F-Secure
Tools
Rootkit:W32/Agent.EA
| Name : | Rootkit:W32/Agent.EA |
| Category: | Malware |
| Type: | Trojan, Rootkit |
| Platform: | W32 |
Summary
Rootkit.Win32.Agent.ea is kernel malware that hides itself and sends spam messages.
Disinfection
Detection and Disinfection of Rootkits
If the rootkit is not detected or it is hidden so that F-Secure Anti-Virus cannot detect its file, it is still possible to detect the malicious activity by scanning the system with a generic rootkit scanner, such as F-Secure BlackLight. More information about F-Secure BlackLight Rootkit Elimination Technology can be found from:
http://www.f-secure.com/blacklight/
The BlackLight utility is also able to disinfect computers that are infected by rootkits.
If the rootkit is not detected or it is hidden so that F-Secure Anti-Virus cannot detect its file, it is still possible to detect the malicious activity by scanning the system with a generic rootkit scanner, such as F-Secure BlackLight. More information about F-Secure BlackLight Rootkit Elimination Technology can be found from:
http://www.f-secure.com/blacklight/
The BlackLight utility is also able to disinfect computers that are infected by rootkits.
Additional Details
Agent.ea arrives as a dropper that installs the main driver of the trojan and deletes itself. Upon execution, it creates the following file:
It installs the driver file as service by creating the following registry key:
The dropper deletes itself with the following batch file:
When the driver file is activated, it might connect to one of the following remote sites in an attempt to retrieve spam messages:
The driver also hides itself, its registry keys, and network traffic using rootkit techniques. The spamming routine is also implemented entirely in the kernel-mode component (windbg48.sys).
• %System%\windbg48.sys
It installs the driver file as service by creating the following registry key:
• HKLM\System\CurrentControlSet\Services\windbg48
The dropper deletes itself with the following batch file:
• %Temp%\_uninsep.bat
When the driver file is activated, it might connect to one of the following remote sites in an attempt to retrieve spam messages:
• www.konskyvolos.com
• www.swinmaster.com
The driver also hides itself, its registry keys, and network traffic using rootkit techniques. The spamming routine is also implemented entirely in the kernel-mode component (windbg48.sys).