F-Secure Malware Information Pages: Rootkit:W32/Agent.EA
Summary
Rootkit.Win32.Agent.ea is kernel malware that hides itself and sends spam messages.
Disinfection
Detection and Disinfection of Rootkits
If the rootkit is not detected, or it is hidden so that F-Secure Anti-Virus cannot detect its file, it is still possible to detect the malicious activity by scanning the system with a generic rootkit scanner such as F-Secure BlackLight. More information about F-Secure BlackLight Rootkit Elimination Technology can be found at:
http://www.f-secure.com/blacklight/
The BlackLight utility is also able to disinfect computers that are infected by rootkits.
Detailed Description
Agent.ea arrives as a dropper that installs the trojan's main driver and then deletes itself. Upon execution, it creates the following file:
It installs the driver file as a service by creating the following registry key:
- HKLM\System\CurrentControlSet\Services\windbg48
The dropper deletes itself with the following batch file:
When the driver file is activated, it might connect to one of the following remote sites in an attempt to retrieve spam messages:
- www.konskyvolos.com
- www.swinmaster.com
The driver also hides itself, its registry keys, and its network traffic using rootkit techniques. The spamming routine is implemented entirely in the kernel-mode component (windbg48.sys).
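As an added example (not F-Secure's tool and not code from the original page), the following PowerShell triage script checks a host for the user-mode-visible traces of the indicators listed above: the windbg48 service key and driver, the Service Control Manager's view of it, and DNS-cache residue for the two spam-retrieval domains. It assumes a modern Windows host with the DnsClient module; because the driver hides these artifacts from user mode, a clean result is not conclusive and a kernel-aware scanner such as BlackLight remains the authoritative check.

```powershell
# Added triage script (not F-Secure's tooling). Checks user-mode-visible traces of
# Rootkit.Win32.Agent.ea. The rootkit hides its file, registry key and traffic, so
# "nothing found" here is NOT proof of absence; it only catches partial or
# already-unhooked installations. Run elevated.
$ServiceName = 'windbg48'
$ServiceKey  = "HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName"
$DriverFile  = Join-Path $env:SystemRoot "System32\drivers\$ServiceName.sys"
$SpamHosts   = 'www.konskyvolos.com', 'www.swinmaster.com'

$findings = New-Object System.Collections.Generic.List[string]

# 1. Direct indicator checks: registry key, driver on disk, driver known to the SCM.
if (Test-Path $ServiceKey) { $findings.Add("service registry key present: $ServiceKey") }
if (Test-Path $DriverFile) { $findings.Add("driver file present: $DriverFile") }
$loaded = Get-CimInstance Win32_SystemDriver -ErrorAction SilentlyContinue |
          Where-Object { $_.Name -eq $ServiceName -or $_.PathName -like "*$ServiceName.sys" }
if ($loaded) { $findings.Add("SCM reports driver '$ServiceName' (state: $($loaded.State))") }

# 2. Cross-view check: compare the registry's list of service entries with the
#    SCM's list. An entry the SCM reports but the registry view lacks suggests a
#    hooked registry enumeration; entries in only the registry are common for
#    legitimate leftovers, so they are listed for review rather than flagged.
$regView = (Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue).PSChildName
$scmView = @((Get-Service -ErrorAction SilentlyContinue).Name) +
           @((Get-CimInstance Win32_SystemDriver -ErrorAction SilentlyContinue).Name)
$regOnly = $regView | Where-Object { $scmView -notcontains $_ }
$scmOnly = $scmView | Where-Object { $regView -notcontains $_ }
foreach ($n in $scmOnly) { $findings.Add("service '$n' reported by SCM but missing from registry view") }

# 3. Name-resolution residue for the spam servers named on this page.
#    Get-DnsClientCache requires Windows 8 / Server 2012 or later.
$dns = Get-DnsClientCache -ErrorAction SilentlyContinue |
       Where-Object { $SpamHosts -contains $_.Entry -or $SpamHosts -contains $_.Name }
foreach ($e in $dns) { $findings.Add("DNS cache entry for spam host: $($e.Entry) -> $($e.Data)") }

# Report.
if ($findings.Count -eq 0) {
    Write-Output "No user-mode indicators of Rootkit.Win32.Agent.ea found (not conclusive)."
} else {
    Write-Output "Possible Rootkit.Win32.Agent.ea indicators:"
    $findings | ForEach-Object { Write-Output " - $_" }
}
Write-Output "Registry-only service entries for manual review: $($regOnly -join ', ')"
```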
F-Secure Corporation
Last Modified: July 09, 2007