Troj/Agent-FWO is a Trojan for the Windows platform.
When run, Troj/Agent-FWO starts and runs a Flash animation clip. At the same time, Troj/Agent-FWO also creates the file <Temp>\ixp000.tmp\fs.exe and runs it. This is a Shockwave Animation file and can be safely removed.
Troj/Agent-FWO may drop any of the following files:
<System>\nvfw96 - can be safely removed
<System>\nvfw96.exe - also detected as Troj/Agent-FWO
<System>\div52x - can be safely removed
<System>\div52.exe - also detected as Troj/Agent-FWO
Troj/Agent-FWO includes functionality to:
- contact a remote website and send information
- inject code into system processes
The following registry entries are created to run Troj/Agent-FWO on startup:
HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\
(076200C7-8302-FDAA-0404-070602000300)
StubPath
<System>\nvfw96.exe
HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\
(1871276A-3AE9-E43D-0400-000505000107)
StubPath
<System>\div52x.exe
Registry entries may also be created under:
HKCR\http\shell\open\command\
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\
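
One way to check a host for the Active Setup startup entries and dropped files listed above. This is an added example, not part of the original write-up. It assumes <System> is %SystemRoot%\System32, and it also checks the WOW6432Node view of the key on 64-bit Windows, which the write-up does not mention. Test-StubPath is a hypothetical helper name.

```powershell
# Added example: audit Active Setup StubPath values and System32 for the
# file names given in the write-up. Read-only; it changes nothing.

# Executable names exactly as they appear on the page (both div52 spellings kept).
$names = 'nvfw96.exe', 'div52.exe', 'div52x.exe'

# Native key from the write-up, plus the 32-bit view (assumption for 64-bit hosts).
$roots = 'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components',
         'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components'

function Test-StubPath {
    # True when the StubPath command line references one of the given file names.
    param([string]$StubPath, [string[]]$Names)
    if ([string]::IsNullOrWhiteSpace($StubPath)) { return $false }
    foreach ($n in $Names) {
        # Match the name as a whole path component, quoted or unquoted.
        $pattern = '(^|[\\"\s])' + [regex]::Escape($n) + '($|["\s,])'
        if ($StubPath -match $pattern) { return $true }
    }
    return $false
}

$regHits = foreach ($root in $roots) {
    foreach ($key in Get-ChildItem -Path $root -ErrorAction SilentlyContinue) {
        $stub = [string]$key.GetValue('StubPath')
        if (Test-StubPath -StubPath $stub -Names $names) {
            [pscustomobject]@{ Key = $key.Name; StubPath = $stub }
        }
    }
}

# Files the write-up lists under <System>, with and without the .exe extension.
$fileHits = foreach ($f in $names + 'nvfw96', 'div52x') {
    $path = Join-Path $env:SystemRoot "System32\$f"
    if (Test-Path -LiteralPath $path) { Get-Item -LiteralPath $path -Force }
}

# A name match is a lead for investigation, not a verdict on its own.
$regHits  | Format-List Key, StubPath
$fileHits | Format-Table FullName, Length, LastWriteTime -AutoSize
```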