W32/Agent.C!tr - Released Dec 06, 2005 - Last Updated Mar 11, 2008

Alias/es

W32/Agent.C-kit, W32/Agent.C-tr, Virus.Win32.Agent.c, W32/Autorun.worm.n, W32/SillyFD-O, WORM_AGENT.MY

Detection Availability

Active Database    Extended Database
FortiGate
low
high
FortiClient
FortiMail N/A

Visible Symptoms

  • The file commdlgdll.exe exists in the System folder.

  • The following hidden files exist in the root folders of all removable/floppy drives:

    • autorun.inf
    • driver.exe

Detailed Analysis

  • Drops a copy of itself to the System folder as commdlgdll.exe.

  • Creates the following registry entry to automatically execute itself during startup:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
      commdlg.dll = "%System%\commdlgdll.exe"
  • Drops a copy of itself to all removable/floppy drives as driver.exe.

  • Drops the file autorun.inf to automatically execute its dropped copy whenever the drive is accessed. The following are the contents of this file:
    [Autorun]
    Open=driver.exe
    shellexecute=driver.exe
    shell\Auto\command=driver.exe
    Shell=Auto
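
For triage of removable media, the following added example (not part of the original advisory or any Fortinet tool) parses an autorun.inf and reports every launch directive that points at an executable sitting in the same drive root, which is the pattern described above. The function names and the directory listing are assumptions made for the example; the autorun.inf text is the one quoted on this page.

```python
import re

# Keys inside [autorun] that make Windows launch a program.
EXEC_KEYS = {"open", "shellexecute"}
SHELL_CMD = re.compile(r"^shell\\[^\\]+\\command$", re.IGNORECASE)
EXEC_EXT = (".exe", ".com", ".scr", ".pif", ".bat", ".cmd")

def autorun_commands(text):
    """Return [(key, command)] for each launch directive in the [autorun] section."""
    section, found = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()  # section names are case-insensitive
            continue
        if section != "autorun" or "=" not in line:
            continue
        key, value = (p.strip() for p in line.split("=", 1))
        if key.lower() in EXEC_KEYS or SHELL_CMD.match(key):
            found.append((key.lower(), value))
    return found

def target_of(command):
    """Program name from a command line, honouring a quoted first argument."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    return command.split()[0] if command else ""

def suspicious(text, root_files):
    """Launch directives whose target is an executable present in the drive root."""
    present = {name.lower() for name in root_files}
    hits = []
    for key, command in autorun_commands(text):
        target = target_of(command).lstrip(".\\").lower()
        if target.endswith(EXEC_EXT) and target in present:
            hits.append((key, target))
    return hits

# The autorun.inf contents quoted on this page; the directory listing is constructed.
SAMPLE = r"""[Autorun]
Open=driver.exe
shellexecute=driver.exe
shell\Auto\command=driver.exe
Shell=Auto
"""
ROOT_LISTING = ["autorun.inf", "driver.exe", "photos"]

if __name__ == "__main__":
    for key, target in suspicious(SAMPLE, ROOT_LISTING):
        print(f"review: {key} -> {target}")
```

Legitimate installer media can match the same heuristic, so treat a hit as a prompt to scan the referenced file rather than as a verdict.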

Recommended Action

    FortiGate Systems

  • Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the 'Allow Push Update' option.

    FortiClient Systems

  • Quarantine/delete files that are detected and replace infected files with clean backup copies.


Reference: ID - 6739