scvhost.exe
scvhost - scvhost.exe - Process Information
Process File: scvhost or scvhost.exe
Process Name: Scvhost
Description: Added to the system as a result of the W32/Agobot-S virus, which is an IRC backdoor Trojan and network worm. W32/Agobot-S copies itself to network shares with weak passwords and attempts to spread to computers using the DCOM RPC and the RPC locator vulnerabilities. Svchost.exe is a trojan horse application that uses the HTTP protocol to transfer information and files to the Internet. The program is controlled via a CGI script, which the program calls periodically for instructions. It is installed on the victim machine using a 3rd party application; it includes no spreading mechanism. The program might be some version of Backdoor.Dewin (Symantec) / PWS-DafDaf.a (NAI). NAI also mentions that this (possibly) variant is a "password stealer", but I didn't see any usual method for password stealing in the code. It is possible, however, to plant 3rd party programs on an infected computer remotely. F-Secure AV identifies it as Backdoor.Dewin.k.
The good guy is svchost.exe - "svc" instead of "scv". Read more about svchost.exe.