IR32_A.EXE!!! Search your comp for this file!

#0 - Jan. 10, 2007, 8:46 p.m.
Blizzard Post
Thank god I have my security up to date on my network, but some people just don't have the skills to do this on their own. 2 people of my guild were hacked in the last weeks and they did find the problem. The file will be in your windows\system32 directory. I posted a solution below...

I hope this will save some people and remember to get a good virus scanner, firewall (if you have one on your router ENABLE IT!!!), and spyware searcher.

----------------------------------------------------


Type: Trojan
Aliases: No Alias Found
In the wild: Yes
Destructive: No
Language: English
Platform: Windows 98, ME, 2000, XP, Server 2003
Encrypted: No
Overall risk rating: Low
Reported infections: Low
Damage potential: Medium
Distribution potential: Low

Description:

This Trojan may be dropped or downloaded by another malware program.

It modifies a valid system file in order to download and execute files from the URL http://2{BLOCKED}7.105.52. As of this writing, however, the said URL is inaccessible.



Solution:
Identifying the Malware Program

To remove this malware, first identify the malware program.

1. Scan your computer with your Trend Micro antivirus product.
2. NOTE the path and file name of all files detected as TROJ_AGENT.CQE.

Trend Micro customers need to download the latest virus pattern file before scanning their computer. Other users can use HouseCall, the Trend Micro online virus scanner.

Restarting in Safe Mode

This malware has characteristics that require the computer to be restarted in safe mode. Go to this page for instructions on how to restart your computer in safe mode.

Editing the Registry

This malware modifies the computer's registry. Users affected by this malware may need to modify or delete specific registry keys or entries. For detailed information regarding registry editing, please refer to the following articles from Microsoft:

HOW TO: Backup, Edit, and Restore the Registry in Windows 95, Windows 98, and Windows ME
HOW TO: Backup, Edit, and Restore the Registry in Windows 2000
HOW TO: Back Up, Edit, and Restore the Registry in Windows XP and Server 2003

Removing Autostart Entry from the Registry on Windows 2000, XP, and Server 2003

Removing autostart entries from the registry prevents the malware from executing at startup.

If the registry entry below is not found, the malware may not have executed as of detection. If so, proceed to the succeeding solution set.

1. Open Registry Editor. Click Start>Run, type REGEDIT, then press Enter.
2. In the left panel, double-click the following:
   HKEY_LOCAL_MACHINE>SOFTWARE>Microsoft>Windows>CurrentVersion>Run
3. In the right panel, locate and delete the entry:
   SystemMgr = "{Malware path and file name of original malware file}"
4. Close Registry Editor.

Deleting the Malware File(s)

1. Right-click Start then click Search... or Find..., depending on the version of Windows you are running.
2. In the Named input box, type:
   IR32_A.EXE
3. In the Look In drop-down list, select the drive that contains Windows, then press Enter.
4. Once located, select the file then press Delete.
5. Repeat the steps above to delete the file REG.GIN on Windows 98 and ME.

Restoring an Overwritten File on Windows 98 and ME

The file WS2_32.DLL, which has been overwritten by the malware, can be restored from backup by restarting in MS-DOS prompt and replacing the aforementioned file with its original copy from backup.

Restoring AUTOEXEC.BAT on Windows 98 and ME

1. Open AUTOEXEC.BAT using Notepad. Click Start>Run, type this text string in the Open input box then press Enter:
   notepad c:\autoexec.bat
2. Delete the following entries created by the malware:
   echo off
   copy C:\Windows\SYSTEM\Ir32_a.dll C:\Windows\SYSTEM\ws2_32.dll
   del C:\Windows\SYSTEM\Ir32_a.dll
   del {malware path and file name of original malware file}
3. Close AUTOEXEC.BAT and click Yes when prompted to save.

Important Windows ME/XP Cleaning Instructions

Users running Windows ME and XP must disable System Restore to allow full scanning of infected computers.

Users running other Windows versions can proceed with the succeeding solution set(s).

Running Trend Micro Antivirus

If you are currently running in safe mode, please restart your computer normally before performing the following solution.

Scan your computer with Trend Micro antivirus and delete files detected as TROJ_AGENT.CQE. To do this, Trend Micro customers must download the latest virus pattern file and scan their computer. Other Internet users can use HouseCall, the Trend Micro online virus scanner.

Details:

This Trojan may be dropped or downloaded by another malware program.

On Windows 2000, XP, and Server 2003 systems, it drops a copy of itself as IR32_A.EXE in the Windows system folder. On systems running Windows 98 and ME, it drops the following files in the same folder:

Ir32_a.dll - modified from WS2_32.DLL
p_1 - modified from AUTOEXEC.BAT
reg.gin - non-malicious file

Furthermore, on Windows 98 and ME, it adds the following lines in the valid system file AUTOEXEC.BAT:

echo off
copy C:\Windows\SYSTEM\Ir32_a.dll C:\Windows\SYSTEM\ws2_32.dll
del C:\Windows\SYSTEM\Ir32_a.dll
del {Malware path and file name of original malware file}

It creates the following registry entry on Windows 2000, XP, and Server 2003 systems to enable its automatic execution at every system startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
SystemMgr = "{Malware path and file name of original malware file}"

On Windows 98 and ME systems, it overwrites the valid file WS2_32.DLL in order to download and execute possibly-malicious files from the URL http://2{BLOCKED}7.105.52. As of this writing, however, the said URL is inaccessible.

This Trojan does not reside in the affected system's memory on Windows 98 and ME. On Windows 2000, XP, and Server 2003, however, it injects itself into the process EXPLORER.EXE to stay resident in the affected system's memory.

This Trojan runs on Windows 98, ME, 2000, XP, and Server 2003.
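An added check, not part of this post or of the antivirus writeup it pastes, that turns the indicators above into a small Python script: it strips the AUTOEXEC.BAT block the trojan adds (only flagging the variable "del {original malware file}" line for manual review, since its path is unknown), looks for the SystemMgr value in the Run key, and lists the dropped file names. The sample AUTOEXEC.BAT, Run entries and directory listing are constructed, and the dropper path is a placeholder.

```python
import re

# Indicators from the writeup above. The original dropper's path varies per
# infection, so the trailing "del {original malware file}" line is only flagged.
MALWARE_FILES = {"ir32_a.exe", "ir32_a.dll", "reg.gin", "p_1"}
RUN_VALUE_NAME = "systemmgr"
COPY_LINE = re.compile(r"^copy\s+c:\\windows\\system\\ir32_a\.dll\s+"
                       r"c:\\windows\\system\\ws2_32\.dll\s*$", re.I)
DEL_LINE = re.compile(r"^del\s+c:\\windows\\system\\ir32_a\.dll\s*$", re.I)

def clean_autoexec(text):
    """Return (cleaned_text, removed_lines, lines_to_review) for an AUTOEXEC.BAT."""
    lines = text.splitlines()
    keep, removed, review = [], [], []
    for i, raw in enumerate(lines):
        line = raw.strip()
        nxt = lines[i + 1].strip() if i + 1 < len(lines) else ""
        prev = lines[i - 1].strip() if i > 0 else ""
        # "echo off" is malicious only when it opens the block (copy line follows);
        # a lone "echo off" or "@echo off" elsewhere is legitimate and kept.
        if line.lower() == "echo off" and COPY_LINE.match(nxt):
            removed.append(raw)
        elif COPY_LINE.match(line) or DEL_LINE.match(line):
            removed.append(raw)
        elif line.lower().startswith("del ") and DEL_LINE.match(prev):
            review.append(raw)  # probable "del {original malware file}"
        else:
            keep.append(raw)
    return "\n".join(keep), removed, review

def find_run_entry(run_entries):
    """run_entries: {value name: data} read from HKLM\\...\\CurrentVersion\\Run."""
    return {k: v for k, v in run_entries.items() if k.lower() == RUN_VALUE_NAME}

def find_dropped_files(listing):
    """listing: file names found in the Windows system folder."""
    return sorted(f for f in listing if f.lower() in MALWARE_FILES)

# Constructed sample input (not captured from a real machine).
SAMPLE_AUTOEXEC = "\r\n".join([
    "@ECHO OFF",
    "SET PATH=C:\\WINDOWS;C:\\WINDOWS\\COMMAND",
    "echo off",
    "copy C:\\Windows\\SYSTEM\\Ir32_a.dll C:\\Windows\\SYSTEM\\ws2_32.dll",
    "del C:\\Windows\\SYSTEM\\Ir32_a.dll",
    "del C:\\DOWNLOAD\\SETUP.EXE",
])
SAMPLE_RUN = {"SystemMgr": "C:\\WINDOWS\\system32\\dropper.exe",  # placeholder path
              "ctfmon.exe": "C:\\WINDOWS\\system32\\ctfmon.exe"}
SAMPLE_LISTING = ["kernel32.dll", "IR32_A.EXE", "ws2_32.dll", "reg.gin"]
```

Anything returned in the review list should be checked by hand before deleting it, since a legitimate "del" could follow the malware block.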

#9 - Jan. 10, 2007, 10:57 a.m.
Blizzard Post
Quote:


No, AVG SAYS you are virus-free, but will other virus/spyware/malware scanners tell you the same? I've used AVG for 1 year now, it always told me I was virus-free.. I downloaded a Webroot SpySweeper trial, and it found 2 malware files and at least 4 spyware files..

I recommend you download Spybot Search & Destroy. It's free, lots of updates, kills spyware and even makes you immune to spy/malware!
http://www.spybot.info/en/download/index.html (Download the upper one, the v1.4)


Some people seem to be mixing up two different things. Take AVG, for example. It's anti VIRUS, not anti TROJAN/Malware per se. So having AVG tell you that you are virus free doesn't exclude the possibility of still having other nightmarish stuff in your system.

#27 - Jan. 10, 2007, 1:25 p.m.
Blizzard Post
Quote:


Actually, Trojans are viruses, and spyware is rather harmless (if it actually mines information like credit card data and passwords, it's considered a virus as well). Both Trojans and dataloggers should be cleaned by antivirus programs.
Good to see that the people in charge here have no clue what they're talking about either. ¬_¬


I'll remember that comment the next time you ask for a blue word, since obviously you don't want us here..