Troj/Agent-CL

Aliases	Trojan-Dropper.Win32.Small.nn
Category	Viruses and Spyware
Type	Trojan
What to do	If you've received an alert for a virus or spyware, then follow the instructions for removing the threat.
Prevalence	low high

Summary


Affected operating systems	Windows
Characteristics	Drops more malware Installs itself in the registry
Protection available since	16 March 2005 08:56:10 (GMT)
Detected by	All Sophos products

Free virus scan
Download the Threat Detection Test

Troj/Agent-CL is a Windows downloader Trojan.

When run Troj/Agent-CL drops the DLL file ntosv.dll to the Windows System folder.

The Trojan the sets the following registry entries so as to run during computer logon:

HKCR\CLSID\(23456789-0000-0020-0900-00AAFF6D2EA4)\InProcServer32
Default
%SYSTEM%\ntosv.dll

HKCR\CLSID\(23456789-0000-0020-0900-00AAFF6D2EA4)\InProcServer32
ThreadingModel
Apartment

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler
(23456789-0000-0020-0900-00AAFF6D2EA4)
Sysctl Desktop Handler

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
Sysctl Desktop Handler
(23456789-0000-0020-0900-00AAFF6D2EA4)

Troj/Agent-CL then silently downloads executables or DLLs without notification from a fixed website and runs or loads them.

Get reports about the latest virus and spyware threats delivered to your computer