Troj/Agent-ENG is a Trojan for the Windows platform.
When first run, Troj/Agent-ENG copies itself to <System>\qttask.exe and creates the following files:
<System>\odbcct32.dll - detected as Troj/Agent-ENG
<System>\mpd.dll - detected as Troj/Agent-ENG
<System>\perfc053.dat - detected as Troj/Agent-ENG
<System>\perfh062.dat - detected as Troj/Agent-EJW
Troj/Agent-ENG also creates the following non-malicious files:
<System>\AcroIEObject.dll
<System>\drivers\npf.sys
<Windows>\~ipcfg211
<Windows>\~res416
<Windows>\~start127
<Windows>\~tmp312
<Windows>\~view441
<Windows>\kb899583.log
The file <System>\AcroIEObject.dll creates registry entries under:
HKCR\AcroIEObject.AcroIEObj.1\
HKCR\AcroIEObject.AcroIEObj\
HKCR\AppID\AcroIEObject.DLL\
The following registry entry is created to run qttask.exe on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
QuickTime
<System>\qttask.exe
The following registry entries are created to run code exported by odbcct32.dll on startup:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termserv
DLLName
odbcct32.dll
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termserv
Impersonate
0
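The two startup entries above (the Run value and the Winlogon Notify key) can be checked offline against a `reg export` dump of a suspect machine. This is an added example, not part of the original write-up: the sample export is constructed, the function names are illustrative, and it assumes <System> resolves to a `...\system32` directory.

```python
import re

# Constructed sample in .reg export format (not taken from a real host).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime"="C:\\WINDOWS\\system32\\qttask.exe"
"ExampleUpdater"="C:\\Program Files\\Example\\updater.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termserv]
"DLLName"="odbcct32.dll"
"Impersonate"=dword:00000000
'''

RUN_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\run"
NOTIFY_KEY = r"hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon\notify\termserv"
VALUE_RE = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)*)"=(?P<data>.*)$')


def parse_reg(text):
    """Return {lowercased key path: {lowercased value name: data}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
        elif current is not None and (m := VALUE_RE.match(line)):
            data = m.group("data")
            if data.startswith('"') and data.endswith('"'):  # REG_SZ: unquote, unescape
                data = re.sub(r"\\(.)", r"\1", data[1:-1])
            current[m.group("name").lower()] = data
    return keys


def find_persistence(text):
    """Return findings for the two startup mechanisms the write-up lists."""
    keys, findings = parse_reg(text), []
    for name, data in keys.get(RUN_KEY, {}).items():
        # Assumption: <System> resolves to a ...\system32 directory.
        if data.lower().strip('"').endswith("\\system32\\qttask.exe"):
            findings.append(("run", name, data))
    dll = keys.get(NOTIFY_KEY, {}).get("dllname", "")
    if dll.lower().endswith("odbcct32.dll"):
        findings.append(("winlogon-notify", "termserv", dll))
    return findings


if __name__ == "__main__":
    print(find_persistence(SAMPLE_REG))
```

A Run entry that launches qttask.exe from any directory other than the system folder is not flagged, since the check keys on the location given in this description.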
The non-malicious file npf.sys is registered as a new system driver service named "NPF", with a display name of "Netgroup Packet Filter". Registry entries are created under:
HKLM\SYSTEM\CurrentControlSet\Services\NPF\
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NPF\
The non-malicious file nm.sys is registered as a new system driver service named "NM", with a display name of "Network Monitor Driver". Registry entries are created under:
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_NM\
Additional registry entries may also be created under:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FTPDefault\