6/28: Agobot-KE Exploits Weak Passwords

W32/Agobot-KE is a backdoor Trojan and worm that spreads to computers protected by weak passwords. When first run, W32/Agobot-KE moves itself to the Windows system folder as VDISP.EXE and creates the following registry entries to run itself on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Video Display

Each time W32/Agobot-KE is run it attempts to connect to a remote IRC server and join a specific channel. It then runs continuously in the background, allowing a remote intruder to access and control the computer via IRC channels.
The Trojan attempts to terminate and disable various anti-virus and security-related programs and modifies the HOSTS file located at %WINDOWS%\System32\Drivers\etc\HOSTS, mapping selected anti-virus web sites to the loopback address 127.0.0.1 in an attempt to prevent access to these sites. Typically, certain mappings will be appended to the HOSTS file.
View them and other information on the Sophos page.