Summary

| Affected operating systems | Windows |
|---|---|
| Characteristics | |
| Included in our products from | July 2005 (3.95) |
| Protection available since | 20 May 2005 20:30:22 (GMT) |
| Detected by | All Sophos products |
Action

Please follow the instructions for removing Trojans.
Replace the Hosts file from a backup or edit it in Notepad to remove the changes that the Trojan has made.
Windows NT/2000/XP/2003
In Windows NT/2000/XP/2003 you will also need to edit the following registry entry. The removal of this entry is optional in Windows 95/98/Me. Please read the warning about editing the registry.
At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.
Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup.
Locate the HKEY_LOCAL_MACHINE entry:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
Backdoor.NuAgent
agent.exe
and delete it if it exists.
Close the registry editor.
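The Hosts file check in the removal steps above can be scripted. This is an added example, not Sophos code, that flags any Hosts mapping for a security-vendor domain or one of its subdomains. The watched-domain subset, the function names and the sample file are assumptions, as is the 127.0.0.1 address, which the description does not state.

```python
"""Audit HOSTS-file text for entries that override security-vendor domains."""
import ipaddress

# Security-vendor domains to watch (a subset chosen for this example).
WATCHED = {"sophos.com", "symantec.com", "mcafee.com", "kaspersky.com",
           "f-secure.com", "trendmicro.com"}

def parse_hosts(text):
    """Yield (line_no, address, hostname) for every mapping in HOSTS-file text."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()   # drop comments, split on whitespace
        if len(fields) < 2:
            continue
        try:
            address = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                             # first field is not an address: skip
        for name in fields[1:]:                  # one line may map several names
            yield line_no, address, name.lower().rstrip(".")

def is_watched(hostname, watched=WATCHED):
    """True if hostname equals a watched domain or is a subdomain of one."""
    return any(hostname == d or hostname.endswith("." + d) for d in watched)

def suspicious_entries(text, watched=WATCHED):
    """Return HOSTS mappings that pin a watched domain to any address."""
    return [(n, str(a), h) for n, a, h in parse_hosts(text) if is_watched(h, watched)]

# Constructed sample file. The address the Trojan writes is not given in the
# description, so 127.0.0.1 is an assumption; any address is flagged.
SAMPLE = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       www.sophos.com sophos.com
127.0.0.1       LiveUpdate.Symantec.com.   # trailing dot and mixed case
10.0.0.5        intranet.example.test
0.0.0.0         notsymantec.com
"""

if __name__ == "__main__":
    for line_no, addr, host in suspicious_entries(SAMPLE):
        print(f"line {line_no}: {host} -> {addr}")
```

On a live system, pass the contents of %SystemRoot%\System32\drivers\etc\hosts to suspicious_entries and review each flagged line before removing it.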
More Information
Troj/Agent-DP is a backdoor Trojan for the Windows platform that provides unauthorized remote access to the infected computer.
Once executed, Troj/Agent-DP copies itself to the Windows system folder with the filename agent.exe. To run automatically when Windows starts up, it sets the registry entry:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
Backdoor.NuAgent
agent.exe
Troj/Agent-DP terminates processes related to the following applications:
Troj/Agent-DP modifies the Windows HOSTS file in an attempt to prevent access to the following AV sites:
