Troj/Agent-GE


Summary

Affected operating systems Windows
Characteristics
  • Installs itself in the registry
Protection available since 13 December 2004 14:22:12 (GMT)
Detected by All Sophos products

More Information

Troj/Agent-GE is a backdoor Trojan for the Windows platform.

The Trojan drops the file ws0ck32.dll into the Windows system folder and registers it as a replacement for the Winsock library by modifying the PackedCatalogItem value in all registry keys below:

HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\

After dropping the file, Troj/Agent-GE attempts to connect to http://www.google.org.

The Trojan adds registry entries below the following key, which it uses to pass configuration information on to the dropped DLL file:

HKLM\SYSTEM\ControlSet001\Services\Winsock\Security\

The ws0ck32.dll component intercepts network traffic and provides backdoor functionality, allowing a malicious user to remotely list running processes and files, upload and download files, and execute arbitrary commands on a compromised system.

Troj/Agent-GE may also drop the harmless file svchost.bat into the Windows system folder.
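The following read-only PowerShell audit is an added example, not Sophos code: it walks the Winsock2 protocol catalog, extracts the provider DLL path from each PackedCatalogItem value, and reports any entry that names ws0ck32.dll, then checks for the dropped files and the configuration key listed above. Two assumptions are made that the advisory does not state: that the "Windows system folder" is the System32 directory, and that 64-bit Windows keeps its 64-bit providers in a Catalog_Entries64 subkey (absent on 32-bit systems and skipped if missing).

```powershell
# Added audit script (not Sophos code). Read-only: it reports the artifacts the
# advisory lists and changes nothing. Run from an elevated PowerShell prompt.

$SuspiciousDll = 'ws0ck32.dll'     # dropped LSP named in the advisory
$CatalogBase   = 'HKLM:\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9'
$ConfigKey     = 'HKLM:\SYSTEM\ControlSet001\Services\Winsock\Security'
# Assumption: Catalog_Entries64 holds the 64-bit providers on x64 Windows.
$CatalogSubkeys = @('Catalog_Entries', 'Catalog_Entries64')

function Get-PackedCatalogProvider {
    # PackedCatalogItem is REG_BINARY and begins with the provider DLL path as a
    # NUL-terminated ANSI string; the WSAPROTOCOL_INFO structure follows it.
    param([byte[]]$Packed)
    $end = [Array]::IndexOf($Packed, [byte]0)
    if ($end -lt 0) { $end = $Packed.Length }
    return [System.Text.Encoding]::ASCII.GetString($Packed, 0, $end)
}

# Collect every catalog entry with its provider path.
$providers = foreach ($sub in $CatalogSubkeys) {
    $path = Join-Path $CatalogBase $sub
    if (-not (Test-Path $path)) { continue }
    foreach ($entry in Get-ChildItem -Path $path) {
        $item = Get-ItemProperty -Path $entry.PSPath -Name PackedCatalogItem -ErrorAction SilentlyContinue
        if ($null -eq $item) { continue }
        [pscustomobject]@{
            Catalog  = $sub
            Entry    = $entry.PSChildName
            Provider = Get-PackedCatalogProvider -Packed $item.PackedCatalogItem
        }
    }
}

# 1. Full catalog listing, so the LSP chain can be compared with a clean host.
$providers | Format-Table -AutoSize

# 2. Entries whose provider path names the dropped DLL.
$hits = $providers | Where-Object { $_.Provider -like "*$SuspiciousDll*" }
if ($hits) {
    Write-Warning "Winsock catalog entries reference ${SuspiciousDll}:"
    $hits | Format-Table -AutoSize
}

# 3. Dropped files in the system folder (assumed to be System32) and the config key.
$systemDir = [Environment]::GetFolderPath('System')
foreach ($name in $SuspiciousDll, 'svchost.bat') {
    $f = Join-Path $systemDir $name
    if (Test-Path $f) { Write-Warning "Found $f (last write $((Get-Item $f).LastWriteTime))" }
}
if (Test-Path $ConfigKey) { Write-Warning "Found configuration key $ConfigKey" }
```

On a clean host the catalog listing names only the built-in providers (mswsock.dll and similar); a provider path ending in ws0ck32.dll is the indicator this page describes. Because Winsock providers form a chain, deleting a single Catalog_Entries subkey by hand can leave the host without working networking; after removing the DLL, rebuild the catalog with the built-in "netsh winsock reset" command (available from Windows XP SP2 onward) rather than editing the keys directly.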
