Win32/IRCBot [Threat Name]

Win32/IRCBot.AGP [Threat Variant Name]

Category: trojan
Size: 64000 B
Aliases: Backdoor.Win32.IRCBot.fnn (Kaspersky)
  MultiDropper-RY (McAfee)
  Trojan.Injector.AF (BitDefender)
Short description

Win32/IRCBot.AGP is an IRC-controlled backdoor.


When executed, the backdoor copies itself into the %windir% folder using the following name:

  • winrofl32.exe (64000 B)

In order to be executed on every system start, the backdoor sets the following Registry entry:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    • "Windows UDP Control Center" = "winrofl32.exe"

The backdoor displays a fake error message:

Spreading via IM networks

The backdoor sends links to AIM (AOL Instant Messenger), AOL Triton and MSN Messenger users.

If the link is clicked, a copy of the backdoor is downloaded.

Other information

Win32/IRCBot.AGP is an IRC-controlled backdoor.

The backdoor acquires data and commands from a remote computer or the Internet.

The backdoor connects to the following address:


It can execute the following operations:

  • download files from a remote computer and/or the Internet
  • update itself to a newer version
  • spread via IM networks

The backdoor may create copies of itself using the following filenames:

  • %windir%\winrofl32.exe_ (64000 B)
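
An offline triage check for the installation indicators listed on this page (the Run value and the copies in %windir%), as an added example that is not part of the original description. It parses registry export (.reg) text and a file listing; the function names, the C:\Windows default and the sample data are assumptions constructed for illustration.

```python
import re

# Indicators taken from the description on this page.
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
VALUE_NAME = "Windows UDP Control Center"
FILE_NAMES = {"winrofl32.exe", "winrofl32.exe_"}
FILE_SIZE = 64000
_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

def parse_reg_export(text):
    """Return {key_path: {value_name: data}} for string values in .reg text."""
    unescape = lambda s: re.sub(r"\\(.)", r"\1", s)  # undo \\ and \" escapes
    keys, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1], {})
        elif current is not None and (m := _VALUE_RE.match(line)):
            current[unescape(m.group(1))] = unescape(m.group(2))
    return keys

def check_run_key(text):
    """Flag Run values that match the value name or point at the dropped file."""
    hits = []
    for key, values in parse_reg_export(text).items():
        if key.lower() == RUN_KEY.lower():
            for name, data in values.items():
                if name.lower() == VALUE_NAME.lower() or "winrofl32.exe" in data.lower():
                    hits.append((name, data))
    return hits

def check_files(listing, windir=r"C:\Windows"):
    """listing: iterable of (path, size); returns (path, size, size_matches)."""
    hits = []
    for path, size in listing:
        folder, _, name = path.rpartition("\\")
        if folder.lower() == windir.lower() and name.lower() in FILE_NAMES:
            hits.append((path, size, size == FILE_SIZE))
    return hits

# Constructed sample data, not taken from an infected host.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows UDP Control Center"="winrofl32.exe"
"SecurityHealth"="C:\\Windows\\System32\\SecurityHealthSystray.exe"
'''
SAMPLE_FILES = [(r"C:\Windows\winrofl32.exe", 64000), (r"C:\Windows\notepad.exe", 201216)]

if __name__ == "__main__":
    print(check_run_key(SAMPLE_REG), check_files(SAMPLE_FILES))
```

A match on the file name with a different size is still reported, with the last tuple field set to False, since the backdoor can update itself to a newer version.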
