Realplayd.exe = new AGOBOT variant?

I have been getting alerts on our network that DOS_AGOBOT.GEN has
infected some machines - unfortunately our TrendMicro OfficeScan does
not detect the actual EXE that is doing the job, but only detects the
crap that the worm appends to the users HOSTS file (redirecting
anti-virus sites to localhost, etc.)...

The culprit: "realplayd.exe" is about 100k (standard for AGOBOT
varaints i think), it puts itself into the 'system32' folder as well
as the root of the 'winnt' folder, usually it CAN be killed and then
editied OUT of the registry so I won't run again, but all I can see
damaged is the HOSTS file, has anyone else seen this variant yet?

If it is just a standard re-implementation of one of the AGOBOTs, what
else should I be doing (besides patching that is)?