Author Topic: trojan.agent.rl  (Read 6674 times)

0 Members and 1 Guest are viewing this topic.


  • Guest
« on: August 28, 2006, 05:10:46 PM »
I have a win2003sp1 server with  avast server edition installed

about five days ago i noticed periodical program error generated by various users
the program was alway the same ruhh1.exe
this program was replicated in the temporary folder of each user and only when the user was logged
scanning the directory avast found nothing

so i use ewido from my local computer and i found trojan.agent.rl in a 1.tmp in the same directory of ruhh1.exe

posting 1.tmp to

antivir found trojan/agent.rl.3
arcavir found trojan.agent.ri
avast found nothing
avg found
bitdefender found
clamav found nothing
dr.web found trojan.gromozon
fprot found nothing
fortinet found w32/
kaspersky found trojan.win32.agent.rl
nod32 found win32/agent.rl
norman found nothing
una found nothing
virusbuster found trojan.agent.dzn
vba32 found trojan.win32.agent.rl

my virus definition is 0635-0
i planned the avast program update tomomorrow morning

as this server is nodal in my institute i cannot restart it without an adequate planning

my answers are:
1-have you any suggest?
2-tomorrow i think to install ewido on the server and perform a scan from it. do you know if ewido is compatible with 2003 and avast server?
3-do you have any indication for anti malware program, that i can use on a 2003 server together with avast or do you think avast is enough?



  • Guest
Re: trojan.agent.rl
« Reply #1 on: August 30, 2006, 04:42:14 PM »
with last definition [0635-2] as of 30 August

ruhh1 was infected by Win32:Small-BTG[Trj]
1.tmp was infected by Win32:Agent-BLS[Trj]

Pitily even if an user deletes these trojan, at every login the one on 1.tmp was detected (and then deleted or moved to the chest another time)  :-[



  • Guest
Re: trojan.agent.rl
« Reply #2 on: September 05, 2006, 11:07:48 AM »

with virus definition 0635-3 it's deleted completely

Offline FreewheelinFrank

  • Avast Evangelist
  • Ultra Poster
  • ***
  • Posts: 4872
  • I'm a GNU
    • Don't Surf in the Nude!
Re: trojan.agent.rl
« Reply #3 on: September 07, 2006, 12:07:59 PM »
I see the name 'Gromozon' here.  :o

You may want to run this tool to check for the Gromozon rootkit:
     Bambleweeny 57 sub-meson brain     Don't Surf in the Nude Blog