Sophos

Troj/Agent-DO

Aliases
  • Vundo
  • trojan

Summary

Affected operating systems Windows
Characteristics
  • Installs itself in the registry
Protection available since 28 April 2005 19:07:14 (GMT)
Last updated 27 May 2005 09:14:44 (GMT)
Detected by All Sophos products

Action

Please follow the instructions for removing Trojans.

Windows 2000

You will first need to prevent use of the following registry entry, if it is present. Please read the warning about editing the registry.

  • At the taskbar, click Start|Run. Type 'REGEDT32' and press Return. The registry editor opens.
  • Before you edit the registry, you should make a backup. Select the 'HKEY_LOCAL_MACHINE on local machine' window. Select 'HKEY_LOCAL_MACHINE'. On the 'Registry' menu, click 'Save Subtree As'. Save the registry subtree as HKLMBackup. Select 'HKEY_CLASSES_ROOT' and save that subtree as HKCRBackup.
  • Select SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
  • Select \<name.dll>, where <name.dll> is the name of a file reported as a Trojan file
  • On the Security menu select 'Permissions'
  • In 'Permissions for...' deselect 'Allow inheritable permissions from parent to propagate to this object'
  • In the Security dialog, click 'Remove'
  • Click 'OK'
  • Click 'Yes' to deny everyone access to the key
  • Close the registry editor.

Follow the Safe Mode with Command Prompt instructions for removing Trojans.

Re-open the registry editor to delete the Trojan registry entries.

  • At the taskbar, click Start|Run. Type 'REGEDT32' and press Return. The registry editor opens.
  • Select SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
  • Select \<name.dll>
  • On the Security menu select 'Permissions'
  • In 'Permissions for...' select 'Allow inheritable permissions from parent to propagate to this object'
  • Click 'OK'
  • On the Edit menu select 'Delete'
  • Click 'Yes' to delete the key
  • Locate the HKEY_CLASSES_ROOT entry: HKCR\CLSID\{44240BB5-BD7D-4D49-A1AA-8AB0F3D3CB44}\InProcServer32\<name.dll>
  • On the Edit menu select 'Delete'
  • Click 'Yes' to delete the key
  • Close the registry editor.

Windows XP/2003

You will first need to prevent use of the following registry entry, if it is present. Please read the warning about editing the registry.

  • At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.
  • Before you edit the registry, you should make a backup. Select 'My Computer'. On the 'File' menu, click 'Export'. Save your registry as Backup.
  • Select HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
  • Right-click '<name.dll>', where <name.dll> is the name of a file reported as a Trojan file
  • Select 'Permissions'
  • In the 'Permissions for...' dialog, click 'Advanced'
  • In the 'Advanced Security Settings for...' dialog, deselect 'Inherit from parent the permission entries that apply to child objects.'
  • In the Security dialog, click 'Remove'
  • Click 'OK'
  • Click 'Yes' to deny everyone access to the key
  • Click 'OK'
  • Close the registry editor.

Follow the Safe Mode with Command Prompt instructions for removing Trojans.

Re-open the registry editor to delete the Trojan registry entries.

  • At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.
  • Select HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
  • Right-click '<name.dll>', where <name.dll> is the name of a file reported as a Trojan file
  • Select 'Permissions'
  • In the 'Permissions for...' dialog, click 'Advanced'
  • In the 'Advanced Security Settings for...' dialog, select 'Inherit from parent the permission entries that apply to child objects.'
  • Click 'OK' twice
  • Right-click '<name.dll>'
  • Select 'Delete'
  • Click 'Yes' to delete the key
  • Locate the HKEY_CLASSES_ROOT entry: HKCR\CLSID\{44240BB5-BD7D-4D49-A1AA-8AB0F3D3CB44}\InProcServer32\<name.dll>
  • Right-click '<name.dll>'
  • Select 'Delete'
  • Click 'Yes' to delete the key
  • Close the registry editor.
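The two registry phases above (deny everyone access to the Notify subkey before the Safe Mode file deletion; restore inheritance and delete the keys afterwards) expressed as a script, added here as an example and not part of the Sophos write-up. It assumes -DllName is the file name the scanner reported (the removal steps above use that same name for the Notify subkey), that it runs in an elevated shell, and that deleting the whole CLSID key is acceptable because that CLSID is the Trojan's own BHO registration. Winlogon notification packages are only loaded by Windows XP/2003 and earlier, so on a newer system the Notify subkey will normally be absent and the Lock phase simply reports that.

```powershell
#Requires -RunAsAdministrator
# Added example, not the Sophos procedure itself. Run with -Phase Lock before the Safe Mode
# file deletion and with -Phase Remove afterwards. -DllName is an assumption: the DLL name
# reported by the scanner, which is also the Notify subkey name in the steps above.
param(
    [Parameter(Mandatory = $true)][string]$DllName,
    [Parameter(Mandatory = $true)][ValidateSet('Lock', 'Remove')][string]$Phase
)

$NotifySub = 'SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
$BhoClsid  = '{44240BB5-BD7D-4D49-A1AA-8AB0F3D3CB44}'

function Open-NotifyKey {
    # Open with only the rights needed to read and rewrite the DACL. WRITE_DAC and
    # READ_CONTROL are implicitly granted to a key's owner, so this open still succeeds
    # in the Remove phase even though the Lock phase left the DACL with no entries.
    param([string]$KeyName)
    $rights = [System.Security.AccessControl.RegistryRights]::ChangePermissions -bor
              [System.Security.AccessControl.RegistryRights]::ReadPermissions
    return [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey(
        "$NotifySub\$KeyName", [Microsoft.Win32.RegistryKeyPermissionCheck]::ReadWriteSubTree, $rights)
}

function Lock-NotifyKey {
    # Phase 1: the GUI's "deny everyone access". With an empty DACL winlogon cannot open
    # the key, so the DLL it names is not loaded at the next logon.
    param([string]$KeyName)
    $key = Open-NotifyKey $KeyName
    if ($null -eq $key) { Write-Warning "Notify\$KeyName is not present"; return $false }
    $acl = $key.GetAccessControl()
    $acl.SetAccessRuleProtection($true, $false)      # stop inheriting from Notify, drop inherited ACEs
    foreach ($rule in $acl.GetAccessRules($true, $false, [System.Security.Principal.NTAccount])) {
        $acl.RemoveAccessRuleAll($rule)              # 'Remove' every remaining explicit entry
    }
    $key.SetAccessControl($acl)
    $key.Close()
    return $true
}

function Remove-TrojanKeys {
    # Phase 3: re-enable inherited permissions so the key is readable again, then delete
    # it together with the BHO's CLSID registration.
    param([string]$KeyName)
    $key = Open-NotifyKey $KeyName
    if ($null -ne $key) {
        $acl = $key.GetAccessControl()
        $acl.SetAccessRuleProtection($false, $true)  # 'select Allow inheritable permissions'
        $key.SetAccessControl($acl)
        $key.Close()
        Remove-Item -Path "HKLM:\$NotifySub\$KeyName" -Recurse -Force
    }
    $clsidKey = "Registry::HKEY_CLASSES_ROOT\CLSID\$BhoClsid"
    if (Test-Path $clsidKey) { Remove-Item -Path $clsidKey -Recurse -Force }
}

switch ($Phase) {
    'Lock'   { Lock-NotifyKey $DllName }
    'Remove' { Remove-TrojanKeys $DllName }
}
```

The ACL is rewritten through the .NET RegistryKey object rather than Set-Acl because Set-Acl on registry paths also tries to rewrite the owner, which fails for an administrator who does not already own the key. Taking a registry backup first, as the GUI steps do, still applies.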

More Information

Troj/Agent-DO is a Trojan related to advertising.

Troj/Agent-DO is a DLL file that is installed as a Browser Helper Object with the following corresponding registry entry:

HKCR\CLSID\{44240BB5-BD7D-4D49-A1AA-8AB0F3D3CB44}\InProcServer32\
<name.dll>

(where <name> is the basename of the Trojan DLL).

In order to run automatically when Windows starts up, Troj/Agent-DO sets a number of registry entries, including the following:

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
<name>
<name.dll>

The Trojan creates the following files in the folder in which it is run:

<reversename>.temp
<reversename>.bak
<reversename>.ini2

(where <reversename> is the basename of the main Trojan files, reversed).

Troj/Agent-DO monitors browser activity, encrypts the resulting information and stores it in the above files. They are harmless and may be deleted.

Troj/Agent-DO periodically sends information about the infected computer via an HTTP POST submission. The returned data may be used to display advertisements.
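A read-only check for the artifacts described above (the Winlogon Notify package, the BHO CLSID registration, and the reversed-name side files), added here as an example and not taken from the Sophos page. It assumes the usual Notify package layout in which the subkey's DLLName value names the DLL (falling back to the subkey name, which the removal steps above say is the DLL name), that a bare file name resolves under System32, and that the side files sit in the DLL's own folder. It changes nothing on the system.

```powershell
# Added example, not from the Sophos write-up. Assumptions are noted inline.
$NotifyPath   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
$BhoClsid     = '{44240BB5-BD7D-4D49-A1AA-8AB0F3D3CB44}'
$ArtifactExts = @('.temp', '.bak', '.ini2')

function Get-ReversedBaseName {
    # 'abcd.dll' -> 'dcba': the "<reversename>" used for the side files
    param([string]$DllName)
    $chars = [System.IO.Path]::GetFileNameWithoutExtension($DllName).ToCharArray()
    [array]::Reverse($chars)
    return -join $chars
}

function Get-ReversedNameArtifacts {
    # The .temp/.bak/.ini2 files the Trojan writes; assumed to sit next to the DLL
    param([string]$DllPath)
    $dir = Split-Path -Parent $DllPath
    $rev = Get-ReversedBaseName (Split-Path -Leaf $DllPath)
    foreach ($ext in $ArtifactExts) {
        $candidate = Join-Path $dir ($rev + $ext)
        if (Test-Path -LiteralPath $candidate) { $candidate }
    }
}

function Get-NotifyPackages {
    # Every Winlogon Notify package, the DLL it points at, its signature status and any
    # reversed-name side files. An unsigned DLL with such side files matches this write-up.
    if (-not (Test-Path $NotifyPath)) { return @() }
    foreach ($sub in Get-ChildItem -Path $NotifyPath) {
        $dll = (Get-ItemProperty -Path $sub.PSPath -Name DLLName -ErrorAction SilentlyContinue).DLLName
        if (-not $dll) { $dll = $sub.PSChildName }   # fallback: subkey named after the DLL
        $path = if ([System.IO.Path]::IsPathRooted($dll)) { $dll } else { Join-Path "$env:SystemRoot\System32" $dll }
        $exists = Test-Path -LiteralPath $path
        [pscustomobject]@{
            Key       = $sub.PSChildName
            Dll       = $path
            Exists    = $exists
            Signature = if ($exists) { (Get-AuthenticodeSignature -LiteralPath $path).Status } else { 'missing' }
            SideFiles = if ($exists) { @(Get-ReversedNameArtifacts $path) -join ', ' } else { '' }
        }
    }
}

function Get-BhoServer {
    # The default value of InProcServer32 is the DLL COM loads for this CLSID
    $inproc = "Registry::HKEY_CLASSES_ROOT\CLSID\$BhoClsid\InProcServer32"
    if (Test-Path $inproc) { (Get-ItemProperty -Path $inproc).'(default)' }
}

Get-NotifyPackages | Format-Table Key, Dll, Exists, Signature, SideFiles -AutoSize
$server = Get-BhoServer
if ($server) { Write-Warning "BHO $BhoClsid is registered, InProcServer32 = $server" }
else         { Write-Output  "BHO $BhoClsid is not registered" }
```

On Windows Vista and later winlogon no longer loads Notify packages, so the Notify key is normally absent there and the table comes out empty; the CLSID check is independent of that and still applies to any machine where Internet Explorer loads Browser Helper Objects.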
