The Web    Google
1/11: Agobot-OV Worm Connects to IRC Server

1/11: Agobot-OV Worm Connects to IRC Server
January 11, 2005

W32/Agobot-OV is a network worm with IRC backdoor functionality. Once installed, W32/Agobot-OV connects to a preconfigured IRC server, joins a channel and awaits further instructions. These instructions can cause the bot to perform any of the following actions:

start a UDP, TCP, ICMP, syn, http or ping flood
start a socks4, socks5, http or https proxy server
redirect TCP or GRE connections
start an FTP server
start a command shell server
show statistics about the infected system
reboot/shutdown the infected machine
kill anti-virus and security processes
list/terminate running processes
scan randomly- or sequentially-chosen IPs for infectable machines
make local drives network-shareable
close down vulnerable services in order to secure the machine
search for product keys
search local drives for AOL user details
sniff network traffic in order to find passwords
start a keylogger
download and install an updated version of itself
install bot plugins for additional functionality

The worm spreads to machines affected by known vulnerabilities, running network services protected by weak passwords or infected by common backdoor Trojans.

W32/Agobot-OV adds (loopback) entries to the Windows HOSTS file in order to prevent access to the security-related websites.

More information can be found at Sophos page.

  • 9/22: Agobot-XJ Worm Exploits Mic Flaws
  • 8/23: W64.Shruggle.1318 Infects PE Files
  • 9/3: Worm Ends Antivirus Processes
  • 1/24: Worm_Agobot-AGK Exploits Windows Flaws
  • Check Point Adds Application Protection To Firewall
  • Citadel's Latest Automates W2K3 Vulnerability Remediation
  • 3/8: SymbOS/Commwarrior-A Hits Nokia
  • 9/15: Forbot-C Spreads to Remote Shares
  • Group Revises Anti-Piracy License Terms
  • 4/4: VBS.Kuullio Worm Sends Emails
  • 7/19: Rbot-DX Spreads to Remote Shares
  • Security Camera Companies and products