[virusinfo] Sophos Anti-Virus IDE alert: W32/Agobot-QF

  • From: "Mike" <mikebike@xxxxxxxxx>
  • To: virusinfo@xxxxxxxxxxxxx
  • Date: Wed, 21 Apr 2004 08:13:49 -0700

From: Sophos Alert System

Name: W32/Agobot-QF
Aliases: W32/Gaobot, Nortonbot, Phatbot, Polybot.
Type: Win32 worm
Date: 21 April 2004

A virus identity (IDE) file which provides protection is
available now from the Sophos website, and will be incorporated
into the June 2004 (3.82) release of Sophos Anti-Virus.

Customers using Enterprise Manager, PureMessage and any 
of the Sophos small business solutions will be automatically
protected at their next scheduled update.


Sophos has received several reports of this worm from the wild.


Information about W32/Agobot-QF can be found at:
http://www.sophos.com/virusinfo/analyses/w32agobotqf.html

Description

W32/Agobot-QF is an IRC backdoor Trojan and network worm which establishes
an IRC channel to a remote server in order to grant an intruder access to
the compromised machine.

This worm will move itself into the Windows System32 folder under the
filename EXPLORED.EXE and may create the following registry entries so that
it can execute automatically on system restart:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Windows Login = explored.exe 

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
Windows Login = explored.exe 
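
A defender can check saved `reg query` output from the two keys above for these entries. The following is an added example, not part of the Sophos alert; the sample output and the `VendorTray` entry are constructed, and the bare-file-name check goes beyond the alert's specific value as a more general heuristic.

```python
import ntpath
import re

# Constructed sample of `reg query` output for the two keys named in the alert.
# "VendorTray" is a hypothetical benign entry.
SAMPLE = r"""
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    Windows Login    REG_SZ    explored.exe
    VendorTray    REG_SZ    "C:\Program Files\Vendor\tray.exe" -min

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
    Windows Login    REG_SZ    explored.exe
"""

IOC_VALUE = "windows login"   # value name given in the alert
IOC_IMAGE = "explored.exe"    # file name given in the alert
VALUE_RE = re.compile(r"^\s{4}(?P<name>.+?)\s{4}(?P<type>REG_\w+)\s{4}(?P<data>.*)$")

def image_of(data):
    """Return the executable part of an autorun command line."""
    data = data.strip()
    if data.startswith('"'):
        return data[1:].split('"', 1)[0]
    return data.split(" ", 1)[0]  # unquoted paths containing spaces are not handled

def scan(reg_output):
    """Return (key, value name, image, reasons) for each suspicious autorun value."""
    findings, key = [], None
    for line in reg_output.splitlines():
        if line.startswith("HKEY_"):
            key = line.strip()
            continue
        m = VALUE_RE.match(line)
        if not (m and key):
            continue
        image = image_of(m["data"])
        reasons = []
        if m["name"].strip().lower() == IOC_VALUE:
            reasons.append("value name matches alert")
        if ntpath.basename(image).lower() == IOC_IMAGE:
            reasons.append("image name matches alert")
        if ntpath.basename(image) == image:
            reasons.append("bare file name without a path")
        if reasons:
            findings.append((key, m["name"], image, reasons))
    return findings

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```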

This worm will also attempt to glean email addresses from the Windows
Address Book and send itself to these email addresses using its own SMTP
engine with itself included as an executable attachment. 

W32/Agobot-QF will attempt to terminate anti-virus and software firewall
processes, in addition to other viruses, worms or Trojans. 


This worm will search for shared folders on the internet with weak passwords
and copy itself into them. A text file named HOSTS may also be dropped into
C:\<Windows System32>\drivers\etc which may contain a list of anti-virus
and other security related websites each bound to the IP loopback address of
127.0.0.1 which would effectively prevent access to these sites. 
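
The HOSTS tampering described above can be detected by parsing the file and listing every non-local name bound to a loopback or unspecified address. This is an added example, not part of the Sophos alert; the sample file, the `.example` vendor names and the `WATCHED_SUFFIXES` watch-list are constructed assumptions.

```python
import ipaddress

# Constructed sample hosts file; all host names are placeholders, not from the alert.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1 www.av-vendor.example av-vendor.example   # two names on one line
127.0.0.1\tliveupdate.av-vendor.example
0.0.0.0 updates.other-vendor.example
127.0.0.1 ads.tracker.example   # ad-blocking style entry, not a security site
::1 localhost
192.0.2.10 intranet.corp.example
not-an-ip broken.example
"""

LOCAL_NAMES = {"localhost", "localhost.localdomain", "ip6-localhost", "ip6-loopback"}
# Assumed watch-list of security-vendor domains a site would maintain itself.
WATCHED_SUFFIXES = ("av-vendor.example", "other-vendor.example")

def sinkholed_hosts(text):
    """Return (line number, host, address, watched) for names bound to loopback."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()   # drop comments, split on any whitespace
        if len(fields) < 2:
            continue
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                            # malformed address, skip the line
        if not (addr.is_loopback or addr.is_unspecified):
            continue
        for name in fields[1:]:
            host = name.lower().rstrip(".")
            if host in LOCAL_NAMES:
                continue
            watched = any(host == s or host.endswith("." + s) for s in WATCHED_SUFFIXES)
            findings.append((lineno, host, str(addr), watched))
    return findings

if __name__ == "__main__":
    for finding in sinkholed_hosts(SAMPLE_HOSTS):
        print(finding)
```

Entries with `watched` set are the ones that block security sites; other loopback entries may be deliberate ad-blocking rules and need a manual look.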


W32/Agobot-QF can sniff HTTP, ICMP, FTP, VULN and IRC network traffic and
steal data from them. 

The following vulnerabilities can also be exploited to aid propagation on
unpatched systems and manipulate registry keys: 

Remote Procedure Call (RPC) vulnerability 

Distributed Component Object Model (DCOM) vulnerability 

RPC Locator vulnerability 

IIS5/WEBDAV Buffer Overflow vulnerability 

For more information about these Windows vulnerabilities, please refer to
the following Microsoft Web pages: 

Microsoft Security Bulletin MS03-001
Microsoft Security Bulletin MS03-007
Microsoft Security Bulletin MS03-026 

W32/Agobot-QF can also polymorph on installation in order to evade detection
and share/delete the admin$, ipc$ etc drives. 

It can also test the available bandwidth by attempting to GET or POST data
to a number of websites.

W32/Agobot-QF can also be used to initiate denial-of-service (DoS) and
distributed denial-of-service (DDoS) synflood/httpflood/fraggle/smurf etc
attacks against remote systems.

This worm can steal the Windows Product ID and keys from several computer
applications or games including: 

AOL Instant Messenger
Battlefield 1942
Battlefield 1942: Secret Weapons Of WWII
Battlefield 1942: The Road To Rome
Battlefield 1942: Vietnam
Black and White
Call of Duty
Command and Conquer: Generals
Command and Conquer: Generals: Zero Hour
Command and Conquer: Red Alert2
Command and Conquer: Tiberian Sun
Counter-Strike
FIFA 2002
FIFA 2003
Freedom Force
Global Operations
Gunman Chronicles
Half-Life
Hidden and Dangerous 2
Industry Giant 2
IGI2: Covert Strike
James Bond 007: Nightfire
Medal of Honor: Allied Assault
Medal of Honor: Allied Assault: Breakthrough
Medal of Honor: Allied Assault: Spearhead
Nascar Racing 2002
Nascar Racing 2003
NHL 2002
NHL 2003
Need For Speed: Hot Pursuit 2
Need For Speed: Underground
Neverwinter Nights
Ravenshield
Shogun Total War - Warlord Edition
Soldiers Of Anarchy
Soldier of Fortune II - Double Helix
The Gladiators
Unreal Tournament 2003
Unreal Tournament 2004
Windows Messenger 

W32/Agobot-QF will delete all files named 'sound*.*' and the resident
process will be very difficult to terminate. 
 
 
Recovery 
Please follow the instructions for removing worms 

This IDE file also includes detection for:

W32/Agobot-NI
http://www.sophos.com/virusinfo/analyses/w32agobotni.html
W32/Agobot-NJ
http://www.sophos.com/virusinfo/analyses/w32agobotnj.html
W32/Sdbot-BD
http://www.sophos.com/virusinfo/analyses/w32sdbotbd.html
Troj/Konodap-A
http://www.sophos.com/virusinfo/analyses/trojkonodapa.html
W32/Spybot-BX
http://www.sophos.com/virusinfo/analyses/w32spybotbx.html
W32/Agobot-EY
http://www.sophos.com/virusinfo/analyses/w32agobotey.html
Troj/IRCBot-W
http://www.sophos.com/virusinfo/analyses/trojircbotw.html
Troj/Dumaru-X
http://www.sophos.com/virusinfo/analyses/trojdumarux.html
Troj/Ranck-N
http://www.sophos.com/virusinfo/analyses/trojranckn.html

Download the IDE file from:
http://www.sophos.com/downloads/ide/agobotqf.ide

Download all the IDE files available for the current version of 
Sophos Anti-Virus in a single compressed file. The file is
available in two formats:

Zip file:
http://www.sophos.com/downloads/ide/ides.zip

Self-extracting file:
http://www.sophos.com/downloads/ide/ides.exe

Read about how to use IDE files at
http://www.sophos.com/downloads/ide/using.html
---------------------------------------------------------------------
Mike ~ It is a good day if I learned something new.
Editor MikesWhatsNews see a sample on my web page
http://www3.telus.net/mikebike
<mikeswhatsnews-request@xxxxxxxxxxxxx?Subject=subscribe>
http://www3.telus.net/mikebike/worm_removal.htm
See my Anti-Virus pages  http://virusinfo.hackfix.org/index
<virusinfo-request@xxxxxxxxxxxxx?Subject=subscribe>
A Technical Support Alliance  and OWTA Charter Member 



