Sophos

Troj/Progent-AF


Summary

Affected operating systems Windows
Characteristics
  • Installs itself in the registry
Protection available since 22 April 2007 21:08:27 (GMT)
Last updated 30 May 2007 10:01:13 (GMT)
Detected by All Sophos products
  • Endpoint Security and Control 9.0
  • Small business solutions 4.0

More Information

Troj/Progent-AF is a Trojan for the Windows platform.

Troj/Progent-AF runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer via IRC channels.

Troj/Progent-AF includes functionality to access the internet and communicate with a remote server via HTTP.

When Troj/Progent-AF runs it may try to install potentially unwanted applications.

When Troj/Progent-AF is installed the following files are created:

<System>\ldkgl\128.reg
<System>\ldkgl\d.dll
<System>\ldkgl\g.exe
<System>\ldkgl\ksomk
<System>\ldkgl\l4m1.bmp
<System>\ldkgl\l4m2.bmp
<System>\ldkgl\l4m3.bmp
<System>\ldkgl\l4m3r.exe
<System>\ldkgl\l4m4.bmp
<System>\ldkgl\l4m5.bmp
<System>\ldkgl\l4m6.bmp
<System>\ldkgl\l4m7.bmp
<System>\ldkgl\l4m8.bmp
<System>\ldkgl\l4m9.bmp
<System>\ldkgl\lam1.exe
<System>\ldkgl\lam2.exe
<System>\ldkgl\lam3.exe (detected as HideWindow)
<System>\ldkgl\lam4.exe (detected as HideWindow)
<System>\ldkgl\lam5.exe (detected as NirPassView)
<System>\ldkgl\mirc.ini
<System>\ldkgl\msn.dll
<System>\ldkgl\nm
<System>\ldkgl\ournik
<System>\ldkgl\poiyu
<System>\ldkgl\systemac.dll
<System>\ldkgl\u

The files l4m3r.exe, systemac.dll and d.dll are components of an official mIRC client for the Windows platform. The file lam1.exe is a clean application.

The files ksomk, nm, ournik, poiyu, and u are clean text files and can safely be deleted.
The file g.exe is a clean datafile and can safely be deleted.

The files l4m[1-9].bmp are detected as Troj/Progent-AF.

The following registry entry is created to run l4m3r.exe on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
msennger
<System>\ldkgl\l4m3r.exe

The following registry entries are set or modified, so that l4m3r.exe is run when files with extensions of CHA and IRC are opened/launched:

HKCR\ChatFile\Shell\open\command
(default)
<System>\ldkgl\l4m3r.exe" -noconnect

HKCR\irc\Shell\open\command
(default)
<System>\ldkgl\l4m3r.exe" -noconnect

Registry entries are set as follows:

HKCR\ChatFile\DefaultIcon
(default)
<System>\ldkgl\l4m3r.exe

HKCR\irc\DefaultIcon
(default)
<System>\ldkgl\l4m3r.exe

Registry entries are created under:

HKCU\Software\Microsoft\Microsoft Agent
HKCU\Software\mIRC\DateUsed
HKCR\irc
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\mIRC
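The persistence artifacts listed above (the ldkgl drop directory, the msennger Run value, and the ChatFile/irc handler and icon keys repointed at l4m3r.exe) can be checked for on a host with the read-only PowerShell script below. It is an added example, not a Sophos tool; it assumes <System> resolves to the Windows system directory and reports matches without deleting anything.

```powershell
# Added example (not Sophos's own tooling): read-only check for the
# Troj/Progent-AF persistence artifacts described on this page.
# Assumes <System> is the Windows system directory (e.g. C:\Windows\System32).
# Run from an elevated prompt so HKLM values are readable.

$system  = [Environment]::GetFolderPath('System')
$dropDir = Join-Path $system 'ldkgl'
$marker  = 'ldkgl\\l4m3r\.exe'          # regex: the dropped mIRC executable
$findings = @()

# 1. The dropped-file directory <System>\ldkgl
if (Test-Path -LiteralPath $dropDir) {
    $findings += "Directory present: $dropDir"
    Get-ChildItem -LiteralPath $dropDir -Force | ForEach-Object {
        $findings += "  file: $($_.Name) ($($_.Length) bytes)"
    }
}

# 2. Run-key persistence: value 'msennger' launching l4m3r.exe at startup
$runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$run = Get-ItemProperty -Path $runKey -Name 'msennger' -ErrorAction SilentlyContinue
if ($run -and $run.msennger -match $marker) {
    $findings += "Run value 'msennger' = $($run.msennger)"
}

# 3. .CHA / .IRC handlers and icons pointed at the dropped executable
$assocKeys = @(
    'Registry::HKEY_CLASSES_ROOT\ChatFile\Shell\open\command',
    'Registry::HKEY_CLASSES_ROOT\irc\Shell\open\command',
    'Registry::HKEY_CLASSES_ROOT\ChatFile\DefaultIcon',
    'Registry::HKEY_CLASSES_ROOT\irc\DefaultIcon'
)
foreach ($key in $assocKeys) {
    $item = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($item -and $item.'(default)' -match $marker) {
        $findings += "$key (default) = $($item.'(default)')"
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No Troj/Progent-AF persistence artifacts found.'
} else {
    Write-Output 'Possible Troj/Progent-AF artifacts:'
    $findings | ForEach-Object { Write-Output $_ }
}
```

The mIRC and Microsoft Agent keys under HKCU are not checked because they also appear on hosts with a legitimate mIRC install; a match on the handler keys or the msennger value is the stronger signal.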
