Troj/Agent-AU

Category: Viruses and Spyware
Type: Trojan
Prevalence: Small Number of Reports


Troj/Agent-AU is a Trojan designed to disable firewall applications.

When first run, Troj/Agent-AU will copy itself to the Windows system folder and create the following registry entry to run the Trojan each time Windows is started:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
spoolsvr32
<Windows system folder>\csmss.exe

Troj/Agent-AU will drop a DLL file named WINACPI.DLL and create various registry entries under the following:

HKCU\Software\mzs\csmss\mzu\

HKCR\*\shellex\ContextMenuHandlers\sysacpildap\

HKCR\CLSID\{5E2121EE-0300-11D4-8D3B-444553540000}\

HKCR\Interface\{5E2121ED-0300-11D4-8D3B-444553540000}\

HKCR\acpi.acpi.1\

HKCR\acpi.ext\

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{5E2121EE-0300-11D4-8D3B-444553540000}

HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\
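The registry entries listed above can be checked for in the text of a registry export. The following Python code is an added example, not part of the original description. The sample export (its file paths, the InprocServer32 subkey and the firewall-list entry) is constructed, and matching the two file names in any value is an assumption.

```python
import re

# Indicators copied from the description above; HIVES expands its abbreviations.
HIVES = {"HKLM": "HKEY_LOCAL_MACHINE", "HKCU": "HKEY_CURRENT_USER", "HKCR": "HKEY_CLASSES_ROOT"}
CLSID = "{5E2121EE-0300-11D4-8D3B-444553540000}"
KEYS = [r"HKCU\Software\mzs\csmss\mzu", r"HKCR\*\shellex\ContextMenuHandlers\sysacpildap",
        "HKCR\\CLSID\\" + CLSID, r"HKCR\Interface\{5E2121ED-0300-11D4-8D3B-444553540000}",
        r"HKCR\acpi.acpi.1", r"HKCR\acpi.ext"]
VALUES = [(r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "spoolsvr32"),
          (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved", CLSID)]
FILES = ("csmss.exe", "winacpi.dll")  # assumption: flag these names in any value

# Constructed sample export; paths, the InprocServer32 subkey and the firewall entry are illustrative.
SAMPLE = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon"="C:\\WINDOWS\\system32\\ctfmon.exe"
"spoolsvr32"="C:\\WINDOWS\\system32\\csmss.exe"
[HKEY_CLASSES_ROOT\CLSID\{5E2121EE-0300-11D4-8D3B-444553540000}\InprocServer32]
@="C:\\WINDOWS\\system32\\WINACPI.DLL"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\csmss.exe"="C:\\WINDOWS\\system32\\csmss.exe:*:Enabled:spooler"
"""

def norm(key):
    hive, _, rest = key.partition("\\")  # expand HKLM/HKCU/HKCR, ignore case
    return (HIVES.get(hive.upper(), hive) + "\\" + rest).lower()

def parse_reg(text):
    """Yield (key, name, data) per line; name and data are None for a key header."""
    key = None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            yield key, None, None
        elif key and (m := re.match(r'(@|"(?:[^"\\]|\\.)*")=(.*)', line)):
            yield (key, *(s.strip('"').replace("\\\\", "\\") for s in m.groups()))

def classify(key, name, data):
    """Return the indicator type one exported line matches, or False if none."""
    k = norm(key)
    if name is None:  # key header: match a listed key or any of its subkeys
        return any(k == i or k.startswith(i + "\\") for i in map(norm, KEYS)) and "key"
    if (k, name.lower()) in {(norm(a), b.lower()) for a, b in VALUES}:
        return "value"
    return any(f in (name + data).lower() for f in FILES) and "file reference"

def scan(text):
    """Return (type, key, name, data) for every exported line that matches an indicator."""
    return [(c, *row) for row in parse_reg(text) if (c := classify(*row))]
```

A file written by `reg export` is UTF-16, so read it with `open(path, encoding="utf-16")` before passing the text to `scan`.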

Troj/Agent-AU will attempt to disable the following applications:

Agnitum Outpost Firewall
Kaspersky Anti-Hacker
Kerio Personal Firewall 4
McAfee Personal Firewall
Norton Internet Security Professional
Tiny Firewall Pro
Zone Labs ZoneAlarm

The Trojan will attempt to report successful infection of a computer by connecting to a specific website.
