Need help? Ask the community or hire an expert.
Go to Avira Answers
Size:97.280 Bytes 
VDF Version: 

General DescriptionAffected Platforms
* Windows 95
* Windows 98
* Windows ME
* Windows NT
* Windows 2000
* Windows XP
* Windows Server 2003

Symptoms- opens TCP port 6666

Technical DetailsIf the trojan "TR/Agent.P.2" is executed, it creates the following files:
\%Sysdir%\fkd8df6s.lnk (505 Bytes)
\%Sysdir%\lizenz.txt (6.727 Bytes)
\%Sysdir%\pdata (335 Bytes)
\%Sysdir%\lddata (4 Bytes)
\%Sysdir%\ddata (57.921 Bytes)

It also operates the following modifications in the Windows Registry:
- New Entries
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wi ndows\CurrentVersion\Run]



- Changed Entries:
[HKEY_CURRENT_USER\Software\Microsoft\Int ernet Explorer\Main]
"Search Page"=""
"Use Custom Search URL"=dword:00000001
"Search Bar"=""

The virus "TR/Agent.P.2" displays a window with a License Agreement (EULA). If this is not validated, the programs stops its execution:

The trojan generates a mutex named "UNIQUENAMEHERE".

It calls an URL and receives delievered data, which then creates the following files:

TR/Agent.P.2 opens TCP Port 6666 and generates a ICMP request to all IP adresses im the range -

It also creates a WOHIS query to the following servers and asks for the domain names in the file "ddata ":


The file "fkd8df6s.lnk" is a link, which the trojan calls with a parameter:
"C:\WINDOWS\system\k.exe /uninstall"

The trojan removes all the created files and copies itself in the Windows directory with the name "removeme.exe".
설명 삽입자 Crony Walker   2004년 6월 15일 화요일

뒤로 . . . .
https:// 이 창은 보안을 위해 암호화되었습니다.