Virus name: Trojan.Win32.Agent.cw
Virus Type: Trojan
File MD5: 7127fc4576a589f8cb20ab80d2c6a016
File length: 93,701 bytes
Infected system: Windows 98 or later
Packer type: PECompact 2.x
Virus description:
This sample is a Trojan. When it runs, it drops a copy of itself into the system directory, registers that copy as a service set to start automatically, and downloads further files from the network. It is distributed through malicious websites and by other viruses/Trojans. The Trojan can steal sensitive user information.
Behavior Analysis:
1. After the file is run, the following file is generated:
%System32%\mdn.exe 61,952 bytes
2. Creates a service and sets it to start automatically:
Service name: Accelerator Tools
Display name: Messenger Accelerator
Description: NULL
File Path: C:\WINDOWS\system32\mdn.exe
Start mode: automatic
3. Modifies the registry: the default path under Internet Settings is changed from the current user's folder to the LocalService folder.
4. Downloads further virus files from the network once connected.
5. Spreads through malicious websites and other viruses/Trojans. The virus can steal sensitive user information.
Note:
%Windir% - Windows directory
%DriveLetter% - logical drive root directory
%ProgramFiles% - default system program installation directory
%HomeDrive% - partition of the currently booted system
%Documents and Settings% - root directory of the current user's documents
%Temp% - current user's TEMP environment variable; path:
%Documents and Settings%\<current user>\Local Settings\Temp
%System32% is a variable path;
the virus queries the operating system to determine the location of the current System32 folder:
in Windows 2000/NT, the default installation path is C:\Winnt\System32;
in Windows 95/98/Me, the default installation path is C:\Windows\System;
in Windows XP, the default installation path is C:\Windows\System32.
Clear Solution:
1. Use the CERT Trojan Defense Line to remove the virus completely (recommended). It can be downloaded from the CERT website, www.antiy.com.
2. Remove the files manually according to the behavior analysis above and restore the affected system settings (the ATool utility is recommended for this):
(1) Use the CERT Trojan Defense Line or the "Process Management" function in ATool to terminate the virus process.
(2) Forcibly delete the virus file:
%System32%\mdn.exe 61,952 bytes
(3) Disable the service "Accelerator Tools".
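The following PowerShell triage script is an added example, not part of the original report or of the CERT/ATool tools; it checks a host for the file and service indicators listed in the behavior analysis and, when run with -Remediate from an elevated prompt, applies manual steps (1) to (3). It assumes the running process is named mdn (taken from the dropped file name) and leaves the Internet Settings registry change for manual review, since the report does not give the exact key.

```powershell
# Added triage script for the indicators in this report (not the report's own code).
# Read-only by default; -Remediate terminates the process, disables the service and deletes the file.
[CmdletBinding()]
param([switch]$Remediate)

$droppedFile  = Join-Path $env:SystemRoot 'system32\mdn.exe'   # %System32%\mdn.exe from the report
$processName  = 'mdn'                                           # assumption: process name = file name
$serviceName  = 'Accelerator Tools'                             # service name from the report
$displayName  = 'Messenger Accelerator'                         # display name from the report
$expectedSize = 61952                                           # dropped file size from the report

$findings = @()

# 1. Dropped file: existence, size and hash. The report gives no hash for the dropped copy,
#    so the MD5 is recorded for the analyst rather than compared against a known value.
if (Test-Path -LiteralPath $droppedFile) {
    $f   = Get-Item -LiteralPath $droppedFile
    $md5 = (Get-FileHash -LiteralPath $droppedFile -Algorithm MD5).Hash
    $sizeNote = if ($f.Length -eq $expectedSize) { 'size matches report' } else { 'size differs from report' }
    $findings += "File present: $droppedFile size=$($f.Length) md5=$md5 ($sizeNote)"
}

# 2. Service: match on service name or display name and record state, start mode and binary path.
$svc = Get-CimInstance Win32_Service |
       Where-Object { $_.Name -eq $serviceName -or $_.DisplayName -eq $displayName }
foreach ($s in $svc) {
    $findings += "Service present: Name='$($s.Name)' DisplayName='$($s.DisplayName)' " +
                 "State=$($s.State) StartMode=$($s.StartMode) Path=$($s.PathName)"
}

if (-not $findings) { Write-Output 'No indicators from this report were found.'; return }
$findings | ForEach-Object { Write-Output $_ }

if ($Remediate) {
    # Same order as the report's manual steps: process, then file, then service.
    Stop-Process -Name $processName -Force -ErrorAction SilentlyContinue
    if (Test-Path -LiteralPath $droppedFile) { Remove-Item -LiteralPath $droppedFile -Force }
    foreach ($s in $svc) {
        Stop-Service -Name $s.Name -Force -ErrorAction SilentlyContinue
        Set-Service  -Name $s.Name -StartupType Disabled
    }
    Write-Output 'Remediation applied. Review the Internet Settings registry path manually (behavior step 3).'
}
```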