WORM_AGOBOT.GEN
Overview

Malware type: Worm

Aliases: W32.HLLW.Gaobot(Symantec), Mal/TinyDL-T(Sophos), PAK:PE_Patch.Upolyx(Kaspersky), TR/Proxy.Gen(Avira), W32/Gaobot.worm.gen.d(McAfee)

In the wild: Yes

Destructive: No

Language: English

Platform: Windows 95, 98, ME, NT, 2000, XP

Encrypted: No

Overall risk rating:


Reported infections:

Damage potential: High

Distribution potential: High

Description: 

This is Trend Micro's detection for future and existing variants of the AGOBOT worm. The AGOBOT family of worms propagates via peer-to-peer file-sharing applications, such as Kazaa, Grokster, and BearShare, and via network shared drives.

The AGOBOT worm connects to an Internet Relay Chat (IRC) server and acts as a bot program, allowing remote users to manipulate infected machines and launch a denial of service (DoS) attack against other IRC users. This worm may also act as a backdoor server and allow remote users to access and manipulate infected systems directly using a corresponding client application.

Some variants steal game CD keys and terminate security-related processes. The worm also exploits certain vulnerabilities to perform some of its routines.

As of this writing, there are two existing AGOBOT worm construction patterns, as follows:


Description created: Jul. 17, 2003 4:32:36 AM GMT -0800
Description updated: May. 21, 2004 7:03:28 PM GMT -0800
