W32/Agobot.fam!worm!00

description-logoAnalysis

  • Virus is 32-bit, and commonly is packed with a file compressor -- the size varies but is usually more than 55,000 bytes
  • Viirus will usually load at Windows startup due to a registry modification
  • Virus will commonly connect with a hard-coded IRC server and await instructions from a malicious user -- instructions could include any of the following --

    * visit web sites
    * download and execute binaries
    * scan a network for systems to compromise using RPC DCOM buffer overflow techniques
    * act as an FTP server for storing files

recommended-action-logoRecommended Action

  • Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option

Telemetry logoTelemetry