icq agent

Discussion in 'other software & services' started by tutankamon, Oct 22, 2003.

Thread Status:
Not open for further replies.
  1. tutankamon

    tutankamon Registered Member

    Joined:
    Jul 10, 2003
    Posts:
    170
    Location:
    Lancashire U.K.
    I have downloaded and run a program called System Safety Monitor; this shows an entry HKCU\software\Mirabilis\ICQ\agent\apps. Is this normal?
     
  2. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    Programs added here can be started when ICQ starts - so if ICQ is starting automatically when you reboot, then these programs are also autostarted.
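    An added example (not from this thread, nor from DiamondCS or the SSM authors) that audits the key Gavin describes, and that also distinguishes the three states the thread talks about: key absent, key present but empty (what SSM created on tutankamon's machine, as Max explains later in the thread), and key populated with registered programs. It assumes that entries under Agent\Apps are string values holding a command line, either directly under the key or in subkeys, and it assumes ICQ's own autostart would show up in the per-user Run key; both are assumptions, since the thread does not document the layout.

    ```powershell
    # Added example: audit HKCU\Software\Mirabilis\ICQ\Agent\Apps (the key from the thread).
    # Assumption: programs are registered as string values (command lines) directly under
    # the key or under its subkeys. The exact value layout is not documented in the thread.
    $AgentAppsKey = 'HKCU:\Software\Mirabilis\ICQ\Agent\Apps'
    # Assumption: if ICQ autostarts at logon it is listed in the per-user Run key.
    $RunKey       = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'

    function Test-ExecutablePresent {
        # Pull the executable out of a command line such as  "C:\dir\foo.exe" /arg
        # and report whether that file actually exists on disk.
        param([string]$Data)
        if     ($Data -match '^"([^"]+)"')                { $candidate = $Matches[1] }
        elseif ($Data -match '^(\S+\.(exe|com|bat|cmd))') { $candidate = $Matches[1] }
        else   { return $null }                           # not recognisably a path
        return (Test-Path -LiteralPath $candidate)
    }

    function Get-IcqAgentApps {
        param([string]$Path = $AgentAppsKey)

        if (-not (Test-Path -LiteralPath $Path)) {
            # Nothing can be launched through this key if it does not exist at all.
            return [PSCustomObject]@{ Key = $Path; State = 'absent'; ValueName = $null; Data = $null; FileExists = $null }
        }

        # Walk the key itself plus every subkey beneath it, one row per registered value.
        $root = Get-Item -LiteralPath $Path
        $keys = @($root) + @(Get-ChildItem -LiteralPath $Path -Recurse)
        $rows = foreach ($k in $keys) {
            foreach ($name in $k.GetValueNames()) {
                $data = [string]$k.GetValue($name)
                [PSCustomObject]@{
                    Key        = $k.Name
                    State      = 'registered'
                    ValueName  = $name
                    Data       = $data
                    FileExists = Test-ExecutablePresent $data
                }
            }
        }

        if (-not $rows) {
            # The state from the thread: the monitored key exists but holds no programs.
            return [PSCustomObject]@{ Key = $Path; State = 'empty'; ValueName = $null; Data = $null; FileExists = $null }
        }
        return $rows
    }

    function Test-IcqAutostart {
        # Gavin's point: entries under Agent\Apps only matter at boot if ICQ itself
        # starts automatically. Check the per-user Run key for an ICQ entry.
        if (-not (Test-Path -LiteralPath $RunKey)) { return $false }
        $run = Get-Item -LiteralPath $RunKey
        foreach ($name in $run.GetValueNames()) {
            if (([string]$run.GetValue($name)) -match 'icq') { return $true }
        }
        return $false
    }

    $report = Get-IcqAgentApps
    $report | Format-Table -AutoSize

    if ($report.State -contains 'registered') {
        if (Test-IcqAutostart) {
            Write-Output 'ICQ autostarts at logon, so the programs above will run at logon too: review each one.'
        } else {
            Write-Output 'ICQ is not in the Run key; the programs above only run when ICQ is started manually.'
        }
    }
    ```

    A row whose FileExists column is False is the case worth a second look: a registered command line pointing at a file that is no longer on disk usually means a removed program (or a cleaned-up infection) left its autostart entry behind.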
     
  3. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Gavin, I wonder if I moved this one too quickly to this services area and if this should not have stayed in our dear TDS environment:
    I copied the HKEY in google and found this page
    http://www.sophos.com/virusinfo/analyses/w32anaconc.html
    Telling there is a trojan using this key:
    W32-Anacon-C / I.Worm.Nocana.E
    I hope there is nothing like that trojan there?
    W32/Anacon-C is an internet worm with a backdoor component that attempts to spread via email, network shares and popular P2P networks.
    W32/Anacon-C has a backdoor component that allows a malicious user remote access to the computer when the worm is active. It also allows a malicious user to steal passwords.
    It might have tried to create this entry
    HKLM\SYSTEM\ControlSet001\Services\lanmanserver\Shares\Hackerz

    Tut, does TDS give any alarm of any kind on some file? If so, please submit to Gavin
    submit@diamondcs.com.au
    but I'm sure Gavin has thought about this already and would have warned about this if there was any circumstance to think so.

    Please scan and keep us informed!
     
  4. tutankamon

    tutankamon Registered Member

    Joined:
    Jul 10, 2003
    Posts:
    170
    Location:
    Lancashire U.K.
    It would appear that this line HKCU\software\Mirabilis\ICQ\agent\apps comes with the program SSM, and is a "protected Key".
    I have searched my registry and not found any folder with Mirabilis in it. My google search said that it could be a password stealing trojan, but TDS3 doesn't show anything suspicious. I have also run AVG6 fully updated, still nothing suspicious.
     
  5. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Then I would keep to Gavin's reply in the first place.
    You could take ICQ from the autostart and see if it still takes place with reboot. Or with starting SSM.
    Did you contact the SSM people to ask them if that HKEY could be theirs?
     
  6. tutankamon

    tutankamon Registered Member

    Joined:
    Jul 10, 2003
    Posts:
    170
    Location:
    Lancashire U.K.
    UPDATE
    I have been in contact with Max at the SSM site and asked the question about ICQ agent; his reply is:
    "There's nothing to worry about. This key was added to the list of default-keys-to-be-monitored because (as you have noticed) there are some popular worms/trojans that use this key. In your case this key was created by SSM (this is some kind of flaw -- if the key which should be monitored is absent, SSM creates it. This will be fixed in next versions), but it represents absolutely no harm or danger, especially since you don't even have ICQ. For your convenience you can remove this key from the list of monitored keys. This key itself couldn't have any impact on your system in your case." I can rest easy now.
     
  7. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Thank you for the update. So there is nothing to worry about, but they could have mentioned something like that in the helpfile!
    Glad it is ok after all!
     