6/28: Agobot-KE Exploits Weak Passwords

June 28, 2004

W32/Agobot-KE is a backdoor Trojan and worm that spreads to computers protected by weak passwords. When first run, W32/Agobot-KE moves itself to the Windows system folder as VDISP.EXE and creates the following registry entries to run itself on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Video Display
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\Video Display

Each time W32/Agobot-KE is run it attempts to connect to a remote IRC server and join a specific channel. It then runs continuously in the background, allowing a remote intruder to access and control the computer via IRC channels.

The Trojan attempts to terminate and disable various anti-virus and security-related programs and modifies the HOSTS file located at %WINDOWS%\System32\Drivers\etc\HOSTS, mapping selected anti-virus web sites to the loopback address in an attempt to prevent access to these sites. Typically, certain mappings will be appended to the HOSTS file.

View the mappings and other information on the Sophos page.
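A HOSTS-file audit for the tampering described above, added here as an example and not taken from the Sophos write-up. It flags names mapped to the loopback address and, as a generalization, to 0.0.0.0; the watchlist entries and every `*.example` name are constructed placeholders, not the domains this worm writes.

```python
import ipaddress

# Hostnames that legitimately resolve to loopback in a stock HOSTS file.
BENIGN_LOOPBACK_NAMES = {"localhost", "localhost.localdomain"}

def parse_hosts(text):
    """Yield (line_no, address, hostname) for every mapping in HOSTS-format text."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        entry = raw.split("#", 1)[0].split()   # drop comments, split on whitespace
        if len(entry) < 2:
            continue                            # blank, comment-only or malformed
        try:
            addr = ipaddress.ip_address(entry[0])
        except ValueError:
            continue                            # first field is not an IP address
        for name in entry[1:]:                  # one line may carry several names
            yield line_no, addr, name.lower().rstrip(".")

def suspicious_loopback_mappings(text, watchlist=()):
    """Return (line_no, address, hostname, on_watchlist) for sinkholed non-local names."""
    suffixes = [w.lower().lstrip(".") for w in watchlist]
    findings = []
    for line_no, addr, name in parse_hosts(text):
        if not (addr.is_loopback or addr.is_unspecified):
            continue                            # ordinary mapping, not a sinkhole
        if name in BENIGN_LOOPBACK_NAMES:
            continue
        hit = any(name == s or name.endswith("." + s) for s in suffixes)
        findings.append((line_no, str(addr), name, hit))
    return findings

# Constructed sample: stock entries followed by appended blocking lines.
# The *.example names are placeholders, not the domains this worm uses.
SAMPLE_HOSTS = """\
# Copyright (c) Microsoft Corp.
127.0.0.1       localhost
10.0.0.5        fileserver.corp.example   # internal mapping
127.0.0.1   www.av-vendor.example
127.0.0.1   updates.av-vendor.example liveupdate.security-vendor.example
0.0.0.0     ads.tracker.example
"""

if __name__ == "__main__":
    for f in suspicious_loopback_mappings(SAMPLE_HOSTS, ["av-vendor.example", "security-vendor.example"]):
        print(f)
```

To audit a live machine, pass the contents of %WINDOWS%\System32\Drivers\etc\HOSTS as `text` and supply the security vendors you rely on as the watchlist; entries with `on_watchlist` set to False are often local ad-blocking rather than tampering.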
