3/18: Agent.E Trojan Acts as HTTP Proxy

Proxy-Agent.e is a Trojan intended to serve as an HTTP proxy on the victim machine. When run, the Trojan copies itself to the local machine. The following file names have been used:
c:\windows\system32\msgina\wuauclt2.exe (20,391) (or)
A dll file is created:
c:\WINDOWS\system32\msgina32.dll (7.168) (or)
The following registry key is created:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
"msgina" = C:\WINDOWS\system32\msgina\wuauclt2.exe (or)
"sr64" = C:\Documents and Settings\(current user)\Application Data\Microsoft\sr64\(random file name)
When running on XP Service Pack 2, the Trojan attempts to "Unblock" itself from the Microsoft Firewall by quickly sending a Windows message to the firewall.
The Trojan opens random ports and listens on them. It sends a notification message via HTTP to a list of web sites carried with the Trojan. It runs as an HTTP proxy. It can also download and execute files on the local machine.
The Trojan dll installs a message hook so that it is loaded with every running process. It attempts to hide the Trojan exe from being viewed.
The Trojan terminates a list of anti-virus programs.
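The Run-key values and file paths listed above can be checked for on a host. The following is an added example, not part of the original advisory or of any vendor tool: it scans the text output of `reg query` on the HKEY_CURRENT_USER Run key for the value names and target paths given above. The function name, the assumed `reg query` line layout (name, type, data separated by whitespace) and the sample input are constructed for illustration.

```python
import re

# Indicators taken from the advisory text. Matching is case-insensitive
# because Windows registry value names and file paths are.
NAME_INDICATORS = {"msgina", "sr64"}
PATH_INDICATORS = [
    re.compile(r"\\system32\\msgina\\wuauclt2\.exe$", re.I),
    re.compile(r"\\Application Data\\Microsoft\\sr64\\[^\\]+$", re.I),
]
# Assumed layout of one value line: <indent><name> <REG_TYPE> <data>
LINE = re.compile(r"^\s+(?P<name>.+?)\s+(?P<type>REG_[A-Z_]+)\s+(?P<data>.*)$")

def find_agent_e_run_entries(reg_query_output):
    """Return (name, data, reasons) for Run values matching the advisory."""
    hits = []
    for line in reg_query_output.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # key header or blank line
        name = m.group("name")
        data = m.group("data").strip().strip('"')
        reasons = []
        if name.lower() in NAME_INDICATORS:
            reasons.append("value name")
        # A path match still fires if the value name has been changed.
        if any(p.search(data) for p in PATH_INDICATORS):
            reasons.append("target path")
        if reasons:
            hits.append((name, data, reasons))
    return hits

# Constructed sample input (not captured from a real host).
SAMPLE = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    ctfmon.exe    REG_SZ    C:\WINDOWS\system32\ctfmon.exe
    msgina    REG_SZ    C:\WINDOWS\system32\msgina\wuauclt2.exe
    Updater    REG_SZ    C:\Documents and Settings\alice\Application Data\Microsoft\sr64\qzkf.exe
"""

if __name__ == "__main__":
    for name, data, reasons in find_agent_e_run_entries(SAMPLE):
        print(f"{name!r} -> {data} (matched on {', '.join(reasons)})")
```

A match on value name alone is a lead to investigate rather than proof of infection; a match on both name and path corresponds to the entries described above.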
More information can be found on the McAfee page.