3/15: Agobot-QV Worm Hooks to IRC Server
March 15, 2005

W32/Agobot-QV is a network worm with IRC backdoor functionality. W32/Agobot-QV connects to a preconfigured IRC server, joins a channel and awaits further instructions. These instructions can cause the bot to perform any of the following actions:

start a UDP, TCP, ICMP, syn, http or ping flood
start a socks4, socks5, http or https proxy server
redirect TCP or GRE connections
start an FTP server
start a command shell server
show statistics about the infected system
reboot/shutdown the infected machine
kill anti-virus and security processes
list/terminate running processes
scan randomly- or sequentially-chosen IPs for infectable machines
make local drives network-shareable
close down vulnerable services in order to secure the machine
search for product keys
search local drives for AOL user details
sniff network traffic in order to find passwords
start a keylogger
download and install an updated version of itself
install bot plugins for additional functionality

The worm spreads to machines affected by known vulnerabilities, running network services protected by weak passwords or infected by common backdoor Trojans.

More information can be found at Sophos page.