Avast WEBforum

Business Products => Archive (Legacy) => Avast Business => Avast Server Protection => Topic started by: withivy on August 28, 2006, 05:10:46 PM

Title: trojan.agent.rl
Post by: withivy on August 28, 2006, 05:10:46 PM
I have a win2003sp1 server with avast server edition installed

about five days ago I noticed periodical program errors generated by various users
the program was always the same: ruhh1.exe
this program was replicated in the temporary folder of each user and only when the user was logged in
scanning the directory, avast found nothing

so I used ewido from my local computer and I found trojan.agent.rl in a 1.tmp in the same directory as ruhh1.exe

posting 1.tmp to virusscan.jotti.org

antivir found trojan/agent.rl.3
arcavir found trojan.agent.ri
avast found nothing
avg found agent.io
bitdefender found trojan.agent.tn
clamav found nothing
dr.web found trojan.gromozon
fprot found nothing
fortinet found w32/agent.rl.tr
kaspersky found trojan.win32.agent.rl
nod32 found win32/agent.rl
norman found nothing
una found nothing
virusbuster found trojan.agent.dzn
vba32 found trojan.win32.agent.rl

my virus definition is 0635-0
I planned the avast program update tomorrow morning

as this server is nodal in my institute I cannot restart it without adequate planning

my answers are:
1-have you any suggestions?
2-tomorrow I think to install ewido on the server and perform a scan from it. do you know if ewido is compatible with 2003 and avast server?
3-do you have any indication for an anti-malware program that I can use on a 2003 server together with avast, or do you think avast is enough?

Title: Re: trojan.agent.rl
Post by: withivy on August 30, 2006, 04:42:14 PM
with last definition [0635-2] as of 30 August

ruhh1 was infected by Win32:Small-BTG[Trj]
1.tmp was infected by Win32:Agent-BLS[Trj]

Unfortunately, even if a user deletes these trojans, at every login the one in 1.tmp was detected (and then deleted or moved to the chest another time)  :-[

Title: Re: trojan.agent.rl
Post by: withivy on September 05, 2006, 11:07:48 AM

with virus definition 0635-3 it's deleted completely

Title: Re: trojan.agent.rl
Post by: FreewheelinFrank on September 07, 2006, 12:07:59 PM
I see the name 'Gromozon' here.  :o

You may want to run this tool to check for the Gromozon rootkit: