Aliases
Backdoor.Agobot.iz, W32/Gaobot.worm.gen.d
Type
Win32 worm
Detection
A virus identity (IDE) file which provides protection is available now from the Latest virus identities section, and will be incorporated into the May 2004 (3.81) release of Sophos Anti-Virus.
Enterprise Manager and PureMessage customers will be automatically protected at their next scheduled update.
At the time of writing, Sophos has received just one report of this worm from the wild.
Description
W32/Agobot-FJ is an IRC backdoor Trojan and peer-to-peer (P2P) worm which opens TCP ports to listen for and process commands received from a remote intruder.
This worm will move itself into the Windows System32 folder under the filename WINII.EXE and create the following registry entries so that it can execute automatically on system restart:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Video Poes = winii.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
Video Poes = winii.exe
The following registry entries will also be created:
HKLM\System\CurrentControlSet\Services\Video Poes\
HKLM\System\CurrentControlSet\Enum\Root\Legacy_Video_Poes\
W32/Agobot-FJ will attempt to terminate anti-virus and software firewall processes, in addition to other viruses, worms or Trojans.
Recovery
Please follow the instructions for removing worms.
Check your administrator passwords and review network security.
Change any data that may have become compromised.
Renaming the registry editor
Using Windows Explorer, browse to the Windows folder (usually C:\Windows or C:\Winnt), right-click Regedit.exe and make a copy of it.
Rename the copy of Regedit.exe to Regedit.com.
At the taskbar, click Start|Run. Type 'Regedit.com' and press Return. The registry editor opens.
You will also need to edit the following registry entries, if they are present. Please read the warning about editing the registry.
Locate the HKEY_LOCAL_MACHINE entries:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Video Poes = winii.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
Video Poes = winii.exe
and delete them if they exist.
Close the registry editor.
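The persistence artefacts listed under Description and the manual registry clean-up above, gathered into one defender-side check. This is an added PowerShell example, not a Sophos tool and not part of the original advisory; it assumes an elevated PowerShell session on the affected host and uses only the value name, file name and registry paths this advisory gives. Without the -Remove switch it only reports what it finds.

```powershell
# Added example (not Sophos's own tool): checks a Windows host for the
# W32/Agobot-FJ persistence artefacts named in this advisory and, with
# -Remove, deletes them. Run from an elevated PowerShell session.
[CmdletBinding()]
param(
    [switch]$Remove   # report only unless this switch is given
)

$valueName = 'Video Poes'   # Run/RunServices value name from the advisory
$fileName  = 'winii.exe'    # dropped file name from the advisory

# Run and RunServices keys the worm writes its start-up value into
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunServices'
)

# Service and legacy device keys the advisory says are also created
$serviceKeys = @(
    'HKLM:\System\CurrentControlSet\Services\Video Poes',
    'HKLM:\System\CurrentControlSet\Enum\Root\Legacy_Video_Poes'
)

$findings = @()

# Start-up values: look for the named value under each key that exists
foreach ($key in $runKeys) {
    if (Test-Path $key) {
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if ($null -ne $props -and $props.PSObject.Properties.Name -contains $valueName) {
            $findings += "Run value '$valueName' = '$($props.$valueName)' in $key"
            if ($Remove) { Remove-ItemProperty -Path $key -Name $valueName -Force }
        }
    }
}

# Service and Enum\Root keys: presence alone is the indicator
foreach ($key in $serviceKeys) {
    if (Test-Path $key) {
        $findings += "Registry key present: $key"
        # Enum\Root keys are often ACL-protected; report the error rather than abort
        if ($Remove) { Remove-Item -Path $key -Recurse -Force -ErrorAction Continue }
    }
}

# The copy of the worm in the System32 folder
$exePath = Join-Path $env:SystemRoot "System32\$fileName"
if (Test-Path $exePath) {
    $findings += "File present: $exePath"
    if ($Remove) {
        # A running instance must be stopped before the file can be deleted
        Get-Process -Name ($fileName -replace '\.exe$', '') -ErrorAction SilentlyContinue |
            Stop-Process -Force
        Remove-Item -Path $exePath -Force
    }
}

if ($findings.Count -eq 0) {
    Write-Output "No W32/Agobot-FJ artefacts found."
} else {
    Write-Output "Findings ($($findings.Count)):"
    $findings | ForEach-Object { Write-Output "  $_" }
    if (-not $Remove) { Write-Output "Re-run with -Remove to delete these artefacts." }
}
```

Run it once without -Remove to confirm the findings match the advisory before deleting anything. The RunServices key normally exists only on Windows 9x systems, so its absence on an NT-based host is expected rather than a sign the check failed, and the Enum\Root key may need its ACL adjusted before it can be removed. This script does not replace the anti-virus scan: it covers only the artefacts named here, not any additional files the intruder may have placed.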