I found a file with a server in my C:\server.exe
I tried to delete it every time, but it keeps coming back.
I uploaded it, guys.
link remove by b_b
Any suggestions for removal lol?
My sister inserted her USB yesterday, I think with trojans and worms.
But she doesn't know anything about that stuff, so I think her USB got infected somewhere else... (internet cafe)
freaking rats
Help with annoying server dropping.
- Losing_grip
- Fame ! Where are the chicks?!
- Posts: 485
- Joined: 22 Apr 2007, 16:00
- 17
- Location: Behind Socks5
The Agent Trojan, a.k.a. TROJ_BMPAGENT specifically impacts users of the Russian language version of Windows running either Internet Explorer version 5 or 5.5.
The exploit involves a specially crafted BMP file that can allow code to run with the privileges of the impacted user. In the case of TROJ_BMPAGENT a.k.a. the Agent trojan, the user receives an email carrying the specially crafted BMP image file. When received on systems with IE 5 or IE 5.5 installed, viewing the BMP drops the file sys.exe to the root of drive C:\ and executes it. Sys.exe then downloads and executes the Throd trojan from a domain in Libya. The Throd trojan installs itself to the system using a filename derived from one each of the following groups:
ms 16 mes
svc 32 prn
win 64 reg
For example, the filename might be ms64prn.exe.
Throd modifies the system registry to launch whenever Windows is started:
HKey_Current_User\Software\Microsoft\Windows\CurrentVersion\Run
using one of the following names and pointing to the file described above:
MS Driver Management
Synchronization Messager
System Directory Service
System Service Control
Windows Messaging System
Throd sends certain identifying info to the trojan author and also sends collected email addresses to the same remote locations. Throd is also capable of downloading and executing other presumably malicious files and it works as a proxy server as well.
Troj_BMPagent is not the first malicious exploit involving image files. In June 2002, the Perrun virus was discovered exploiting JPG image files. However, that virus required a helper application (an EXE file) in order to infect the JPG files and thus the actual threat was not from the JPG files but rather from the EXE used to exploit them. Though at the time, the Perrun virus received much publicity, it was neither noteworthy nor novel. Conversely, Troj_BMPAgent (a.k.a. Agent Trojan) is noteworthy because the executable content is coming directly from the BMP file, i.e. the threat is self-contained in the BMP file and does not require a helper application in order to execute its malware. Unless, of course, one wishes to consider IE 5 or 5.5 as an unwitting 'helper' application.
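The persistence indicators listed in the post above (the three filename groups and the five Run value names) can be turned into a check over the output of `reg query` on that Run key. This is an added example, not part of the original thread; the function names are hypothetical and the sample registry entries and their paths are constructed for illustration.

```python
import itertools
import ntpath
import re

# Name parts and Run value names exactly as listed in the post above.
PARTS = (("ms", "svc", "win"), ("16", "32", "64"), ("mes", "prn", "reg"))
VALUE_NAMES = {n.lower() for n in (
    "MS Driver Management", "Synchronization Messager",
    "System Directory Service", "System Service Control",
    "Windows Messaging System")}
CANDIDATES = {"".join(p) + ".exe" for p in itertools.product(*PARTS)}  # 27 names

# One value line of `reg query` output: indent, name, type, data (4-space gaps).
VALUE_LINE = re.compile(r"^\s+(.+?)\s{4}(REG_\w+)\s{4}(.*)$")

# Constructed sample; paths and the benign entries are made up for illustration.
SAMPLE = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    ctfmon.exe    REG_SZ    C:\WINDOWS\system32\ctfmon.exe
    System Service Control    REG_SZ    C:\WINDOWS\system32\ms64prn.exe
    Updater    REG_SZ    "C:\Program Files\Tool\win32reg.exe" /background
    MS Driver Management    REG_SZ    C:\WINDOWS\helper.exe
"""

def image_name(data):
    """Return the lower-cased executable file name from a Run value's data."""
    data = data.strip()
    if data.startswith('"'):                      # quoted path, maybe with arguments
        path = data[1:].split('"', 1)[0]
    else:                                         # unquoted: cut at the first ".exe"
        m = re.match(r"(.+?\.exe)\b", data, re.I)
        path = m.group(1) if m else data
    return ntpath.basename(path).lower()

def scan(reg_query_text):
    """Return (value name, data, reasons) for entries matching either indicator."""
    findings = []
    for line in reg_query_text.splitlines():
        m = VALUE_LINE.match(line)
        if not m:
            continue
        name, _type, data = m.groups()
        reasons = []
        if name.strip().lower() in VALUE_NAMES:
            reasons.append("value name")
        if image_name(data) in CANDIDATES:
            reasons.append("file name")
        if reasons:
            findings.append((name, data, reasons))
    return findings

if __name__ == "__main__":
    for name, data, reasons in scan(SAMPLE):
        print(f"{name!r} -> {data} ({' + '.join(reasons)})")
```

An entry that matches on only one indicator, such as a listed value name pointing at an unlisted file, is still worth a manual look, since the value names imitate legitimate-sounding Windows components.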
- bad_brain
- Site Owner
- Posts: 11636
- Joined: 06 Apr 2005, 16:00
- 19
- Location: In your eye floaters.
- Contact:
yeup, Backdoor.Win32.Agent.ahz, I removed the link to avoid somebody accidentally infecting his system too.
but every good AV program should be able to delete it, if a free one doesn't do the job get Kaspersky, the 30 trial is fully functional...
and best avoid any internet activity until the box is clean again...