Place of Origin: Waldshut, Baden-Württemberg, Germany
Agobot, also known as Gaobot, is an IRC bot with over a thousand variants, making it the most popular malware program in terms of variants. It cannot be considered a true worm, as it does not replicate without commands from the operator.
Gaobot arrives on a computer through an IRC server using its own IRC client. It uses several Remote Procedure Call vulnerabilities to run on an infected computer. When Gaobot is executed, it copies itself to the Windows System folder under a file name that may vary. It then sets one or more registry keys to the name of the file so the worm will run when Windows starts.
Gaobot attempts to terminate the processes of antivirus and firewall software, as well as the process names associated with other worms. It also queries the registry to steal the CD keys of various games. Recent Gaobot variants may add entries to the %System%\drivers\etc\hosts file to disable access to certain antivirus Web sites.
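The hosts-file tampering described above can be checked for directly. The following Python code is an added example, not part of the original article or any vendor's tooling; it audits hosts-file text for entries that override security-vendor domains. The watchlist domains and the sample file are constructed assumptions, since the article does not name the blocked sites.

```python
import ipaddress

# Assumed watchlist: the article does not name the blocked sites, so these
# vendor domains are illustrative and should be replaced with your own list.
WATCHLIST = ("symantec.com", "sophos.com")

# Constructed sample of a tampered hosts file (not taken from a real infection).
SAMPLE_HOSTS = """\
# Copyright (c) Microsoft Corp.
127.0.0.1       localhost
::1             localhost
127.0.0.1       www.symantec.com securityresponse.symantec.com  # appended
0.0.0.0         www.sophos.com
10.0.0.5        intranet.example.test
192.0.2.10      liveupdate.symantec.com
127.0.0.1       notsophos.com
"""


def parse_hosts(text):
    """Yield (line_no, address, hostname) for every mapping in hosts-file text."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:
            continue  # blank, comment-only, or malformed line
        try:
            address = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # first field is not an IP address
        for name in fields[1:]:
            yield line_no, address, name.lower().rstrip(".")


def audit_hosts(text, watchlist=WATCHLIST):
    """Return findings for watchlisted domains that the hosts file overrides."""
    findings = []
    for line_no, address, name in parse_hosts(text):
        # Match the domain itself or any subdomain, not a mere suffix string.
        if not any(name == d or name.endswith("." + d) for d in watchlist):
            continue
        blackholed = address.is_loopback or address.is_unspecified
        verdict = "blackholed" if blackholed else "redirected"
        findings.append((line_no, name, str(address), verdict))
    return findings


if __name__ == "__main__":
    for finding in audit_hosts(SAMPLE_HOSTS):
        print("line %d: %s -> %s (%s)" % finding)
```

On a live system, pass the contents of %System%\drivers\etc\hosts to `audit_hosts` instead of the sample; any finding means name resolution for that vendor domain no longer goes through DNS.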
The creator of Agobot was arrested on 2004.05.07, the same day as Sven Jaschan of Sasser worm fame. The arrests were coordinated, but the two cases were found to be unrelated.
A researcher at Pandasoft studying a variant of the Gaobot worm (Gaobot.AAF) made a graphical representation of Gaobot's functions, which ended up looking similar to the Star Wars Death Star.