Summary

| Affected operating systems | Windows |
|---|---|
| Characteristics | |
| Included in our products from | October 2004 (3.86) |
| Protection available since | 2 September 2004 08:07:28 (GMT) |
| Detected by | All Sophos products |
Action

Please follow the instructions for removing Trojans.
More Information
Troj/Agent-CO is a Trojan designed to disable firewall applications.
Troj/Agent-CO will attempt to contact a number of URLs in order to report that the infected computer has been compromised.
When first run, Troj/Agent-CO will copy itself as CSMSS.EXE to the Windows System folder. In order to run automatically each time Windows is started, the Trojan will set the following registry entry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
cmssSystemProcess = <SYSTEM>\csmss.exe
Troj/Agent-CO will drop a DLL file named MSCDMSS.DLL to the Windows System folder. In order to run this DLL file automatically each time Windows is started, the Trojan may create the following registry entries:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\mallocator\
DllName = mscdmss.dll
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\mallocator\
Startup = Mallocator
HKLM\SYSTEM\CurrentControlSet\Control\MPRServices\mallocator\
DllName = mscdmss.dll
HKLM\SYSTEM\CurrentControlSet\Control\MPRServices\mallocator\
Startup = Mallocator
HKLM\SYSTEM\CurrentControlSet\Control\MPRServices\mallocator\
StackSize = 0
The DLL monitors the autostart registry entries and will regenerate them if they are deleted. The DLL will also attempt to hide the EXE process from Task Manager.
Troj/Agent-CO will terminate a number of personal firewall processes, including:
kpf4ss.exe
NPROTECT.EXE
kpf4gui.exe
ZAPRO.EXE
amon.exe
MpfService.exe
zonealarm.exe
outpost.exe
firewall.exe
Troj/Agent-CO may attempt to corrupt a number of DLL files associated with personal firewalls, including:
C:\Program Files\Zone Labs\ZoneAlarm\vsruledb.dll
C:\Program Files\Norton Internet Security Professional\FRERules.dll
C:\Program Files\Kerio\Personal Firewall 4\kfe.dll
C:\Program Files\McAfee.com\Personal Firewall\MpfUi.Dll
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Hacker\perfiloc.dll
C:\Program Files\McAfee.com\Personal Firewall\Localized.DLL
C:\Program Files\Tiny Firewall Pro\SnortImp.dll
C:\Program Files\Agnitum\Outpost Firewall\Engine.dll
Troj/Agent-CO will attempt to bypass the Windows XP Firewall by adding itself to the list of authorised programs. The following registry entry will be created:
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\
<path to Trojan> = <path to Trojan>:*:Enabled:csmss
Troj/Agent-CO will create the following registry branch to contain configuration information:
HKCU\Software\mzs\csmss\mzu
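
The autostart and firewall-exception entries listed above can be checked for in a registry dump. The following Python is an added example, not part of the original description: it scans the text of a `reg export` file for those entries. The function name, the layout of the indicator table and the sample dump are constructed for illustration.

```python
import re

# Indicators from the description above: (registry key suffix, value name, data substring).
# A name of None matches any value name. Matching is case-insensitive, like the registry.
INDICATORS = [
    (r"\currentversion\run", "cmsssystemprocess", "csmss.exe"),
    (r"\winlogon\notify\mallocator", "dllname", "mscdmss.dll"),
    (r"\control\mprservices\mallocator", "dllname", "mscdmss.dll"),
    (r"\standardprofile\authorizedapplications\list", None, ":enabled:csmss"),
]
KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

def scan_reg_export(text):
    """Return (key, value name, data) for each string value matching an indicator."""
    hits, key = [], ""
    for line in map(str.strip, text.splitlines()):
        if m := KEY_RE.match(line):
            key = m.group(1).lower()
        elif m := VALUE_RE.match(line):
            # .reg files escape backslashes and quotes inside strings; undo that.
            name, data = (re.sub(r"\\(.)", r"\1", g) for g in m.groups())
            for suffix, want_name, want_data in INDICATORS:
                if (key.endswith(suffix) and want_name in (None, name.lower())
                        and want_data in data.lower()):
                    hits.append((key, name, data))
    return hits

# Constructed sample in `reg export` text form (not captured from a real system).
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"cmssSystemProcess"="C:\\WINDOWS\\system32\\csmss.exe"
"SoundMan"="SOUNDMAN.EXE"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\mallocator]
"DllName"="mscdmss.dll"
"Startup"="Mallocator"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\csmss.exe"="C:\\WINDOWS\\system32\\csmss.exe:*:Enabled:csmss"
"C:\\Program Files\\App\\app.exe"="C:\\Program Files\\App\\app.exe:*:Enabled:App"
'''

if __name__ == "__main__":
    for hit in scan_reg_export(SAMPLE):
        print(hit)
```

`reg export` writes UTF-16 text, so decode the file before passing its contents to `scan_reg_export`.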
