Rootkit:W32/Agent.EA

Name: Rootkit:W32/Agent.EA
Category: Malware
Type: Trojan, Rootkit
Platform: W32

Summary

Rootkit.Win32.Agent.ea is kernel malware that hides itself and sends spam messages.

Disinfection

Detection and Disinfection of Rootkits

If the rootkit is not detected, or it is hidden so that F-Secure Anti-Virus cannot detect its file, it is still possible to detect the malicious activity by scanning the system with a generic rootkit scanner, such as F-Secure BlackLight. More information about F-Secure BlackLight Rootkit Elimination Technology can be found at:

http://www.f-secure.com/blacklight/

The BlackLight utility is also able to disinfect computers that are infected by rootkits.

Additional Details

Agent.ea arrives as a dropper that installs the main driver of the trojan and deletes itself. Upon execution, it creates the following file:

  • %System%\windbg48.sys

It installs the driver file as a service by creating the following registry key:

  • HKLM\System\CurrentControlSet\Services\windbg48

The dropper deletes itself with the following batch file:

  • %Temp%\_uninsep.bat

When the driver file is activated, it might connect to one of the following remote sites in an attempt to retrieve spam messages:

  • www.konskyvolos.com
  • www.swinmaster.com

The driver also hides itself, its registry keys, and network traffic using rootkit techniques. The spamming routine is also implemented entirely in the kernel-mode component (windbg48.sys).
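Because the driver hides its file, registry keys and traffic once it is running, the installation artifacts listed above are easiest to catch in endpoint telemetry recorded at install time rather than by inspecting the live system. The following is an added example (not F-Secure code) that matches those indicators against a constructed, Sysmon-like event list; the `Event` shape and the sample records are assumptions.

```python
from __future__ import annotations
import re
from dataclasses import dataclass
from typing import Optional

# Indicators copied from the description above.
DRIVER_FILE = "windbg48.sys"
DROPPER_BAT = "_uninsep.bat"
SERVICE_KEY = re.compile(r"\\services\\windbg48(\\|$)")  # key or any value under it
SPAM_HOSTS = {"www.konskyvolos.com", "www.swinmaster.com"}

@dataclass
class Event:
    kind: str    # "file", "registry" or "dns" (hypothetical event model)
    target: str  # file path, registry key/value path or queried hostname

def classify(ev: Event) -> Optional[str]:
    """Return the Agent.EA indicator an event matches, or None."""
    t = ev.target.lower()
    if ev.kind == "file":
        name = t.rsplit("\\", 1)[-1]          # compare basename, any %System%/%Temp%
        if name == DRIVER_FILE:
            return "driver_dropped"
        if name == DROPPER_BAT:
            return "dropper_cleanup_bat"
    elif ev.kind == "registry" and SERVICE_KEY.search(t):
        return "service_key_created"
    elif ev.kind == "dns" and t in SPAM_HOSTS:
        return "spam_source_lookup"
    return None

def scan(events: list[Event]) -> dict[str, list[str]]:
    """Group matching events by indicator name."""
    hits: dict[str, list[str]] = {}
    for ev in events:
        tag = classify(ev)
        if tag:
            hits.setdefault(tag, []).append(ev.target)
    return hits

def infection_chain_present(hits: dict[str, list[str]]) -> bool:
    """Driver dropped *and* registered as a service is the high-confidence pair."""
    return "driver_dropped" in hits and "service_key_created" in hits

# Constructed sample telemetry: one install sequence plus benign noise.
SAMPLE = [
    Event("file", r"C:\Windows\System32\windbg48.sys"),
    Event("registry", r"HKLM\System\CurrentControlSet\Services\windbg48\ImagePath"),
    Event("file", r"C:\Users\alice\AppData\Local\Temp\_uninsep.bat"),
    Event("dns", "www.konskyvolos.com"),
    Event("file", r"C:\Windows\System32\drivers\ndis.sys"),
    Event("dns", "www.example.com"),
]
```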