How to delete Backdoor.Agobot - Removal tool, fix instructions

Name: Backdoor.Agobot

Aliases: Backdoor.Agobot.3.Gen, Win32.P2P.Spybot.Gen, Backdoor.SDBot.Gen

Type: Executable Backdoor Worm

Size: Depends on variant

First appeared on: 01.10.2003

Damage: Medium

Brief Description: This is a classic backdoor: it allows a 'master' to control the victim machine remotely by sending commands via IRC channels.

Agobot copies itself into the Windows directory under random names and then registers itself in the system registry auto-run keys:

  • [HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Windows \ CurrentVersion \ Run]
  • [HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Windows \ CurrentVersion \ RunServices]

Visible Symptoms:
The symptoms vary with each variant:

  • suspect running process(es) - the name of the executable varies
  • suspect registry keys, usually an entry in
    [HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
  • unusual internet traffic
  • unusual TCP/UDP open ports listed by "netstat -a" command
  • unusual computer behaviour

Technical description:
First, what is an IRC Bot?

An IRC bot is a program that stays in an IRC channel, keeping it open 24 hours a day,
looking like a normal user but waiting for specific commands to be issued to it.
Normally, they are NOT malicious and were developed to help maintain an IRC channel or
an IRC community. Those IRC bots are operated by channel operators and are safe.

Now, all three families:

  • Backdoor.SDBot
  • Backdoor.Agobot.3
  • Win32.P2P.Spybot

are IRC bots based on the same "evil" IRC bot source.

Once the bot has been run on the victim's computer, it will:

  • attempt to terminate various antivirus/security applications
  • create and hide a copy of itself in another location (usually inside the Windows folder and inside P2P shared folders)
  • create a registry key that starts the bot each time Windows starts
  • connect to a predefined IRC server and join a specific channel, where it waits for commands to be issued by an attacker

Using these bots, an attacker could:

  • Using the victim's computer:
    • using multiple infected computers, perform a DDoS attack on a specific IP address/website
    • perform various types of flood on a target IP address
    • attack other computers or a website using specific exploits/vulnerabilities (RPC/DCOM, RPC/Locator, WebDAV, etc)
    • scan/search for other vulnerable hosts and attempt to install itself on them
  • On the victim's computer:
    • change bot internal parameters, update the bot with a newer version, etc
    • use the host as a TCP proxy (as a send-through)
    • redirect HTTP traffic
    • steal CD keys from various applications/games
    • steal personal information, passwords, etc
    • display/change various information
    • download and upload files
    • delete/modify files
    • execute programs
    • terminate processes
    • reboot or shut down the computer
  • and much more, depending on what has been added to the original source.

Each newer version operates on the same basis as the old ones, but new code is added to make the bot more powerful and harder to detect.

Propagation: -

Removal tool and instructions:
Once an infected file has been identified, terminate its process, remove the registry key that starts it and delete the file.
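The following PowerShell script is an added example, not a tool from the original advisory. It covers the two auto-run keys the advisory names (Run and RunServices) in both directions: Get-AutoRunEntry lists every auto-run value with its resolved executable, whether the file sits in the Windows directory and whether it is currently running (the symptoms described above), and Remove-AgobotEntry applies the removal procedure just described (stop the process, remove the matching registry value, delete the file) for a path you have already confirmed as malicious. It assumes an elevated PowerShell 5.1 or later session on the affected host; the path in the usage comment is a placeholder, not a real Agobot filename.

```powershell
# Added example (not part of the original advisory): audit the auto-run keys the
# advisory names, then remove a confirmed Agobot entry using the advisory's own
# procedure (stop process, remove registry value, delete file).
# Assumptions: elevated PowerShell 5.1+ on the affected host; the path passed to
# Remove-AgobotEntry has already been confirmed malicious by other means.

$AutoRunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices'  # Win9x-era key; may be absent
)

# Reduce a registry command string (possibly quoted, possibly with arguments)
# to the executable path alone.
function Get-ExecutablePath {
    param([string]$Command)
    if ($Command -match '^\s*"([^"]+)"') { return $Matches[1] }   # "C:\path\x.exe" -args
    if ($Command -match '^\s*(.+?\.exe)') { return $Matches[1] }  # C:\path\x.exe -args
    return $Command.Trim()
}

# Symptom check: one object per auto-run value, with the facts a responder needs.
function Get-AutoRunEntry {
    $winDir = $env:SystemRoot
    foreach ($key in $AutoRunKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            # Skip the PSPath/PSParentPath/... members PowerShell adds to the object
            if ($p.Name -like 'PS*') { continue }
            $exe = Get-ExecutablePath $p.Value
            [pscustomobject]@{
                Key          = $key
                ValueName    = $p.Name
                Command      = $p.Value
                Executable   = $exe
                Exists       = Test-Path -LiteralPath $exe
                InWindowsDir = $exe -like "$winDir\*"
                Running      = [bool](Get-Process | Where-Object { $_.Path -eq $exe })
            }
        }
    }
}

# Removal, in the advisory's order: terminate process, remove auto-run value(s),
# delete the file. Supports -WhatIf so the actions can be previewed first.
function Remove-AgobotEntry {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(Mandatory)][string]$Path)

    # 1. Terminate every process whose image is the identified file
    Get-Process | Where-Object { $_.Path -eq $Path } | ForEach-Object {
        if ($PSCmdlet.ShouldProcess("$($_.Name) (PID $($_.Id))", 'Stop-Process')) {
            Stop-Process -Id $_.Id -Force
        }
    }
    # 2. Remove every Run/RunServices value that points at the file
    Get-AutoRunEntry | Where-Object { $_.Executable -eq $Path } | ForEach-Object {
        if ($PSCmdlet.ShouldProcess("$($_.Key)\$($_.ValueName)", 'Remove-ItemProperty')) {
            Remove-ItemProperty -Path $_.Key -Name $_.ValueName
        }
    }
    # 3. Delete the file itself
    if ((Test-Path -LiteralPath $Path) -and $PSCmdlet.ShouldProcess($Path, 'Remove-Item')) {
        Remove-Item -LiteralPath $Path -Force
    }
}

# Usage (placeholder path, not a real Agobot filename):
#   Get-AutoRunEntry | Where-Object { $_.InWindowsDir -and $_.Running } | Format-Table
#   Remove-AgobotEntry -Path 'C:\Windows\PLACEHOLDER-random-name.exe' -WhatIf   # preview
#   Remove-AgobotEntry -Path 'C:\Windows\PLACEHOLDER-random-name.exe'           # apply
```

Run Get-AutoRunEntry first and review the whole table rather than only the flagged rows: legitimate software also registers itself under Run, so "lives in the Windows directory and is running" narrows the list but does not confirm infection on its own. Because Agobot may try to terminate security tools and could be re-launched by a second copy, re-run the audit after removal to confirm no value re-appears.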
