McAfee > Theat Center > Virus Detail Page

Overview

--

This detection is for a trojan dropper, which when executed drops Proxy-Agent.af.gen and Proxy-Agent.af.

The characteristics of this trojan with regards to file names, files dropped etc.can differ from one version to another, depending on the way in which the attacker had configured it. Hence, this is a general description.

Aliases

• Backdoor.Edunet.a [BitDefender]

• Trojan.Win32/Danmec.gen!A [Microsoft]

Characteristics

-- Update July 18, 2008 --
The risk assessment of this threat has been updated to Low-Profiled due to media attention at:
http://www.sfgate.com/cgi-bin/blogs/sfgate/detail?blogid=19&entry_id=28215

--

When executed, this dropper could drop other malware which are detected as Proxy-Agent.af or Proxy-Agent.af.gen

The files dropped could typically include all or any the following:

• %Temp%\_check32.bat
• %Windir%\s32.txt
• %Windir%\gs32.txt
• %Windir%\db32.txt
• %Windir%\ws386.ini
• %System%\aspimgr.exe

Note:

• %Temp% is a variable that refers to the windows temp folder. By default, this is "C:\Windows\Temp"
• %System% is a variable that refers to the windows system folder. By default, this is "C:\Windows\System32"
• %Windir%  is a variable that refers to the windows folder. By default, this is "C:\Windows"

The dropped files could be configuration files, batch files and trojan files.

The trojan dropper by itself doesn’t create any registry entries for auto startup. Once the malicious files are dropped, the trojan dropper deletes itself using a batch file.

Symptoms

The dropper file by itself doesn't have any visible symptom. The user needs to look out for samples which are dropped by the dropper.

Method of Infection

This dropper does not self-replicate. It could spread manually, under the premise that the executable is something beneficial. It may also be received as a result of poor security practices, or un-patched machines and vulnerable systems.

Distribution channels include IRC, peer-to-peer networks, email, newsgroups postings, etc.

Removal

A combination of the latest DATs and the Engine will be able to detect and remove this threat. AVERT recommends users not to trust seemingly familiar or safe file icons, particularly when received via P2P clients, IRC, email or other media where users can share files.

Additional Windows ME/XP removal considerations

Variants

Variants

N/A

All Information

Overview -

-- Update July 18, 2008 --
The risk assessment of this threat has been updated to Low-Profiled due to media attention at:
http://www.sfgate.com/cgi-bin/blogs/sfgate/detail?blogid=19&entry_id=28215

--

This detection is for a trojan dropper, which when executed drops Proxy-Agent.af.gen and Proxy-Agent.af.

The characteristics of this trojan with regards to file names, files dropped etc.can differ from one version to another, depending on the way in which the attacker had configured it. Hence, this is a general description.

Aliases

• Backdoor.Edunet.a [BitDefender]

• Trojan.Win32/Danmec.gen!A [Microsoft]

Characteristics

Characteristics -

-- Update July 18, 2008 --
The risk assessment of this threat has been updated to Low-Profiled due to media attention at:
http://www.sfgate.com/cgi-bin/blogs/sfgate/detail?blogid=19&entry_id=28215

--

When executed, this dropper could drop other malware which are detected as Proxy-Agent.af or Proxy-Agent.af.gen

The files dropped could typically include all or any the following:

• %Temp%\_check32.bat
• %Windir%\s32.txt
• %Windir%\gs32.txt
• %Windir%\db32.txt
• %Windir%\ws386.ini
• %System%\aspimgr.exe

Note:

• %Temp% is a variable that refers to the windows temp folder. By default, this is "C:\Windows\Temp"
• %System% is a variable that refers to the windows system folder. By default, this is "C:\Windows\System32"
• %Windir%  is a variable that refers to the windows folder. By default, this is "C:\Windows"

The dropped files could be configuration files, batch files and trojan files.

The trojan dropper by itself doesn’t create any registry entries for auto startup. Once the malicious files are dropped, the trojan dropper deletes itself using a batch file.

Symptoms

Symptoms -

The dropper file by itself doesn't have any visible symptom. The user needs to look out for samples which are dropped by the dropper.

Method of Infection

Method of Infection -

This dropper does not self-replicate. It could spread manually, under the premise that the executable is something beneficial. It may also be received as a result of poor security practices, or un-patched machines and vulnerable systems.

Distribution channels include IRC, peer-to-peer networks, email, newsgroups postings, etc.

Removal -

Removal -

A combination of the latest DATs and the Engine will be able to detect and remove this threat. AVERT recommends users not to trust seemingly familiar or safe file icons, particularly when received via P2P clients, IRC, email or other media where users can share files.

Additional Windows ME/XP removal considerations

Variants

Variants -

N/A