
F-Secure Malware Information Pages: Rootkit:W32/Agent.EA


Name: Rootkit:W32/Agent.EA
Alias: Trojan.Srizbi, Agent.ea, Rootkit.Win32.Agent.ea
Type: Trojan, Rootkit
Category: Malware
Platform: W32

Summary
Rootkit.Win32.Agent.ea is kernel malware that hides itself and sends spam messages.

Disinfection

Detection and Disinfection of Rootkits

If the rootkit is not detected, or it is hidden so that F-Secure Anti-Virus cannot see its file, it is still possible to detect the malicious activity by scanning the system with a generic rootkit scanner such as F-Secure BlackLight. More information about F-Secure BlackLight Rootkit Elimination Technology can be found at:

http://www.f-secure.com/blacklight/

The BlackLight utility is also able to disinfect computers that are infected by rootkits.

Detailed Description
Agent.ea arrives as a dropper that installs the main driver of the trojan and deletes itself. Upon execution, it creates the following file:

  • %System%\windbg48.sys

It installs the driver file as a service by creating the following registry key:

  • HKLM\System\CurrentControlSet\Services\windbg48

The dropper deletes itself with the following batch file:

  • %Temp%\_uninsep.bat

When the driver file is activated, it might connect to one of the following remote sites in an attempt to retrieve spam messages:

  • www.konskyvolos.com
  • www.swinmaster.com

The driver also hides itself, its registry keys, and network traffic using rootkit techniques. The spamming routine is also implemented entirely in the kernel-mode component (windbg48.sys).
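The indicators above (the driver file, the service key, the uninstall batch file and the two spam-retrieval hosts) can be matched against artefacts gathered from a suspect host. The following is an added example written for this page, not code from F-Secure or from the BlackLight product: it scans plain-text artefact lines for those indicators. Because the driver hides its file, its registry keys and its network traffic from the running system, the lines are assumed to come from outside the infected kernel's view (a directory listing taken from a disk image, an offline registry hive export, or DNS logs from the network). The record formats and the sample lines are constructed for this example.

```python
"""
Indicator matching for Rootkit:W32/Agent.EA over offline artefact lines.

Indicator values are taken from the F-Secure description; the record formats
(disk-image listing, offline registry export, DNS resolver log) and the sample
lines below are constructed assumptions for this example.
"""
import re
from dataclasses import dataclass

# %System% and %Temp% are Windows path placeholders, so the file indicators are
# matched on the file name only, as a whole token.
FILE_INDICATORS = {"windbg48.sys", "_uninsep.bat"}
# HKLM\System\CurrentControlSet\Services\windbg48
SERVICE_INDICATORS = {"windbg48"}
DOMAIN_INDICATORS = {"www.konskyvolos.com", "www.swinmaster.com"}

# Service name sitting directly under ...\CurrentControlSet\Services\ in a
# registry export line (e.g. "[HKEY_LOCAL_MACHINE\System\...\Services\name]").
_SERVICE_KEY = re.compile(r"\\CurrentControlSet\\Services\\([^\\\]\s]+)", re.IGNORECASE)


def _token(indicator):
    """Regex matching the indicator as a whole token (not a substring of a longer name)."""
    return re.compile(r"(?<![\w.-])" + re.escape(indicator) + r"(?![\w.-])")


_FILE_PATTERNS = {name: _token(name) for name in FILE_INDICATORS}
_DOMAIN_PATTERNS = {dom: _token(dom) for dom in DOMAIN_INDICATORS}


@dataclass(frozen=True)
class Hit:
    kind: str    # "file", "service" or "domain"
    value: str   # the indicator that matched
    record: str  # the artefact line it was found in


def scan_records(records):
    """Return every indicator hit found in an iterable of artefact lines."""
    hits = []
    for rec in records:
        rec = rec.rstrip("\n")
        low = rec.lower()
        for name, pat in _FILE_PATTERNS.items():
            if pat.search(low):
                hits.append(Hit("file", name, rec))
        m = _SERVICE_KEY.search(rec)
        if m and m.group(1).lower() in SERVICE_INDICATORS:
            hits.append(Hit("service", m.group(1).lower(), rec))
        for dom, pat in _DOMAIN_PATTERNS.items():
            if pat.search(low):
                hits.append(Hit("domain", dom, rec))
    return hits


def summarize(hits):
    """Group hits into {kind: sorted list of distinct indicator values}."""
    out = {}
    for h in hits:
        out.setdefault(h.kind, set()).add(h.value)
    return {kind: sorted(vals) for kind, vals in out.items()}


# Constructed sample artefacts: an offline listing of %System% and %Temp% from a
# disk image, an offline registry export, and two DNS resolver log lines.
SAMPLE_RECORDS = [
    "2007-07-02 10:14:03    16384  C:\\WINDOWS\\system32\\windbg48.sys",
    "2007-07-02 10:14:03  1037824  C:\\WINDOWS\\system32\\ntoskrnl.exe",
    "[HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\windbg48]",
    "[HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\Tcpip]",
    "Jul  2 10:15:11 dns named[123]: client 10.0.0.17#1025: query: www.konskyvolos.com IN A",
    "Jul  2 10:15:12 dns named[123]: client 10.0.0.17#1026: query: www.example.net IN A",
    "C:\\DOCUME~1\\USER\\LOCALS~1\\Temp\\_uninsep.bat",
]

if __name__ == "__main__":
    for h in scan_records(SAMPLE_RECORDS):
        print(f"{h.kind:8} {h.value:24} <- {h.record}")
    print(summarize(scan_records(SAMPLE_RECORDS)))
```

A "domain" hit on its own only shows that some client on the network asked for one of the two hosts; pair it with the client address in the log line to decide which machine to image. A "file" or "service" hit from an offline hive or disk image is the stronger signal, since the running driver would have hidden both from tools executed on the live system.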



F-Secure Corporation

Last Modified: July 09, 2007