
Trojan.Win32.Agent2.lmu

Detected Jul 26 2010 05:39 GMT
Released Jul 26 2010 12:48 GMT
Published Sep 19 2011 15:21 GMT

This description was created by experts at Kaspersky Lab. It contains the most accurate information available about this program.


Technical Details

The trojan is a spyware component. It is a Windows dynamic-link library (PE DLL file), 5120 bytes in size and packed with UPX. The unpacked size is around 10 kB. It is written in C++.


Payload

When loaded into the address space of any process, the malicious library installs a hook to track messages in the system queue. It also intercepts the following functions of the "ws2_32.dll" library:

WSASend
send
recv
WSARecv
This allows the trojan to track incoming and outgoing traffic for the infected process, recording the collected data to the following files:
%Temp%\mpz.tmp
%Temp%\mpz.s
%Temp%\r43q34.tmp
c:\email_sent.txt
c:\ftp.txt
c:\email.txt


Removal instructions

If your computer was not protected by anti-virus software and has been infected with this malware, take the following actions to delete it:

  1. Using Task Manager, end the process containing the malicious library in its address space.
  2. Delete the original trojan file (its location on the infected computer will depend on how it got onto the computer).
  3. Delete the following files:
    %Temp%\mpz.tmp
    %Temp%\mpz.s
    %Temp%\r43q34.tmp
    c:\email_sent.txt
    c:\ftp.txt
    c:\email.txt
    
  4. Run a full Kaspersky Antivirus scan with updated antivirus databases.


MD5: D807AA04480D1D149F7A4CAC22984188
SHA1: FFD5BE65FD10017E34C11CECD105EBF4AA6C0CD9
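
The indicators above can be checked on a live system or on a disk image mounted for offline triage. The following is an added example, not Kaspersky Lab's code: it looks for the log files listed in this description and for a file matching the published size, MD5 and SHA1. The function names and the `drive_root`, `temp_dirs` and `search_root` parameters are assumptions of this example.

```python
import hashlib
import os

TEMP_ARTIFACTS = ("mpz.tmp", "mpz.s", "r43q34.tmp")          # from this page, in %Temp%
ROOT_ARTIFACTS = ("email_sent.txt", "ftp.txt", "email.txt")  # from this page, root of C:
SAMPLE_SIZE = 5120  # bytes, UPX-packed DLL
SAMPLE_MD5 = "d807aa04480d1d149f7a4cac22984188"
SAMPLE_SHA1 = "ffd5be65fd10017e34c11cecd105ebf4aa6c0cd9"


def _present(directory, names):
    """Case-insensitive lookup, so it also works on an image mounted on Linux."""
    try:
        listing = {entry.lower(): entry for entry in os.listdir(directory)}
    except OSError:  # directory missing or unreadable
        return []
    paths = [os.path.join(directory, listing[n]) for n in names if n in listing]
    return [p for p in paths if os.path.isfile(p)]


def find_artifacts(drive_root, temp_dirs):
    """Log files from the description found in drive_root and each %Temp% dir."""
    hits = _present(drive_root, ROOT_ARTIFACTS)
    for temp in temp_dirs:  # one %Temp% per user profile (assumption: caller lists them)
        hits += _present(temp, TEMP_ARTIFACTS)
    return hits


def file_digests(path):
    """Return (md5, sha1) hex digests, reading the file in chunks."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            md5.update(chunk)
            sha1.update(chunk)
    return md5.hexdigest(), sha1.hexdigest()


def find_sample(search_root, size=SAMPLE_SIZE, md5=SAMPLE_MD5, sha1=SAMPLE_SHA1):
    """Files under search_root matching the published size, MD5 and SHA1."""
    hits = []
    for folder, _dirs, names in os.walk(search_root):
        for name in names:
            path = os.path.join(folder, name)
            try:  # size is a cheap pre-filter before hashing
                if os.path.getsize(path) == size and file_digests(path) == (md5, sha1):
                    hits.append(path)
            except OSError:  # locked or unreadable file: skip it
                continue
    return hits
```

A hash match identifies only this exact file, and generic names such as `ftp.txt` can exist for unrelated reasons, so a hit on the log files alone is a lead to confirm rather than proof of infection.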


Trojan

This type of behaviour covers malicious programs that delete, block, modify, or copy data, disrupt computer or network performance, but which cannot be classified under any of the behaviours identified above.

This classification also covers “multipurpose” Trojan programs, i.e. those that are capable of conducting several actions at once and which demonstrate several Trojan behaviours in a single program. This means they cannot be indisputably classified as having any single behaviour.


Aliases

Trojan.Win32.Agent2.lmu (Kaspersky Lab) is also known as:

  • Trojan: Generic BackDoor!crv (McAfee)
  • Mal/Generic-L (Sophos)
  • W32/BackdoorX.EAIC (FPROT)
  • Backdoor:Win32/Koceg.B (MS(OneCare))
  • Trojan.PWS.Pace (DrWeb)
  • Win32/PSW.Agent.NHG trojan (Nod32)
  • Trojan.Socks.B (BitDef7)
  • Trojan.Agent2!EHROmMJ9TqM (VirusBuster)
  • Win32:Small-KCM [Trj] (AVAST)
  • Trojan.Win32.Agent2 (Ikarus)
  • Downloader.Zlob.12.S (AVG)
  • TR/Spy.Gen (AVIRA)
  • Downloader (NAV)
  • W32/DLoader.AKGPO (Norman)
  • Trojan.Win32.Agent2.lmu [AVP] (FSecure)
  • Trojan.Win32.Generic!BT (Sunbelt)
  • Trojan.Agent2!EHROmMJ9TqM (VirusBusterBeta)