6/28: Agobot-KE Exploits Weak Passwords

June 28, 2004

W32/Agobot-KE is a backdoor Trojan and worm that spreads to computers protected by weak passwords. When first run, W32/Agobot-KE moves itself to the Windows system folder as VDISP.EXE and creates the following registry entries to run itself on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Video Display
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\Video Display

Each time W32/Agobot-KE is run, it attempts to connect to a remote IRC server and join a specific channel. It then runs continuously in the background, allowing a remote intruder to access and control the computer via IRC channels.

The Trojan attempts to terminate and disable various anti-virus and security-related programs and modifies the HOSTS file located at %WINDOWS%\System32\Drivers\etc\HOSTS, mapping selected anti-virus web sites to the loopback address in an attempt to prevent access to these sites. Typically, certain mappings will be appended to the HOSTS file.

View them and other information on the Sophos page.
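For checking a machine for this kind of HOSTS tampering, the following is an added example (not code from Sophos or the original article) that parses HOSTS file text and reports every hostname other than the usual localhost names that is mapped to a loopback address. The allow-list of benign names and the sample file contents, including the `.example` domains, are assumptions constructed for illustration.

```python
import ipaddress

# Names that normally resolve to loopback (assumption; extend for your environment).
BENIGN_LOOPBACK_NAMES = {
    "localhost", "localhost.localdomain", "ip6-localhost", "ip6-loopback",
}

def parse_hosts(text):
    """Yield (line_no, ip, hostnames) for each active entry in HOSTS file text."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        entry = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        fields = entry.split()
        if len(fields) < 2:
            continue                           # blank line or address with no name
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                           # first field is not an IP address
        yield line_no, ip, [h.lower().rstrip(".") for h in fields[1:]]

def suspicious_loopback_mappings(text):
    """Return (line_no, ip, hostname) for names redirected to loopback."""
    findings = []
    for line_no, ip, names in parse_hosts(text):
        if not ip.is_loopback:                 # covers 127.0.0.0/8 and ::1
            continue
        for name in names:
            if name not in BENIGN_LOOPBACK_NAMES:
                findings.append((line_no, str(ip), name))
    return findings

# Constructed sample input; the domains are placeholders, not the worm's real list.
SAMPLE_HOSTS = """\
# Constructed sample HOSTS file
127.0.0.1       localhost
::1             localhost
10.0.0.5        fileserver.corp.example
127.0.0.1       www.av-vendor.example
127.0.0.1       update.av-vendor.example liveupdate.security-vendor.example  # appended
# 127.0.0.1     commented-out.example
"""

if __name__ == "__main__":
    for line_no, ip, name in suspicious_loopback_mappings(SAMPLE_HOSTS):
        print(f"line {line_no}: {name} -> {ip}")
```

On a live system, read the text from the HOSTS path given above and pass it to `suspicious_loopback_mappings`; any security-vendor site in the output warrants a closer look at the host.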