Thank you for being a valued part of the CNET community. As of December 1, 2020, the forums are in read-only format. In early 2021, CNET Forums will no longer be available. We are grateful for the participation and advice you have provided to one another over the years.

Thanks,

CNET Support

General discussion

W32/Agobot-EE

Mar 17, 2004 11:27PM PST

Aliases
Backdoor.Agobot.3.gen, W32/Gaobot.worm.gen.d, Win32/Agobot.3.LI, W32.HLLW.Gaobot.gen, WORM_AGOBOT.UZ

Type
Win32 worm

Description
W32/Agobot-EE is an IRC backdoor Trojan and network worm.
W32/Agobot-EE is capable of spreading to computers on the local network protected by weak passwords.

When first run, W32/Agobot-EE copies itself to the Windows system folder as ccApp32.exe and creates the following registry entries to run itself on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Symantec Configuration Loader = ccApp32.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\Symantec Configuration Loader = ccApp32.exe

On NT-based versions of Windows the worm creates a new service with a display name of "Symantec Configuration Loader" and a startup property set to automatic, so that the service starts automatically each time Windows is started.


More: http://www.sophos.com/virusinfo/analyses/w32agobotee.html

Discussion is locked