3/18: Agent.E Trojan Acts as HTTP Proxy

March 18, 2005

Proxy-Agent.e is a Trojan intended to serve as an HTTP proxy on the victim machine. When run, the Trojan copies itself to the local machine. The following file names have been used:

c:\windows\system32\msgina\wuauclt2.exe (20,391) (or)
c:\Documents and Settings\(current user)\Application Data\Microsoft\sr64\(random file name) (17,737)

A DLL file is created:

c:\WINDOWS\system32\msgina32.dll (7.168) (or)
c:\Documents and Settings\(current user)\Application Data\Microsoft\sr64\sr32.dll (6,656)

The following registry key is created:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
"msgina" = C:\WINDOWS\system32\msgina\wuauclt2.exe (or)
"sr64" = C:\Documents and Settings\(current user)\Application Data\Microsoft\sr64\(random file name)

When running on XP Service Pack 2, the Trojan attempts to "Unblock" itself in the Microsoft Firewall by quickly sending a Windows message to the firewall.

The Trojan opens random ports and listens on them. It sends a notification message via HTTP to a list of web sites carried within the Trojan. It runs as an HTTP proxy. It can also download and execute files on the local machine.

The Trojan DLL installs a message hook so that it is loaded with every running process. It attempts to hide the Trojan EXE from view.

The Trojan terminates a list of anti-virus programs.

More information can be found at the McAfee page.
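
A defender-side check for the file and Run-key indicators listed above, as an added example that is not part of the original advisory: it matches a file listing and the values of the per-user Run key against the advisory's paths. The sample data, the user name `alice` and the file name `qxvt.exe` are constructed for illustration.

```python
import re

# Indicators from the advisory; Windows paths and value names are case-insensitive.
# "(current user)" and "(random file name)" become single-path-component wildcards.
USER_DIR = r"c:\\documents and settings\\[^\\]+\\application data\\microsoft\\sr64\\"
EXE_FIXED = re.compile(r"c:\\windows\\system32\\msgina\\wuauclt2\.exe", re.I)
EXE_RANDOM = re.compile(USER_DIR + r"[^\\]+", re.I)
FILE_PATTERNS = [
    EXE_FIXED,
    EXE_RANDOM,  # also covers sr32.dll in the same directory
    re.compile(r"c:\\windows\\system32\\msgina32\.dll", re.I),
]
RUN_PATTERNS = {"msgina": EXE_FIXED, "sr64": EXE_RANDOM}

def normalize(path):
    """Drop the whitespace and quotes that Run values and listings often carry."""
    return path.strip().strip('"').strip()

def match_files(paths):
    """Return the listed paths that match a file indicator, in input order."""
    return [p for p in paths
            if any(rx.fullmatch(normalize(p)) for rx in FILE_PATTERNS)]

def match_run_values(run_values):
    """Return names of Run values whose name and data both match the advisory."""
    hits = []
    for name, data in run_values.items():
        rx = RUN_PATTERNS.get(name.lower())
        if rx is not None and rx.fullmatch(normalize(data)):
            hits.append(name)
    return sorted(hits)

# Constructed sample: a file listing and the HKCU Run values of one host.
# wuauclt.exe and msgina.dll directly under system32 are legitimate Windows
# files and must not be flagged.
SAMPLE_FILES = [
    r"C:\WINDOWS\system32\wuauclt.exe",
    r"C:\WINDOWS\system32\msgina.dll",
    r"C:\WINDOWS\System32\MSGINA\wuauclt2.exe",
    r"C:\Documents and Settings\alice\Application Data\Microsoft\sr64\sr32.dll",
    r"C:\Documents and Settings\alice\Application Data\Microsoft\sr64\qxvt.exe",
]
SAMPLE_RUN = {
    "ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe",
    "MSGINA": r'"C:\WINDOWS\system32\msgina\wuauclt2.exe"',
    "sr64": r"C:\Documents and Settings\alice\Application Data\Microsoft\sr64\qxvt.exe",
}

if __name__ == "__main__":
    print("files:", match_files(SAMPLE_FILES))
    print("run values:", match_run_values(SAMPLE_RUN))
```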
