Agobot, also frequently known as Gaobot, is a family of computer worms. Axel "Ago" Gembe, a German programmer also known for leaking Half-Life 2 a year before release, was responsible for writing the first version. The Agobot source code describes it as "a modular IRC bot for Win32 / Linux". Agobot was released under version 2 of the GNU General Public License. Agobot is a multi-threaded and mostly object-oriented program written in C++ as well as a small amount of assembly. Agobot is an example of a botnet that requires little or no programming knowledge to use.
Technical details
New versions, or variants, of the worm appeared so rapidly that the Agobot family quickly grew larger than other bot families. Other bots in the Agobot family are Phatbot and Forbot. Agobot now has several thousand variants. The majority of the development force behind Agobot is targeting the Microsoft Windows platform; as a result, the vast majority of the variants are not Linux compatible. In fact, the majority of modern Agobot strains must be built with Visual Studio due to their reliance on Visual Studio's SDK and Processor Pack. An infectious Agobot can vary in size from ~12 kbyte to ~500 kbyte depending on features, compiler optimizations and binary modifications. A module written for one member of the Agobot family can usually be ported with ease to another bot. This mixing and matching of modules to suit the owner's needs has inspired many of the worm's variants. Most Agobots have the following features:
Attempts to hijack common Trojan horses that accept incoming connections via an open port.
The ability to spread to systems by brute-forcing a login. A good example is Telnet or Microsoft's Server Message Block.
Generally, it has been observed that every custom-modified variant of Agobot features a selection of the above methods as well as some "homebrew" modules, which essentially are released exploits ported to its code. Names and such can be added via the XML files to produce variable shuffle imports.
Variants
Gaobot.ee
Gaobot.ee is a variant of Agobot. It is also known as W32.HLLW.Gaobot.EE. It is a malicious computer worm that tends to come from the P2P network Ares, installing from its virus form, Ares.exe. It has rather odd characteristics for a virus, with the unique ability to download and install random files from its members, such as music, pornography, and even full games. Gaobot.ee is a worm that sends large numbers of unsolicited e-mails using its own SMTP engine. This worm also opens a backdoor on a random TCP port, notifies attackers through a predetermined IRC channel, and attempts to terminate various security products and system monitoring tools. Its security level is low, hardly doing any damage to a computer. However, it has been reported to download and install spyware, more viruses, trojans, and worms, although this has not yet been officially proven.
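The network behaviours described above for Gaobot.ee (direct SMTP sending, an IRC check-in, and a listening backdoor port) can be correlated per host in flow logs. The following is an added example, not code from Agobot or from the original page; the address ranges, the mail-relay list, the IRC port 6667, the thresholds and the sample flows are all assumptions constructed for illustration.

```python
import ipaddress
from collections import defaultdict

INTERNAL = ipaddress.ip_network("10.0.0.0/8")  # assumed internal address range
MAIL_SERVERS = {"10.0.0.25"}                   # assumed legitimate SMTP relays
IRC_PORTS = {6667}                             # assumed: common IRC default port
SMTP_FANOUT_MIN = 5                            # assumed: distinct SMTP peers to flag

def is_internal(ip):
    return ipaddress.ip_address(ip) in INTERNAL

def score_hosts(flows):
    """Map each internal host to the sorted indicators it triggered.

    Each flow is (initiator_ip, responder_ip, responder_port) for one
    TCP connection attempt, as a flow collector would record it.
    """
    smtp_peers = defaultdict(set)
    hits = defaultdict(set)
    for src, dst, dport in flows:
        if is_internal(src) and not is_internal(dst):
            if dport == 25 and src not in MAIL_SERVERS:
                smtp_peers[src].add(dst)        # host mailing out directly
            elif dport in IRC_PORTS:
                hits[src].add("outbound-irc")   # possible IRC check-in
        elif is_internal(dst) and not is_internal(src) and dport >= 1024:
            hits[dst].add("inbound-high-port")  # possible backdoor listener
    for host, peers in smtp_peers.items():
        if len(peers) >= SMTP_FANOUT_MIN:
            hits[host].add("smtp-fanout")
    return {host: sorted(inds) for host, inds in hits.items()}

def suspects(flows, min_indicators=2):
    """Hosts showing several of the behaviours at once."""
    scored = score_hosts(flows)
    return sorted(h for h, inds in scored.items() if len(inds) >= min_indicators)

# Constructed sample flows; external peers use documentation address ranges.
SAMPLE_FLOWS = (
    [("10.0.1.7", f"198.51.100.{n}", 25) for n in range(1, 9)]  # 8 SMTP peers
    + [("10.0.1.7", "203.0.113.5", 6667),     # same workstation joins IRC
       ("203.0.113.9", "10.0.1.7", 40213),    # inbound to a random high port
       ("10.0.0.25", "198.51.100.1", 25),     # real mail relay, ignored
       ("10.0.1.8", "203.0.113.5", 6667)]     # lone IRC user: one indicator
)

if __name__ == "__main__":
    for host, inds in score_hosts(SAMPLE_FLOWS).items():
        print(host, inds)
    print("suspects:", suspects(SAMPLE_FLOWS))
```

Requiring at least two indicators keeps a single IRC user or an allowed inbound service from being flagged on its own.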