The Agobot.q variant was reported by several customers in the middle of October 2003. This backdoor is a minor variant of Agobot.p, so it has very similar features. The description of Agobot.p can be found here:
https://www.europe.f-secure.com/v-descs/agobot_p.shtml
The generic description of Agobot can be found here:
The most important step of disinfection is the installation of security patches for the vulnerabilities exploited by Agobot.
Detailed information and patches are available from the following pages:
RPC/DCOM (MS03-026, fixed by MS03-039):
https://www.microsoft.com/technet/security/bulletin/MS03-039.asp
RPC/Locator (MS03-001):
https://www.microsoft.com/technet/security/bulletin/MS03-001.asp
WebDAV (MS03-007):
https://www.microsoft.com/technet/security/bulletin/MS03-007.asp
The neccessary patches can be downloaded from the pages above under the "Patch availability" section.
F-Secure Anti-Virus with the latest updates can detect and delete the Agobot infected files.
A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:
Check for the latest database updates
First check if your F-Secure security program is using the latest updates, then try scanning the file again.
Submit a sample
After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.
Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.
Exclude a file from further scanning
If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.
Note: You need administrative rights to change the settings.
There are some differences between P and Q variants of the backdoor:
The Agobot.q variant copies itself as IEXPLORER.EXE and WINHLPP32.EXE files to an infected system.
Agobot.q has a bit different list of other malware processes that it tries to terminate:
tftpd.exe dllhost.exe winppr32.exe mspatch.exe penis32.exe msblast.exe scvhosl.exe
Protecting your devices from malicious software is essential for maintaining online security. F‑Secure Total makes this easy, helping you to secure your devices in a brilliantly simple way.
Community
Ask questions in our Community .
User Guides
Check the user guide for instructions.
Submit a Sample
Submit a file or URL for analysis.