Backdoor.Win32.Agobot

Detect Date 02/09/2005
Class Backdoor
Platform Win32
Description

This is a classic backdoor that allows a ‘master’ to control the victim machine remotely by sending commands via IRC channels.

Installation

Agobot copies itself into the Windows directory under random names and then registers itself in the system registry auto-run keys:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
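A triage check for the installation behaviour described above, as an added example that is not part of the original description: it parses a registry export in `reg export` text form and lists Run/RunServices entries whose executable sits directly in the Windows directory. The sample export, its value names and the `C:\Windows` location are constructed assumptions, and a hit is a lead to review, not proof of infection.

```python
import re
from pathlib import PureWindowsPath

# Auto-run keys named in the description above (compared case-insensitively).
PREFIX = "hkey_local_machine\\software\\microsoft\\windows\\currentversion\\"
AUTORUN_KEYS = {PREFIX + "run", PREFIX + "runservices"}
WINDOWS_DIR = PureWindowsPath(r"C:\Windows")  # assumption: default %WINDIR%

# Constructed sample in `reg export` text format; value names and paths are made up.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\System32\\SecurityHealthSystray.exe"
"Updater"="\"C:\\Program Files\\Vendor\\updater.exe\" /background"
"qzxvbnrt"="C:\\WINDOWS\\qzxvbnrt.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"kdjfhgws"="C:\\Windows\\kdjfhgws.exe -svc"
'''

# "name"="string value", where \" and \\ are escaped inside the quotes.
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

def unescape(s):
    """Undo .reg string escaping (\\\\ -> \\ and \\" -> ")."""
    return re.sub(r'\\(.)', r'\1', s)

def exe_path(command):
    """Extract the executable path from an auto-run command line."""
    command = command.strip()
    if command.startswith('"'):          # quoted path, arguments follow
        return command[1:].split('"', 1)[0]
    m = re.match(r'(.+?\.exe)\b', command, re.IGNORECASE)
    return m.group(1) if m else command.split(" ", 1)[0]

def suspicious_autoruns(export_text):
    """Return (key, value name, path) for auto-run executables directly in WINDOWS_DIR."""
    hits, key = [], None
    for line in export_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]             # entering a new registry key section
            continue
        m = VALUE_RE.match(line)
        if not m or key is None or key.lower() not in AUTORUN_KEYS:
            continue
        path = PureWindowsPath(exe_path(unescape(m.group(2))))
        # PureWindowsPath compares case-insensitively, so C:\WINDOWS matches.
        if path.parent == WINDOWS_DIR and path.suffix.lower() == ".exe":
            hits.append((key.rsplit("\\", 1)[-1], unescape(m.group(1)), str(path)))
    return hits
```

Files produced by `reg export` are normally UTF-16, so decode them before passing the text to `suspicious_autoruns`.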

Manifestations

Agobot connects to various IRC servers and opens the channels specified in the body of the worm. It is then ready to receive commands from the ‘master’, who can download and launch files on the victim machine, scan other computers for vulnerabilities, and install Agobot on those vulnerable machines.