Aliases: Gaobot, Nortonbot, Phatbot, Polybot.
This is an IRC backdoor Trojan and network worm which establishes an IRC channel to a remote server in order to grant an intruder access to the compromised computer.
This worm will move itself into the Windows system folder as RUNDLL.EXE or WIN.EXE.
Create the values:
RegistryConfig = rundll.exe
Windows32 = win.exe
in the following registry keys:
May also attempt to collect email addresses from the Windows Address Book and send itself to these email addresses using its own SMTP engine
with itself included as an executable attachment.
May attempt to terminate anti-virus and other security-related processes, in addition to other viruses, worms or Trojans.
May also be used to terminate some services on remote computers.
It may search for shared folders on the internet with weak passwords and copy itself into them.
A text file named HOSTS in C:\\drivers\etc\ may be created or overwritten with a list of anti-virus and other security-related websites, each bound to the IP loopback address of 127.0.0.1 which would effectively prevent access to these sites.
For example: 127.0.0.1 www.symantec.com
W32/Agobot-KN can sniff HTTP, ICMP, FTP and IRC network traffic and steal data from them.
Can also be used to initiate denial-of-service (DoS) and distributed denial-of-service (DDoS) synflood / httpflood / fraggle / smurf etc attacks against remote systems.
This worm can steal the Windows Product ID and keys from several computer applications or games.
W32/Agobot-KN will delete all files named 'sound*.*'.