Trojan-Proxy.Win32.Agent.is
| Alert Level : | Medium |
| Discovered: | Mar 25 2006 |
| Tag: | Trojan-Proxy-Servers |
| Discoverer and Source: | http://www.kaspersky.com/ |
Malware Behavior and Technical Description
This Trojan program enables a remote malicious user to use the victim machine as a proxy server. The Trojan itself is a Windows PE EXE file 172528 bytes in size, written in Visual C++.
Installation
Once launched, the Trojan registers itself in the system registry, ensuring that it will be launched each time Windows is rebooted on the victim machine:
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"Anti-Virus Update Scheduler V1.39.12R"=<path to Trojan program>
Payload
Once launched, the Trojan opens a TCP port chosen at random, and sends an HTTP request with the port and version number to:
http://prox***.be/file/enter.php
This enables a remote malicious user to appear to be working from the victim machine.
Trojan-Proxy.Win32.Agent.is removal instructions:
- In Task Manager, terminate the Trojan process. It will have one of the following names:
sfx.exe
AVUPSCHED13912R.exe
- Delete the original Trojan file. The location of this file will depend on the way in which the Trojan penetrated the victim machine. The file will have one of the following names:
sfx.exe
AVUPSCHED13912R.exe
- Delete the following values from the system registry:
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
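A read-only check for the indicators listed in this description, as an added example that is not part of the original write-up. The variable and function names are hypothetical, and the Wow6432Node path is an assumption that covers registry redirection of 32-bit programs on 64-bit Windows.

```powershell
# Added example: reports the indicators from this description; changes nothing.
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    # Assumption: 32-bit writes are redirected here on 64-bit Windows
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
)
$valueName = 'Anti-Virus Update Scheduler V1.39.12R'
$fileNames = 'sfx.exe', 'AVUPSCHED13912R.exe'
# Properties added by the registry provider, not real registry values
$metadata  = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

function Test-RunEntry {
    param([string]$Name, [string]$Data)
    # Match the exact value name, or a command line that references
    # one of the listed file names.
    if ($Name -eq $valueName) { return $true }
    foreach ($f in $fileNames) {
        if ($Data -like "*$f*") { return $true }
    }
    return $false
}

$findings = @()

# 1. Autostart values under the Run key(s)
foreach ($key in $runKeys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    foreach ($p in $props.PSObject.Properties) {
        if ($metadata -contains $p.Name) { continue }
        if (Test-RunEntry -Name $p.Name -Data ([string]$p.Value)) {
            $findings += [pscustomobject]@{
                Type = 'RunValue'; Name = $p.Name; Detail = "$key -> $($p.Value)" }
        }
    }
}

# 2. Running processes with the listed image names
$procNames = $fileNames | ForEach-Object { [IO.Path]::GetFileNameWithoutExtension($_) }
foreach ($proc in Get-Process -Name $procNames -ErrorAction SilentlyContinue) {
    $findings += [pscustomobject]@{
        Type = 'Process'; Name = $proc.ProcessName; Detail = "PID $($proc.Id)" }
}

if ($findings) { $findings | Format-Table -AutoSize }
else { 'No indicators from this description found.' }
```

A hit on sfx.exe alone is weak evidence, since that file name is also used by legitimate self-extracting archives; confirm it against the Run value before removing anything.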

