W32/Agobot.fam!worm!00
Analysis
- Virus is 32-bit and is commonly packed with a file compressor; the size varies but is usually more than 55,000 bytes
- Virus will usually load at Windows startup due to a registry modification
- Virus will commonly connect to a hard-coded IRC server and await instructions from a malicious user. Instructions could include any of the following:
* visit web sites
* download and execute binaries
* scan a network for systems to compromise using RPC DCOM buffer overflow techniques
* act as an FTP server for storing files
Recommended Action
- Check the main screen of the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system. If required, enable the "Allow Push Update" option