From: Sophos Alert System

Name: W32/Agobot-QF
Aliases: W32/Gaobot, Nortonbot, Phatbot, Polybot
Type: Win32 worm
Date: 21 April 2004

A virus identity (IDE) file which provides protection is available now from the Sophos website, and will be incorporated into the June 2004 (3.82) release of Sophos Anti-Virus.

Customers using Enterprise Manager, PureMessage and any of the Sophos small business solutions will be automatically protected at their next scheduled update.

Sophos has received several reports of this worm from the wild.

Information about W32/Agobot-QF can be found at:
http://www.sophos.com/virusinfo/analyses/w32agobotqf.html

Description

W32/Agobot-QF is an IRC backdoor Trojan and network worm which establishes an IRC channel to a remote server in order to grant an intruder access to the compromised machine.

This worm will move itself into the Windows System32 folder under the filename EXPLORED.EXE and may create the following registry entries so that it can execute automatically on system restart:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Windows Login = explored.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
Windows Login = explored.exe

This worm will also attempt to glean email addresses from the Windows Address Book and send itself to these email addresses using its own SMTP engine with itself included as an executable attachment.

W32/Agobot-QF will attempt to terminate anti-virus and software firewall processes, in addition to other viruses, worms or Trojans.

This worm will search for shared folders on the internet with weak passwords and copy itself into them.

A text file named HOSTS may also be dropped into C:\<Windows System32>\drivers\etc which may contain a list of anti-virus and other security related websites each bound to the IP loopback address of 127.0.0.1 which would effectively prevent access to these sites. For example:

127.0.0.1 www.symantec.com
127.0.0.1 securityresponse.symantec.com
127.0.0.1 symantec.com
127.0.0.1 www.sophos.com
127.0.0.1 sophos.com
127.0.0.1 www.mcafee.com
127.0.0.1 mcafee.com
127.0.0.1 liveupdate.symantecliveupdate.com
127.0.0.1 www.viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 f-secure.com
127.0.0.1 www.f-secure.com
127.0.0.1 kaspersky.com
127.0.0.1 www.avp.com
127.0.0.1 www.kaspersky.com
127.0.0.1 avp.com
127.0.0.1 www.networkassociates.com
127.0.0.1 networkassociates.com
127.0.0.1 www.ca.com
127.0.0.1 ca.com
127.0.0.1 mast.mcafee.com
127.0.0.1 my-etrust.com
127.0.0.1 www.my-etrust.com
127.0.0.1 download.mcafee.com
127.0.0.1 dispatch.mcafee.com
127.0.0.1 secure.nai.com
127.0.0.1 nai.com
127.0.0.1 www.nai.com
127.0.0.1 update.symantec.com
127.0.0.1 updates.symantec.com
127.0.0.1 us.mcafee.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 customer.symantec.com
127.0.0.1 rads.mcafee.com
127.0.0.1 trendmicro.com
127.0.0.1 www.trendmicro.com

W32/Agobot-QF can sniff HTTP, ICMP, FTP, VULN and IRC network traffic and steal data from them.

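The HOSTS file change described above can be checked for on a suspect machine. The following is an added example, not part of the Sophos alert: it flags security-vendor names bound to a loopback address, and goes slightly beyond the alert by also treating ::1 and 0.0.0.0 as blocking addresses. The function names and the sample file content are assumptions made for the illustration.

```python
import ipaddress

# Vendor domains taken from the alert's HOSTS example; subdomains match too.
WATCHED = ("symantec.com", "symantecliveupdate.com", "sophos.com", "mcafee.com",
           "viruslist.com", "f-secure.com", "kaspersky.com", "avp.com",
           "networkassociates.com", "nai.com", "ca.com", "my-etrust.com",
           "trendmicro.com")

def is_sinkhole(addr):
    """True for loopback or unspecified addresses (127.0.0.0/8, ::1, 0.0.0.0, ::)."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return ip.is_loopback or ip.is_unspecified

def is_watched(host):
    """Match a watched domain exactly or as a parent domain, never as a substring."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in WATCHED)

def find_blocked(hosts_text):
    """Return (line_no, address, hostname) tuples, in file order, for blocked names."""
    hits = []
    for no, line in enumerate(hosts_text.splitlines(), 1):
        fields = line.split("#", 1)[0].split()   # drop comments, split on whitespace
        if len(fields) < 2 or not is_sinkhole(fields[0]):
            continue
        hits += [(no, fields[0], h) for h in fields[1:] if is_watched(h)]
    return hits

# Constructed sample input, not a file captured from an infected host.
SAMPLE = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1 www.sophos.com
127.0.0.1 liveupdate.symantecliveupdate.com   # inline comment
0.0.0.0 download.mcafee.com rads.mcafee.com
10.0.0.5 intranet.example.test
# 127.0.0.1 www.kaspersky.com
127.0.0.1 notsophos.com
"""

if __name__ == "__main__":
    for no, addr, host in find_blocked(SAMPLE):
        print(f"line {no}: {host} -> {addr}")
```
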
The following vulnerabilities can also be exploited to aid propagation on unpatched systems and manipulate registry keys:

Remote Procedure Call (RPC) vulnerability
Distributed Component Object Model (DCOM) vulnerability
RPC Locator vulnerability
IIS5/WEBDAV Buffer Overflow vulnerability

For more information about these Windows vulnerabilities, please refer to the following Microsoft Web pages:

Microsoft Security Bulletin MS03-001
Microsoft Security Bulletin MS03-007
Microsoft Security Bulletin MS03-026

W32/Agobot-QF can also polymorph on installation in order to evade detection and share/delete the admin$, ipc$ etc drives.

It can also test the available bandwidth by attempting to GET or POST data to the following websites:

'yahoo.co.jp'
'www.nifty.com'
'www.d1asia.com'
'www.st.lib.keio.ac.jp'
'www.lib.nthu.edu.tw'
'www.above.net'
'www.level3.com'
'nitro.ucsc.edu'
'www.burst.net'
'www.cogentco.com'
'www.rit.edu'
'www.nocster.com'
'www.verio.com'
'www.stanford.edu'
'www.xo.net'
'de.yahoo.com'
'www.belwue.de'
'www.switch.ch'
'www.1und1.de'
'verio.fr'
'www.utwente.nl'
'www.schlund.net'

W32/Agobot-QF can also be used to initiate denial-of-service (DoS) and distributed denial-of-service (DDoS) synflood/httpflood/fraggle/smurf etc attacks against remote systems.

This worm can steal the Windows Product ID and keys from several computer applications or games including:

AOL Instant Messenger
Battlefield 1942
Battlefield 1942: Secret Weapons Of WWII
Battlefield 1942: The Road To Rome
Battlefield 1942: Vietnam
Black and White
Call of Duty
Command and Conquer: Generals
Command and Conquer: Generals: Zero Hour
Command and Conquer: Red Alert2
Command and Conquer: Tiberian Sun
Counter-Strike
FIFA 2002
FIFA 2003
Freedom Force
Global Operations
Gunman Chronicles
Half-Life
Hidden and Dangerous 2
Industry Giant 2
IGI2: Covert Strike
James Bond 007: Nightfire
Medal of Honor: Allied Assault
Medal of Honor: Allied Assault: Breakthrough
Medal of Honor: Allied Assault: Spearhead
Nascar Racing 2002
Nascar Racing 2003
NHL 2002
NHL 2003
Need For Speed: Hot Pursuit 2
Need For Speed: Underground
Neverwinter Nights
Ravenshield
Shogun Total War - Warlord Edition
Soldiers Of Anarchy
Soldier of Fortune II - Double Helix
The Gladiators
Unreal Tournament 2003
Unreal Tournament 2004
Windows Messenger

W32/Agobot-QF will delete all files named 'sound*.*' and the resident process will be very difficult to terminate.

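The Run and RunServices entries listed earlier in the description point at EXPLORED.EXE, a name one character away from explorer.exe. The following is an added example, not part of the Sophos alert: it audits saved `reg query` output for autorun values whose executable name imitates a system binary. The list of system names, the distance threshold of 2 and the sample text are assumptions made for the illustration.

```python
import re

# Constructed short list of system binaries that malware names often imitate.
SYSTEM_NAMES = ("explorer.exe", "svchost.exe", "services.exe", "winlogon.exe",
                "rundll32.exe", "lsass.exe", "spoolsv.exe")
AUTORUN_SUFFIXES = ("\\currentversion\\run", "\\currentversion\\runservices")
VALUE_LINE = re.compile(r"^\s+(.+?)\s+REG_(?:EXPAND_)?SZ\s+(.*)$")
EXE_NAME = re.compile(r'([^\\/"]+?\.exe)', re.I)

def edit_distance(a, b):
    """Levenshtein distance, computed row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def imitated(exe):
    """System binary that exe is 1-2 edits away from; None for exact or distant names."""
    if exe in SYSTEM_NAMES:
        return None
    return next((n for n in SYSTEM_NAMES if edit_distance(exe, n) <= 2), None)

def audit(reg_text):
    """Return (key, value_name, data, imitated_name) for look-alike autorun entries."""
    findings, key = [], ""
    for line in reg_text.splitlines():
        if line.upper().startswith("HKEY_"):
            key = line.strip()                     # remember the current key
            continue
        m = VALUE_LINE.match(line)
        if not m or not key.lower().endswith(AUTORUN_SUFFIXES):
            continue
        exe = EXE_NAME.search(m.group(2))          # file name without its path
        target = imitated(exe.group(1).strip().lower()) if exe else None
        if target:
            findings.append((key, m.group(1), m.group(2).strip(), target))
    return findings

# Constructed sample in the layout printed by `reg query`, not captured output.
REG_SAMPLE = r"""
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    Windows Login    REG_SZ    explored.exe
    ctfmon    REG_SZ    C:\WINDOWS\system32\ctfmon.exe

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
    Windows Login    REG_SZ    explored.exe
"""
```
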
Recovery

Please follow the instructions for removing worms.

This IDE file also includes detection for:

W32/Agobot-NI
http://www.sophos.com/virusinfo/analyses/w32agobotni.html
W32/Agobot-NJ
http://www.sophos.com/virusinfo/analyses/w32agobotnj.html
W32/Sdbot-BD
http://www.sophos.com/virusinfo/analyses/w32sdbotbd.html
Troj/Konodap-A
http://www.sophos.com/virusinfo/analyses/trojkonodapa.html
W32/Spybot-BX
http://www.sophos.com/virusinfo/analyses/w32spybotbx.html
W32/Agobot-EY
http://www.sophos.com/virusinfo/analyses/w32agobotey.html
Troj/IRCBot-W
http://www.sophos.com/virusinfo/analyses/trojircbotw.html
Troj/Dumaru-X
http://www.sophos.com/virusinfo/analyses/trojdumarux.html
Troj/Ranck-N
http://www.sophos.com/virusinfo/analyses/trojranckn.html

Download the IDE file from:
http://www.sophos.com/downloads/ide/agobotqf.ide

Download all the IDE files available for the current version of Sophos Anti-Virus in a single compressed file. The file is available in two formats:

Zip file:
http://www.sophos.com/downloads/ide/ides.zip
Self-extracting file:
http://www.sophos.com/downloads/ide/ides.exe

Read about how to use IDE files at
http://www.sophos.com/downloads/ide/using.html

---------------------------------------------------------------------
Mike ~ It is a good day if I learned something new.
Editor MikesWhatsNews
see a sample on my web page http://www3.telus.net/mikebike
<mikeswhatsnews-request@xxxxxxxxxxxxx?Subject=subscribe>
http://www3.telus.net/mikebike/worm_removal.htm
See my Anti-Virus pages http://virusinfo.hackfix.org/index
<virusinfo-request@xxxxxxxxxxxxx?Subject=subscribe>
A Technical Support Alliance and OWTA Charter Member