Threat Descriptions

Backdoor:W32/Agobot.Q

Classification

Category :

Malware

Type :

-

Platform :

-

Aliases :

Agobot.Q, Backdoor.Agobot.3.q, W32.HLLW.Gaobot, Gaobot, Win32/Gaobot

Summary

The Agobot.q variant was reported by several customers in the middle of October 2003. This backdoor is a minor variant of Agobot.p, so it has very similar features. The description of Agobot.p can be found here:

https://www.europe.f-secure.com/v-descs/agobot_p.shtml

The generic description of Agobot can be found here:

https://www.europe.f-secure.com/v-descs/agobot.shtml

Removal

The most important step of disinfection is the installation of security patches for the vulnerabilities exploited by Agobot.

Detailed information and patches are available from the following pages:

RPC/DCOM (MS03-026, fixed by MS03-039):

https://www.microsoft.com/technet/security/bulletin/MS03-039.asp

RPC/Locator (MS03-001):

https://www.microsoft.com/technet/security/bulletin/MS03-001.asp

WebDAV (MS03-007):

https://www.microsoft.com/technet/security/bulletin/MS03-007.asp

The neccessary patches can be downloaded from the pages above under the "Patch availability" section.

F-Secure Anti-Virus with the latest updates can detect and delete the Agobot infected files.

A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:

  • Check for the latest database updates

    First check if your F-Secure security program is using the latest updates, then try scanning the file again.

  • Submit a sample

    After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.

    Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.

  • Exclude a file from further scanning

    If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.

    Note: You need administrative rights to change the settings.

Technical Details

There are some differences between P and Q variants of the backdoor:

The Agobot.q variant copies itself as IEXPLORER.EXE and WINHLPP32.EXE files to an infected system.

Agobot.q has a bit different list of other malware processes that it tries to terminate: 

 tftpd.exe
dllhost.exe
winppr32.exe
mspatch.exe
penis32.exe
msblast.exe
scvhosl.exe