From; Sophos Alert System: Name: W32/Agobot-QT Aliases: W32/Agobot.CVS, Win32.Agobot.xs Type: Win32 worm Date: 9 March 2005 A virus identity (IDE) file which provides protection is available now from the Sophos website, and will be incorporated into the April 2005 (3.92) release of Sophos Anti-Virus. Customers using EM Library, PureMessage or any of our Sophos small business solutions will be automatically protected at their next scheduled update. At the time of writing, Sophos has received a small number of reports of this worm from the wild. Information about W32/Agobot-QT can be found at: http://www.sophos.com/virusinfo/analyses/w32agobotqt.html W32/Agobot-QT is a worm with backdoor Trojan functionality. W32/Agobot-QT connects to an IRC channel and listens for backdoor commands from a remote attacker. The worm may also spread to network shares with weak passwords or by DCC. W32/Agobot-QT contains backdoor functionality including the ability to do any of the following: - participate in denial of service attacks - download updates and other files - list, create and terminate processes and services - provide a remote command shell - log keypresses - delete files - delete network shares - make registry changes - steal system information - send files by DCC - exploit vulnerabilities - monitor network traffic W32/Agobot-QT also modifies the system HOSTS file in order to prevent access to the following web addresses: avp.com ca.com customer.symantec.com dispatch.mcafee.com download.mcafee.com f-secure.com kaspersky.com liveupdate.symantec.com liveupdate.symantecliveupdate.com mast.mcafee.com mcafee.com my-etrust.com nai.com networkassociates.com rads.mcafee.com secure.nai.com securityresponse.symantec.com sophos.com symantec.com trendmicro.com update.symantec.com updates.symantec.com us.mcafee.com viruslist.com www.avp.com www.ca.com www.f-secure.com www.kaspersky.com www.mcafee.com www.my-etrust.com www.nai.com www.networkassociates.com www.sophos.com www.symantec.com www.trendmicro.com www.viruslist.com When first run W32/Agobot-QT copies itself to the Windows system folder as SUPER.EXE and creates the following registry entries in order to run itself on system startup: HKLM\Software\Microsoft\Windows\CurrentVersion\Run super super.exe HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices super super.exe This IDE file also includes detection for: Troj/Nethief-K http://www.sophos.com/virusinfo/analyses/trojnethiefk.html Troj/Istbar-AQ http://www.sophos.com/virusinfo/analyses/trojistbaraq.html Troj/Agent-CK http://www.sophos.com/virusinfo/analyses/trojagentck.html W32/Rbot-XJ http://www.sophos.com/virusinfo/analyses/w32rbotxj.html W32/Traxg-D http://www.sophos.com/virusinfo/analyses/w32traxgd.html Troj/LowZone-S http://www.sophos.com/virusinfo/analyses/trojlowzones.html Download the IDE file from: http://www.sophos.com/downloads/ide/agobotqt.ide Download all the IDE files available for the current version of Sophos Anti-Virus in a single compressed file. The file is available in two formats: Zip file: http://www.sophos.com/downloads/ide/ides.zip Self-extracting file: http://www.sophos.com/downloads/ide/ides.exe Read about how to use IDE files at http://www.sophos.com/downloads/ide/using.html *********** MIKE"S REPLY SEPARATOR *********** Mike ~ It is a good day if I learned something new. Editor MikesWhatsNews see a sample on my web page http://www3.telus.net/mikebike <mikeswhatsnews-request@xxxxxxxxxxxxx?Subject=subscribe> http://www3.telus.net/mikebike/worm_removal.htm See my Anti-Virus pages http://virusinfo.hackfix.org/index <virusinfo-request@xxxxxxxxxxxxx?Subject=subscribe> A Technical Support Alliance and OWTA Charter Member