Sophos

Troj/Agent-Y


Summary

How it spreads:
  • Web browsing
  • Web downloads

Affected operating systems: Windows

Characteristics:
  • Installs itself in the registry

Included in our products from: October 2004 (3.86)
Protection available since: 18 August 2004 13:50:01 (GMT)
Detected by: All Sophos products

Action

Please follow the instructions for removing Trojans.

Windows NT/2000/XP/2003

In Windows NT/2000/XP/2003 you will also need to edit the following registry entry. The removal of this entry is optional in Windows 95/98/Me. Please read the warning about editing the registry.

At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.

Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup.

Locate the HKEY_LOCAL_MACHINE entry:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
cmssSystemProcess = <system32>\csms.exe

and delete it if it exists.

Close the registry editor.

More Information

The Trojan will download and install the following files:

<System32>\csms.exe
<System32>\msmcts.dll

Troj/Agent-Y will run in the background and periodically upload results to an FTP server.

During installation, Troj/Agent-Y will set various registry entries under:

HKLM\SOFTWARE\Microsoft\MSFD

In addition, it will also set the following registry entries to allow further access:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
cmssSystemProcess = <system32>\csms.exe

HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\
FirewallPolicy\StandardProfile\AuthorizedApplications\List\
<path to mslist.exe> = "<path to mslist.exe>:*:Enabled:cmsscs"

Before downloading, the Trojan will attempt to terminate various anti-virus/firewall processes.
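The following read-only PowerShell check is an added example, not Sophos code, that looks for the artifacts listed above (the two dropped files, the cmssSystemProcess Run value, the MSFD key and the firewall exception for mslist.exe). It assumes <System32> is the standard %SystemRoot%\System32 directory and should be run from an elevated prompt; it reports but does not delete anything.

```powershell
# Added example: report Troj/Agent-Y indicators described in the Sophos analysis.
# Assumption: <System32> resolves to $env:SystemRoot\System32. Nothing is modified.
function Test-TrojAgentY {
    $findings = @()
    $sys32 = Join-Path $env:SystemRoot 'System32'

    # 1. Files the Trojan downloads and installs.
    foreach ($name in 'csms.exe', 'msmcts.dll') {
        $path = Join-Path $sys32 $name
        if (Test-Path -LiteralPath $path) { $findings += "File present: $path" }
    }

    # 2. Persistence: Run value cmssSystemProcess pointing at csms.exe.
    $runKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
    $runVal = (Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue).cmssSystemProcess
    if ($runVal) { $findings += "Run value cmssSystemProcess = $runVal" }

    # 3. Configuration key created during installation.
    if (Test-Path 'HKLM:\SOFTWARE\Microsoft\MSFD') {
        $findings += 'Key present: HKLM\SOFTWARE\Microsoft\MSFD'
    }

    # 4. Windows Firewall exception for mslist.exe (data ends in ':Enabled:cmsscs').
    $fwKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\' +
             'FirewallPolicy\StandardProfile\AuthorizedApplications\List'
    if (Test-Path $fwKey) {
        $fw = Get-ItemProperty -Path $fwKey
        foreach ($prop in $fw.PSObject.Properties) {
            if ($prop.Name -match 'mslist\.exe$' -or "$($prop.Value)" -match ':cmsscs$') {
                $findings += "Firewall exception: $($prop.Name) = $($prop.Value)"
            }
        }
    }
    return $findings
}

$result = Test-TrojAgentY
if ($result) { $result | ForEach-Object { Write-Output "[SUSPECT] $_" } }
else { Write-Output 'No Troj/Agent-Y artifacts found.' }
```

Any [SUSPECT] line warrants a full scan and the removal steps above; the Run value and the firewall exception should both be deleted, not just the executable.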
