New variants of a virus known as agobot (also known as gaobot, phatbot, or polybot) are spreading to computers on campus. Affected I.T. departments have already been notified; however, many of the infected systems are personal laptops or other owner-managed systems. This is a general warning regarding the activity and how to prevent and/or remove infections.

The virus is sophisticated and will do the following after it has infected a computer:

1) attempts to terminate any existing anti-virus software
2) modifies the system so it cannot access certain websites, including preventing anti-virus signature updates
3) opens a backdoor so it can be remotely controlled or allow others access to the system and data
4) captures usernames and passwords typed into the system
5) connects to an external IRC server to await remote commands
6) attempts to copy itself to any available network shares, including Novell drive mappings
7) scans the network for other systems to infect

The network scanning is causing disruption of I.T. services in some areas. Infected systems may become unresponsive or unusually slow.

PREVENTION

Following the three steps in the Windows security checklist here will prevent infection:

http://infosec.yorku.ca/FAQ/windows_security_3step.html

1) Choosing strong passwords
2) Using automatic security patches
3) Using automatic anti-virus updates

***In particular, using strong passwords for accounts is essential***

In addition to user accounts, Windows NT, 2000, XP and 2003 all have a *local* "Administrator" account by default. This account must have a strong password; many of the infected systems have been compromised via a weak password on this account. This is IN ADDITION to any domain/tree-level Administrator accounts.

DETECTION

As previously mentioned, unusually slow response from the computer is a potential indication that the computer is infected. Another indication is being unable to access anti-virus vendor web sites such as "www.nai.com" or "us.mcafee.com".

REMOVAL

As there are many variants, the exact removal procedure is subject to change. Please contact your local technical support group for assistance.

-- 
Chris Russel
Manager, CNS Information Security
York University, Toronto, Canada
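
An added example (not part of the original advisory) for the DETECTION symptom above: it checks a hosts file for anti-virus vendor names pointed at a loopback or null address. The advisory does not say how these variants block websites; hosts-file tampering is assumed here as one common mechanism, and the sample file and watched-domain list are constructed.

```python
# Added example: flag hosts-file entries that would block anti-virus sites.
import ipaddress

# Vendor names taken from the advisory; extend with the vendors you use.
WATCHED_DOMAINS = ("nai.com", "mcafee.com")

# Constructed sample of a tampered Windows hosts file (not from a real system).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       www.nai.com
127.0.0.1   us.mcafee.com  download.mcafee.com   # constructed
0.0.0.0         NAI.COM.
192.0.2.10      intranet.example.edu
"""

def is_watched(hostname, watched=WATCHED_DOMAINS):
    """True if hostname equals a watched domain or is a subdomain of one."""
    name = hostname.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in watched)

def is_sinkhole(address):
    """True for loopback or unspecified addresses (127.0.0.0/8, 0.0.0.0, ::1, ::)."""
    try:
        ip = ipaddress.ip_address(address)
    except ValueError:
        return False  # not an IP address, so not a hosts entry we can judge
    return ip.is_loopback or ip.is_unspecified

def suspicious_entries(hosts_text):
    """Return (line_number, address, hostname) for each watched name that is sinkholed."""
    hits = []
    for number, line in enumerate(hosts_text.splitlines(), start=1):
        fields = line.split("#", 1)[0].split()  # drop comments, split on whitespace
        if len(fields) < 2 or not is_sinkhole(fields[0]):
            continue
        hits.extend((number, fields[0], h) for h in fields[1:] if is_watched(h))
    return hits

if __name__ == "__main__":
    # On Windows NT/2000/XP/2003 the live file is %SystemRoot%\System32\drivers\etc\hosts.
    for number, address, host in suspicious_entries(SAMPLE_HOSTS):
        print(f"line {number}: {host} -> {address}")
```

A clean result does not rule out infection: the check only covers hosts-file entries that point at loopback or null addresses.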