

Trojan-Downloader:W32/Agent.BRK


Aliases:


Trojan-Downloader:W32/Agent.BRK

Malware
Trojan-Downloader
W32

Summary

This type of trojan secretly downloads malicious files from a remote server, then installs and executes the files.



Disinfection & Removal

Automatic Disinfection

Allow F-Secure Anti-Virus to disinfect the relevant files.

For more general information on disinfection, please see Removal Instructions.



Technical Details

Trojan-Downloader:W32/Agent.BRK attempts to download and install a rootkit program onto the affected system, which then forces the computer to act as an e-mail spam-bot.


Execution

Trojan-Downloader:W32/Agent.BRK drops the following driver component once it has been executed:

  • %sysdir%\drivers\runtime.sys

The component is detected as Rootkit.Win32.Agent.dw.

It also replaces the file for the Microsoft Windows IPv6 Windows Firewall Driver service:

  • %sysdir%\drivers\ip6fw.sys

The file is replaced with a copy of Rootkit.Win32.Agent.dp.

The services are then installed and started.


Activity

Trojan-Downloader:W32/Agent.BRK launches a hidden instance of Microsoft Internet Explorer and injects its own code into that process.

It then attempts to connect to the following addresses:

  • 66.246.72.173
  • 67.18.114.98
  • 208.66.194.241

The following addresses were seen in newer variants of this malware:

  • 64.233.183.27
  • 66.111.4.74
  • 194.67.23.20
  • 209.85.147.27
  • 216.157.145.27
  • 216.195.61.87

It attempts to download a further malware component by sending an HTTP GET request that includes some details about the infected machine.

The downloaded file is then saved as:

  • %sysdir%\[number]_exception.nls

The variable [number] is a single digit from 0 to 9.

The downloaded malware is currently detected as Rootkit.Win32.Agent.ey and makes the infected machine act as an e-mail spam bot.


Registry Changes

Trojan-Downloader:W32/Agent.BRK may create either of the following mutexes while active:

  • k4j.32H_f7z_Z6e.g8G0
  • y8w.61T_i0b_Q3f.l4R7
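The indicators above (dropped driver, replaced ip6fw.sys, the [number]_exception.nls payload, the two mutexes, the hidden Internet Explorer process and the download addresses) can be checked on a host in one pass. The script below is an example added by the editor, not an F-Secure tool; it only reports findings and does not disinfect. It assumes %sysdir% maps to $env:SystemRoot\System32 and that the mutexes may live in either the Local or the Global namespace, which the page does not state.

```powershell
# Host triage for the Trojan-Downloader:W32/Agent.BRK indicators listed above.
# Editor-added example, not F-Secure code. Run from an elevated prompt.

$sysdir   = Join-Path $env:SystemRoot 'System32'   # assumption: %sysdir%
$findings = New-Object System.Collections.Generic.List[string]

# 1. Dropped rootkit driver (detected as Rootkit.Win32.Agent.dw).
$runtimeSys = Join-Path $sysdir 'drivers\runtime.sys'
if (Test-Path $runtimeSys) {
    $findings.Add("dropped driver present: $runtimeSys")
}

# 2. ip6fw.sys is replaced with Rootkit.Win32.Agent.dp. The genuine driver is
#    Microsoft's; any other signer, or an invalid/missing signature, needs a
#    hash comparison against a known-good copy before you call it clean.
$ip6fw = Join-Path $sysdir 'drivers\ip6fw.sys'
if (Test-Path $ip6fw) {
    $sig    = Get-AuthenticodeSignature -FilePath $ip6fw
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<none>' }
    if ($sig.Status -ne 'Valid' -or $signer -notmatch 'Microsoft') {
        $findings.Add("ip6fw.sys signature check: status=$($sig.Status) signer=$signer")
    }
}

# 3. Driver services whose image path points at either file (the page says the
#    services are installed and started but does not give their names).
Get-CimInstance Win32_SystemDriver |
    Where-Object { $_.PathName -match 'runtime\.sys$|ip6fw\.sys$' } |
    ForEach-Object {
        $findings.Add("driver service $($_.Name) state=$($_.State) path=$($_.PathName)")
    }

# 4. Downloaded payload saved as %sysdir%\[0-9]_exception.nls
#    (detected as Rootkit.Win32.Agent.ey).
Get-ChildItem -Path $sysdir -Filter '*_exception.nls' -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -match '^[0-9]_exception\.nls$' } |
    ForEach-Object { $findings.Add("downloaded payload present: $($_.FullName)") }

# 5. Mutexes created by the downloader. OpenExisting throws when the name does
#    not exist, so a successful open is the indicator. Namespace is an assumption.
$mutexNames = 'k4j.32H_f7z_Z6e.g8G0', 'y8w.61T_i0b_Q3f.l4R7'
foreach ($name in $mutexNames) {
    foreach ($full in @($name, "Global\$name")) {
        try {
            $m = [System.Threading.Mutex]::OpenExisting($full)
            $m.Dispose()
            $findings.Add("mutex present: $full")
        } catch [System.Threading.WaitHandleCannotBeOpenedException] {
            # not present: expected on a clean host
        } catch [System.UnauthorizedAccessException] {
            # exists but cannot be opened from this token: still an indicator
            $findings.Add("mutex present (access denied): $full")
        }
    }
}

# 6. Hidden Internet Explorer instance used for the download. A window-less
#    iexplore.exe is only a hint; background IE processes can be legitimate.
Get-Process -Name iexplore -ErrorAction SilentlyContinue |
    Where-Object { $_.MainWindowHandle -eq 0 } |
    ForEach-Object { $findings.Add("window-less iexplore.exe pid=$($_.Id)") }

# 7. Live TCP connections to the download addresses listed on this page.
$c2 = '66.246.72.173', '67.18.114.98', '208.66.194.241', '64.233.183.27', '66.111.4.74',
      '194.67.23.20', '209.85.147.27', '216.157.145.27', '216.195.61.87'
Get-NetTCPConnection -ErrorAction SilentlyContinue |
    Where-Object { $c2 -contains $_.RemoteAddress } |
    ForEach-Object {
        $findings.Add("connection to $($_.RemoteAddress):$($_.RemotePort) pid=$($_.OwningProcess)")
    }

if ($findings.Count -eq 0) {
    Write-Output 'No Agent.BRK indicators found.'
} else {
    $findings | ForEach-Object { Write-Output "[!] $_" }
}
```

Two caveats when reading the output. The dropped components are rootkits, so a user-mode script on the live system may be blinded to the files, services or processes; a clean result is only trustworthy when the same checks are repeated from an offline boot or a mounted disk image. The addresses are the ones listed on this page and may have been reassigned since, and on older Windows versions Get-AuthenticodeSignature reports catalog-signed Microsoft drivers as NotSigned, so treat the signature and connection checks as leads to confirm by hashing against a known-good copy rather than as proof.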





