3/18: Agent.E Trojan Acts as HTTP Proxy

March 18, 2005

Proxy-Agent.e is a Trojan intended to serve as an HTTP proxy on the victim machine. When run, the Trojan copies itself to the local machine. The following file names have been used:

c:\windows\system32\msgina\wuauclt2.exe (20,391) (or)
c:\Documents and Settings\(current user)\Application Data\Microsoft\sr64\(random file name) (17,737)

A dll file is created:

c:\WINDOWS\system32\msgina32.dll (7,168) (or)
c:\Documents and Settings\(current user)\Application Data\Microsoft\sr64\sr32.dll (6,656)

The following registry key is created:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "msgina" = C:\WINDOWS\system32\msgina\wuauclt2.exe (or) "sr64" = C:\Documents and Settings\(current user)\Application Data\Microsoft\sr64\(random file name)
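As an added illustration (not part of the original advisory or McAfee's write-up), the following Python script flags persistence entries matching the indicators above in a dump of the HKCU Run key. The `reg query`-style output, the benign Run entries and the user name "alice" are constructed for the example; the value names (msgina, sr64) and drop directories come from the advisory, while the two generic checks (an autorun target inside a user profile's Application Data folder, and a binary name that mimics a Windows system binary such as wuauclt.exe) go beyond the advisory's specific case.

```python
"""Flag Proxy-Agent.e style persistence entries in a dump of the
HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run key.

Added example, not the advisory's own tooling. The sample text below is
constructed to mimic `reg query` output; only the value names and drop
directories are taken from the advisory.
"""
import re
from typing import Dict, List

# Constructed sample of what `reg query HKCU\...\Run` prints (layout varies
# by Windows version). The user name "alice" and the random file name are
# made up; the "msgina" and "sr64" entries mirror the advisory.
SAMPLE_REG_QUERY = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    ctfmon.exe    REG_SZ    C:\WINDOWS\system32\ctfmon.exe
    MSMSGS    REG_SZ    "C:\Program Files\Messenger\msmsgs.exe" /background
    msgina    REG_SZ    C:\WINDOWS\system32\msgina\wuauclt2.exe
    sr64    REG_SZ    C:\Documents and Settings\alice\Application Data\Microsoft\sr64\xkq8a.exe
"""

# Indicators from the advisory: the Run value names it lists ...
KNOWN_VALUE_NAMES = {"msgina", "sr64"}
# ... and the directories the Trojan drops into (matched case-insensitively).
KNOWN_DIR_FRAGMENTS = (
    "\\system32\\msgina\\",
    "\\application data\\microsoft\\sr64\\",
)
# Legitimate system binaries whose names malware commonly imitates by
# appending digits (wuauclt.exe is the Windows Update client; the Trojan
# used wuauclt2.exe). This list is an assumption of the example.
LEGIT_SYSTEM_BINARIES = {"wuauclt.exe", "svchost.exe", "winlogon.exe", "explorer.exe"}

# One value line: leading whitespace, value name, REG type, data.
LINE_RE = re.compile(r"^\s+(?P<name>.+?)\s+(?P<type>REG_SZ|REG_EXPAND_SZ)\s+(?P<value>.+?)\s*$")


def parse_reg_query(text: str) -> List[Dict[str, str]]:
    """Return the (name, value) pairs found in reg query style output."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            entries.append({"name": m.group("name"), "value": m.group("value")})
    return entries


def extract_image_path(value: str) -> str:
    """Pull the executable path out of a Run value's command line.

    Quoted paths end at the closing quote; unquoted ones are cut after the
    first ".exe" so that arguments are dropped but paths containing spaces
    (e.g. "Documents and Settings") survive.
    """
    v = value.strip()
    if v.startswith('"'):
        end = v.find('"', 1)
        return v[1:end] if end > 0 else v[1:]
    m = re.search(r"\.exe\b", v, re.IGNORECASE)
    return v[: m.end()] if m else v


def assess_entry(name: str, value: str) -> List[str]:
    """Return the list of reasons an entry looks like Proxy-Agent.e persistence."""
    reasons = []
    path = extract_image_path(value)
    low = path.lower()
    base = low.rsplit("\\", 1)[-1]
    if name.lower() in KNOWN_VALUE_NAMES:
        reasons.append("known Proxy-Agent.e value name")
    if any(frag in low for frag in KNOWN_DIR_FRAGMENTS):
        reasons.append("known Proxy-Agent.e drop directory")
    # Generic check: autoruns living in a user-writable profile directory.
    if "\\application data\\" in low:
        reasons.append("autorun target inside user profile Application Data")
    # Generic check: "wuauclt2.exe" style imitation of a system binary.
    stripped = re.sub(r"\d+(?=\.exe$)", "", base)
    if stripped in LEGIT_SYSTEM_BINARIES and base not in LEGIT_SYSTEM_BINARIES:
        reasons.append(f"name mimics system binary {stripped}")
    return reasons


def scan_run_keys(text: str) -> List[Dict[str, object]]:
    """Parse a Run key dump and return only the suspicious entries."""
    findings = []
    for entry in parse_reg_query(text):
        reasons = assess_entry(entry["name"], entry["value"])
        if reasons:
            findings.append({
                "name": entry["name"],
                "path": extract_image_path(entry["value"]),
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for f in scan_run_keys(SAMPLE_REG_QUERY):
        print(f"{f['name']}: {f['path']}")
        for r in f["reasons"]:
            print(f"    - {r}")
```

On a live system the same logic can be fed the actual output of `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run`; the advisory's second variant uses a random file name, so the directory and value-name checks, not the file name, are what catch it.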

When running on Windows XP Service Pack 2, the Trojan attempts to "Unblock" itself from the Windows Firewall by quickly sending a Windows message to the firewall.

The Trojan opens random ports and listens on them. It sends a notification message via HTTP to a list of web sites carried within the Trojan. It runs as an HTTP proxy. It can also download and execute files on the local machine.

The Trojan DLL installs a message hook so that it is loaded into every running process. It attempts to hide the Trojan executable from being viewed.

The Trojan terminates a list of anti-virus programs.

More information can be found on McAfee's page.
