win32 trojan agent

Hi malware fighters,

Found on Windows XP SP2 with Ad-aware: a Win32 trojan agent, three registry keys:
HKEY_CLASSES_ROOT: clsid (48e59293-9880-11cf-9754-00aa00c00908)
HKEY_CLASSES_ROOT: interface (48e59293-9880-11cf-9754-00aa00c00908)
HKEY_CLASSES_ROOT: typelib (48e59293-9880-11cf-9754-00aa00c00908)

Is this real or a FP? The only recent install I made was the Alkali Telescope metasearch program.
Anyone have more info?

polonus

A Google search for your first CLSID (48e59…0908) returns many hits; this is just one: http://www.sophos.com/virusinfo/analyses/trojangelfred.html. These are reported as Troj/Angelfre by Sophos.

This section contains the description and advanced technical information

Troj/Angelfre-D is an IRC backdoor Trojan which allows unauthorized access and control over the computer via IRC channels.

Upon execution Troj/Angelfre-D drops the following files to the \COMP folder:

MSINET.OCX - OCX file which transfers control to the DLL
VB6STKIT.DLL - Visual Basic6 DLL

Troj/Angelfre-D then creates the following entries:

HKCR\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\InprocServer32

HKCR\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\ToolboxBitmap32

HKCR\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\1.0\0\win32
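The detections in this thread are registry keys only, and the Sophos write-up above says the trojan registers a dropped OCX under that CLSID. Whether such a key is malicious depends on the file its InprocServer32 value points at, not on the GUID, so the practical triage step is to resolve the key to the file and inspect it before deleting anything. The script below is an added example written for this thread, not code from either poster or from Sophos or Ad-aware; it assumes Windows PowerShell is installed (PowerShell 2.0 runs on XP SP3 and later) and defaults to the CLSID quoted above. The "Verdict" heuristic is the author's own rule of thumb, not a vendor rule.

```powershell
# Added example (not from the forum thread): resolve a flagged CLSID to the COM
# server it actually loads, so a registry-only detection can be judged as real
# or a false positive before anything is deleted.
# Assumes Windows PowerShell is available (2.0 runs on XP SP3 and later).
param(
    [string]$Clsid = '{48E59293-9880-11CF-9754-00AA00C00908}'
)

# HKCR is not a default PowerShell drive; map it once.
if (-not (Get-PSDrive -Name HKCR -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKCR -PSProvider Registry -Root HKEY_CLASSES_ROOT | Out-Null
}

$clsidKey = "HKCR:\CLSID\$Clsid"
if (-not (Test-Path $clsidKey)) {
    Write-Output "CLSID $Clsid is not registered (already cleaned, or the scanner matched something else)."
    return
}

# The (default) value of InprocServer32 is the DLL/OCX that any CreateObject on this
# CLSID will load. That file, not the key, decides whether this is malware.
$server = (Get-ItemProperty "$clsidKey\InprocServer32" -ErrorAction SilentlyContinue).'(default)'
$descr  = (Get-ItemProperty $clsidKey -ErrorAction SilentlyContinue).'(default)'
Write-Output "CLSID        : $Clsid"
Write-Output "Description  : $descr"
Write-Output "InprocServer : $server"

if ($server) {
    $path = [Environment]::ExpandEnvironmentVariables($server.Trim('"'))
    if (Test-Path $path) {
        $file = Get-Item $path
        $sig  = Get-AuthenticodeSignature $path
        Write-Output ("File size    : {0} bytes, modified {1}" -f $file.Length, $file.LastWriteTime)
        Write-Output ("Signature    : {0} ({1})" -f $sig.Status, $sig.SignerCertificate.Subject)
        # Triage heuristic (author's assumption, not a vendor rule): a validly signed file
        # under %SystemRoot% is the usual legitimate registration; an unsigned copy in an
        # odd folder (the Sophos write-up names \COMP) deserves a closer look and a
        # sample submission to the AV vendor.
        if ($sig.Status -eq 'Valid' -and $path -like "$env:SystemRoot\*") {
            Write-Output "Verdict      : looks like a legitimate registration (likely scanner FP)"
        } else {
            Write-Output "Verdict      : examine this file further before trusting it"
        }
    } else {
        # Orphaned registration: the file is gone but the key remains. Harmless by itself;
        # removing it is cosmetic, which is why an FP key can simply be left in place.
        Write-Output "File         : MISSING on disk (orphaned key)"
    }
}

# Ad-aware flagged Interface and TypeLib entries under the same GUID; list whatever
# exists there so all three detections can be reviewed together.
foreach ($hive in 'Interface', 'TypeLib') {
    $k = "HKCR:\$hive\$Clsid"
    if (Test-Path $k) {
        Write-Output "$hive key    : present"
        Get-ChildItem $k -Recurse | ForEach-Object { Write-Output ("  " + $_.Name) }
    } else {
        Write-Output "$hive key    : absent"
    }
}
```

Run it as `.\Check-Clsid.ps1` or pass another GUID with `-Clsid '{...}'`. If the key resolves to a signed system component, deleting the key would break whatever legitimate program registered it, which is exactly the risk with registry-only detections that the later posts in this thread raise.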

Hi DavidR,

I do not use IRC, so when I googled for the registry key and Ad-aware it was denoted as a false positive. To adjust the registry I would have to go to safe mode, I guess, but at the moment I'll leave it, because the other symptoms of downloaders were not found.

I base my standpoint on the info here: http://www.dslreports.com/forum/remark,16887509

polonus

OK, I just downloaded the latest AdAware update and got the same three as you plus another three, and I believe they are all false positive detections as, like you, I have none of the associated signs or symptoms. I don't use IRC either.

I too have chosen not to do anything (not even ignore), but I suspect on your next AdAware scan they will not be detected. It might be worth a look at the AdAware forums.

I only run AdAware after an update, so there is no delay that might cause doubt that I had caught something.

Hi DavidR,

Just as you foretold, this time the Ad-Aware scan was clean. So, a FP. Annoying thing, this not being the first time they have had one.

polonus

Yes, I take every detection with a degree of caution; when you consider the precautions you (and I) take, infection is unlikely, however it could happen. I don't mind when they indicate files, as these can easily be checked (and quarantined with little risk of harm), but when they detect registry entries, deletion or quarantine can have serious effects if false.

Of late the only detections I have had from Spybot S&D and AdAware have been FPs, which basically confirms that my proactive precautions go a long way to protecting you. I'm in the process of downloading the AdAware updates now.