Avast didn't pick up this new (?) Agobot variant -- sorry if this isn't correct procedure, but I couldn't get an actual mail address to send the report to.
Originally winnt\system32\systems.exe. IRC is not a possibility for infection, nor is mail; file was likely implanted and executed through RPC vulnerability (fresh install was online without firewall for two hours and picked up this along with blaster -- yikes). On first run, created registry items "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System Loader=systems.exe" and "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\System Loader=systems.exe." The specimen tried to phone to something along the lines of AtHerSite.com yesterday, got suspicious when I looked it up in a file browser and found that it didn't have the same version information as the executables put out by Microsoft -- it didn't, in fact, have a version tab at all in its Properties window. Attempting to terminate the process resulted in Access Denied. Malware blocks execution of registry editors, forcing their termination every few seconds. The executable also does the same with Microsoft RPC vulnerability patches. Was cured by a simple reboot into safe mode with command prompt and renaming of the file, though the registry entries were removed just in case.
