Win32 Agent: A Spy Trojan Horse

What is a Win32 Agent?

A Win32 Agent is a Trojan horse that copies itself to several locations on the hard drive of a computer system. It writes executable files to the Windows system32 directory and to the temporary directory, creates new entries in the system registry, and modifies existing ones, allowing it to run at every startup.

The Trojan then begins to enumerate the list of open windows and running processes on the computer system and uses the memory of those processes to run its own code. In this manner, it remains hidden from the user.

How it Works

Since Trojans attempt to execute themselves in the background, they don't require user intervention. As a result, they remain hidden from the user unless detected by an antivirus, a Trojan remover or a malware remover. Win32 Agent works by copying several files into the windows\system32 directory and into the temp directory. It then creates a new key in the system registry, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows nt\currentversion\winlogon\notify\dddcaabddebacd\, and adds a number of new values under it, such as logoff, logon, startup, shutdown and many others.

It also modifies the existing HKEY_LOCAL_MACHINE\Software\Microsoft\Windows nt\currentversion\winlogon key in the system registry by giving it a new value.
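As an added example (not code from the original article), the script below triages a `reg export` dump of the Winlogon key offline and flags the two things described above: any subkey under winlogon\notify, and any Winlogon value that no longer matches its expected default. The sample export, the DLLName and Userinit paths, and the expected defaults are constructed assumptions for the example.

```python
# Added example, not the article's code: offline triage of a `reg export` of the Winlogon key.
WINLOGON = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
NOTIFY_PREFIX = (WINLOGON + "\\Notify\\").lower()

# Assumed clean defaults for two Winlogon values commonly hijacked for persistence.
EXPECTED_DEFAULTS = {"Shell": "explorer.exe", "Userinit": r"C:\Windows\system32\userinit.exe,"}

# Constructed sample export: a Notify subkey named as in the article plus a Userinit value
# extended with an extra (hypothetical) executable path. Not a real infection dump.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe"
"Userinit"="C:\\Windows\\system32\\userinit.exe,C:\\Windows\\Temp\\update.exe,"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\dddcaabddebacd]
"DLLName"="dddcaabddebacd.dll"
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Startup"="WinStartup"
"Shutdown"="WinShutdown"
"""

def parse_reg_export(text):
    """Parse .reg text into {key_path: {value_name: string_data}} (REG_SZ values only)."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and line.startswith('"'):
            name, _, data = line.partition("=")
            # .reg files escape each backslash as "\\"; undo that before comparing paths.
            keys[current][name.strip('"')] = data.strip('"').replace("\\\\", "\\")
    return keys

def find_winlogon_anomalies(keys):
    """Return (kind, where, detail) tuples for Notify packages and altered Winlogon values."""
    findings = []
    for path, values in keys.items():
        # A Notify subkey names a DLL that winlogon.exe loads and whose Logon/Logoff/... exports it calls.
        if path.lower().startswith(NOTIFY_PREFIX):
            findings.append(("notify_package", path, values.get("DLLName", "<no DLLName>")))
    winlogon_values = keys.get(WINLOGON, {})
    for name, expected in EXPECTED_DEFAULTS.items():
        actual = winlogon_values.get(name)
        if actual is not None and actual.lower() != expected.lower():
            findings.append(("modified_value", name, actual))
    return findings
```

Run it against a real `reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" winlogon.reg` file by reading the file into `parse_reg_export`; the registry is case-insensitive, so comparisons are lower-cased.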

Removal Instructions for Win32 Agent

Like other Trojans, Win32 Agent makes changes to the system registry. Therefore, it is necessary to use software that deletes the new entries created by the Trojan and restores the modified registry values to their original values. I recommend using Trojan Remover, as I have tested the software myself. Download Trojan Remover and update it first. Then perform a quick scan of the computer system, followed by a complete scan of the hard drive, to remove any traces of the Win32 Agent Trojan left in the system.

As a safety measure, download and install SpyBot to remove any spyware or adware present on your computer system. You can also use McAfee to remove such Trojans, as it is capable of effectively removing them and reverting the changes made to the system registry.

Common Detection Names

Microsoft worm:win32/swimnag.gen

Kaspersky/vba32 Trojan.Win32

AVG (GriSoft)/Symantec Trojan horse

Panda Trj/CI.A

Eset Win32/Agent

How to Avoid a Win32 Agent

So you now know what a Win32 Agent is, how it works, and how to remove it, but the important question is how to avoid getting this version of a Trojan horse in the first place.

The most important thing in avoiding this strain is to make sure that both your operating system and your antivirus program are kept updated. Updates are usually released on a daily, weekly, or monthly cycle to address new malicious threats found on the Internet. With an updated system and antivirus, there's a higher chance that any change to programs on your computer will be detected or even stopped.

Another thing is to be careful about where you go and what links you click on the Internet. Hackers and thieves are becoming much more savvy at tricking users into believing that what they are seeing, such as an email supposedly coming from their bank, is real. If links, websites, or emails appear suspicious, avoid them; if you receive an email from your bank, for instance, stating that it needs your information, open a separate browser window and go directly to the bank's website, or give the bank a call.

The majority of companies that register users or send out emails to their clients and customers will never ask for personal information through email correspondence. Knowing all about a Win32 Agent - what it is, how it works, how to remove it, and how to avoid it - goes a long way toward making sure that your computer and your information stay safe.