav-134 (Sophos)

In the wild: Yes

Destructive: No

Language: English

Platform: Windows NT, 2000, XP

Encrypted: No

Overall risk rating:

Reported infections:

Damage potential: High

Distribution potential: Low

Description: 

This backdoor operates as an IRC bot. It comes with a built-in Internet Relay Chat (IRC) client engine, which enables it to connect to an IRC channel and wait for commands from a malicious user. It executes the received commands on the local machine, giving remote users effective control over the infected system.

It also automatically notifies the bot of systems vulnerable to the following known security holes:

  • IIS5/WEBDAV buffer overrun
  • Remote Procedure Call (RPC) Distributed Component Object Model (DCOM) vulnerability
  • RPC Locator vulnerability

For detailed information about these vulnerabilities, refer to the following Microsoft pages:

This backdoor also steals the Windows Product ID, as well as the CD keys of certain game applications. It terminates a list of processes associated with antivirus and firewall applications.

For additional information about this threat, see:

Description created: Mar. 31, 2005 8:11:32 PM GMT -0800


Minimum scan engine version needed: 6.810

Pattern file needed: 2.529.03

Pattern release date: Feb 23, 2005


Important note: The "Minimum scan engine" refers to the earliest Trend Micro scan engine version guaranteed to detect this threat. However, Trend Micro strongly recommends that you update to the latest version in order to get comprehensive protection.

Solution:

AUTOMATIC REMOVAL INSTRUCTIONS

To automatically remove this malware from your system, please use Trend Micro Damage Cleanup Template / Engine.

MANUAL REMOVAL INSTRUCTIONS

Identifying the Malware Program

To remove this malware, first identify the malware program.

  1. Scan your system with your Trend Micro antivirus product.
  2. NOTE all files detected as BKDR_AGOBOT.G.

Trend Micro customers need to download the latest pattern file before scanning their system. Other users can use HouseCall, Trend Micro's free online virus scanner.

Terminating the Malware Program

This procedure terminates the running malware process. You will need the name(s) of the file(s) detected earlier.

  1. Open Windows Task Manager.
    On Windows 95, 98, and ME, press
    CTRL+ALT+DELETE
    On Windows NT, 2000, and XP, press
    CTRL+SHIFT+ESC, then click the Processes tab.
  2. In the list of running programs, locate the malware file(s) detected earlier.
  3. Select one of the detected files, then press either the End Task or the End Process button, depending on the version of Windows on your system.
  4. Do the same for all detected malware files in the list of running processes.
  5. To check if the malware process has been terminated, close Task Manager, and then open it again.
  6. Close Task Manager.

Removing Autostart Entries from the Registry

Removing autostart entries from the registry prevents the malware from executing at startup.

  1. Open Registry Editor. Click Start>Run, type REGEDIT, then press Enter.
  2. In the left panel, double-click the following:
    HKEY_LOCAL_MACHINE>Software>Microsoft>Windows>CurrentVersion>Run
  3. In the right panel, locate and delete the entry:
    Reg Service = NT32.exe
  4. In the left panel, double-click the following:
    HKEY_LOCAL_MACHINE>Software>Microsoft>Windows>CurrentVersion>RunServices
  5. In the right panel, locate and delete the entry:
    Reg Service = NT32.exe
  6. Close Registry Editor.

NOTE: If you were not able to terminate the malware process as described in the previous procedure, restart your system in safe mode.

Cleaning the Windows HOSTS file

This backdoor adds entries to your HOSTS file that map certain antivirus Web sites to the loopback address, which prevents the infected system from reaching those sites.

  1. Using Notepad, edit the file hosts located in the %System%\drivers\etc folder.
  2. Remove lines that contain the following sites:
    avp.com
    ca.com
    customer.symantec.com
    dispatch.mcafee.com
    download.mcafee.com
    f-secure.com
    kaspersky.com
    liveupdate.symantec.com
    liveupdate.symantecliveupdate.com
    mast.mcafee.com
    mcafee.com
    my-etrust.com
    nai.com
    networkassociates.com
    rads.mcafee.com
    secure.nai.com
    securityresponse.symantec.com
    sophos.com
    symantec.com
    trendmicro.com
    update.symantec.com
    updates.symantec.com
    us.mcafee.com
    viruslist.com
    www.avp.com
    www.ca.com
    www.f-secure.com
    www.kaspersky.com
    www.mcafee.com
    www.my-etrust.com
    www.nai.com
    www.networkassociates.com
    www.sophos.com
    www.trendmicro.com
    www.viruslist.com
    www.symantec.com
  3. Save the HOSTS file and close Notepad.
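As an added defensive check (not part of the Trend Micro write-up), this Python script parses a HOSTS file and flags lines that point the vendor domains listed above at a loopback address, then produces a cleaned copy. The root domains are taken from the list above (subdomain matching covers entries such as www.symantec.com); the sample HOSTS content is constructed for the demonstration.

```python
"""Find and strip HOSTS lines that pin security-vendor domains to loopback."""
import ipaddress

# Root domains from the removal steps above; a hostname matches if it equals
# one of these or is a subdomain of one (e.g. liveupdate.symantec.com).
VENDOR_DOMAINS = {
    "avp.com", "ca.com", "f-secure.com", "kaspersky.com", "mcafee.com",
    "my-etrust.com", "nai.com", "networkassociates.com", "sophos.com",
    "symantec.com", "liveupdate.symantecliveupdate.com", "trendmicro.com",
    "viruslist.com",
}


def is_loopback(addr):
    """True for 127.0.0.0/8 and ::1; False for anything else or non-IP text."""
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False


def is_vendor_host(name):
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in VENDOR_DOMAINS)


def find_tampered_lines(hosts_text):
    """Return (line_number, raw_line) for loopback entries naming a vendor host."""
    hits = []
    for no, raw in enumerate(hosts_text.splitlines(), start=1):
        fields = raw.split("#", 1)[0].split()  # drop comments, tokenize
        if len(fields) < 2 or not is_loopback(fields[0]):
            continue
        if any(is_vendor_host(n) for n in fields[1:]):
            hits.append((no, raw))
    return hits


def clean_hosts(hosts_text):
    """Return the HOSTS content with the tampered lines removed."""
    bad = {no for no, _ in find_tampered_lines(hosts_text)}
    kept = [l for no, l in enumerate(hosts_text.splitlines(), start=1) if no not in bad]
    return "\n".join(kept) + "\n"


# Constructed sample: a legitimate localhost line, a legitimate LAN entry, and
# three blocking entries of the kind the backdoor writes.
SAMPLE_HOSTS = """# constructed sample HOSTS file
127.0.0.1 localhost
127.0.0.1 www.symantec.com symantec.com
127.0.0.1 liveupdate.symantecliveupdate.com # added by malware
::1 trendmicro.com
192.168.1.10 fileserver.corp.example
"""

if __name__ == "__main__":
    for no, line in find_tampered_lines(SAMPLE_HOSTS):
        print(f"line {no}: {line}")
```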

Additional Windows ME/XP Cleaning Instructions

Users running Windows ME and XP must disable System Restore to allow full scanning of infected systems.

Users running other Windows versions can proceed with the succeeding procedure sets.

Running Trend Micro Antivirus

Scan your system with Trend Micro antivirus and delete all files detected as BKDR_AGOBOT.G. To do this, Trend Micro customers must download the latest pattern file and scan their system. Other Internet users can use HouseCall, Trend Micro's free online virus scanner.

Applying Patches

This malware exploits known vulnerabilities on certain platforms. Download and install the critical patches from the following links:



