Virus: TR/Agent.AGNY
Date discovered: 24/01/2008
Type: Trojan
In the wild: Yes
Reported Infections: Low
Distribution Potential: Low to medium
Damage Potential: Low to medium
Static file: Yes
File size: 205.449 Bytes
MD5 checksum: 0A834d4813f7b44024b2e68d20957aee
IVDF version: 7.00.02.41 - Thursday, January 24, 2008

General method of propagation:
   • Mapped network drives


Aliases:
   • Mcafee: W32/Autorun.worm.g
   • Kaspersky: Trojan-Downloader.Win32.Agent.hzy
   • F-Secure: Trojan-Downloader.Win32.Agent.hzy
   • Eset: Win32/AutoRun.HL
   • Bitdefender: Trojan.Agent.AGNY


Platforms / OS:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Drops files
   • Lowers security settings

Files
It copies itself to the following locations:
   • c:\windows\system\lsass.exe
   • %recycle bin%\Recycler\AutoLaunch.exe
   • %TEMPDIR%\services.exe



It creates the following directory:
   • %TEMPDIR%\WinSecurityUpd



The following files are created:

– drive:\autorun.inf
This is a non-malicious text file with the following content:
   • %code that runs malware%

– %TEMPDIR%\WinSecurityUpd\ms_auto
This is a non-malicious text file with the following content:
   • %code that runs malware%

– %TEMPDIR%\WinSecurityUpd\ms_drvlst
This is a non-malicious text file with the following content:
   • ABCDEFGHIJKLMNOPQRSTUVWXYZ

– %TEMPDIR%\WinSecurityUpd\udpate~1.tmp
This is a non-malicious text file with the following content:
   • file

– %TEMPDIR%\csrss.bat
This is a non-malicious text file with the following content:
   • %TEMPDIR%\csrss.bat

– %TEMPDIR%\ltmpp.bat
It is executed as soon as it has been fully created. This batch file is used to delete a file.

– %TEMPDIR%\lsassexe.bat
It is executed as soon as it has been fully created. This batch file is used to delete a file.



It tries to execute the following files:

– Filename:
   • %SYSDIR%\netsh.exe
using the following command line arguments: firewall set opmode disable


– Filename:
   • %SYSDIR%\cmd.exe
using the following command line arguments: /c if exist %TEMPDIR%\csrss.bat call %TEMPDIR%\csrss.bat


– Filename:
   • %SYSDIR%\ping.exe
using the following command line arguments: google.com > %TEMPDIR%\ping2.log
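As an added example (not part of the Avira description), the three command lines and the drop locations listed above can be turned into simple detection logic over process-creation and file-creation events. The event format, the behaviour labels and the sample records are constructed for this example; %TEMPDIR% and %recycle bin% are placeholders on the page, so a "\Temp\" or "Recycler\" path component is assumed to stand in for them.

```python
import re

# Behaviours described above, as patterns over process-creation events
# (image path, command line). Labels are hypothetical names for this example.
BEHAVIOURS = [
    ("firewall_disabled", r"\\netsh\.exe$", r"firewall\s+set\s+opmode\s+disable"),
    ("temp_batch_launch", r"\\cmd\.exe$", r"/c\s+if\s+exist\s+\S+\\csrss\.bat\s+call"),
    ("ping_probe_to_log", r"\\ping\.exe$", r"google\.com\s*>\s*\S+ping2\.log"),
]

# Drop locations from the page. %TEMPDIR% and %recycle bin% are placeholders,
# so a "\Temp\" or "Recycler\" path component is assumed to stand in for them.
DROP_PATTERNS = [
    r"\\windows\\system\\lsass\.exe$",   # note: NOT system32, where the real lsass.exe lives
    r"recycler\\autolaunch\.exe$",
    r"\\temp\\services\.exe$",
    r"\\temp\\winsecurityupd\\",
]

def classify_process(image, cmdline):
    """Return the behaviour labels an (image, cmdline) event matches."""
    return [label for label, img_re, args_re in BEHAVIOURS
            if re.search(img_re, image, re.I) and re.search(args_re, cmdline, re.I)]

def is_drop_path(path):
    """True if a created file lands in one of the documented drop locations."""
    return any(re.search(p, path, re.I) for p in DROP_PATTERNS)

def scan(events):
    """events: ("proc", image, cmdline) or ("file", path, ""); returns findings in order."""
    findings = []
    for kind, a, b in events:
        if kind == "proc":
            findings.extend(classify_process(a, b))
        elif kind == "file" and is_drop_path(a):
            findings.append("drop:" + a.lower())
    return findings

# Constructed sample telemetry, not captured from a real infection.
TEMP = r"C:\DOCUME~1\user\LOCALS~1\Temp"
SAMPLE_EVENTS = [
    ("proc", r"C:\WINDOWS\system32\netsh.exe", "firewall set opmode disable"),
    ("proc", r"C:\WINDOWS\system32\cmd.exe", rf"/c if exist {TEMP}\csrss.bat call {TEMP}\csrss.bat"),
    ("proc", r"C:\WINDOWS\system32\ping.exe", rf"google.com > {TEMP}\ping2.log"),
    ("proc", r"C:\WINDOWS\system32\netsh.exe", "firewall show state"),  # benign, must not fire
    ("file", r"C:\WINDOWS\system\lsass.exe", ""),
    ("file", r"C:\WINDOWS\system32\lsass.exe", ""),  # legitimate LSASS, must not fire
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

The lsass.exe check is deliberately tied to the odd `\windows\system\` directory the page gives, so the legitimate copy in system32 does not trigger it.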

File details
Runtime packer:
To hinder detection and reduce the size of the file, it is packed with the following runtime packer:
   • UPX

Description inserted by Andrei Gherman on Thursday, 19 June 2008
Description updated by Andrei Gherman on Thursday, 19 June 2008
