Trojan-Downloader:W32/Agent.BRK

Summary

This type of trojan secretly downloads malicious files from a remote server, then installs and executes the files.

Disinfection & Removal

Allow F-Secure Anti-Virus to disinfect the relevant files.

For more general information on disinfection, please see Removal Instructions.

Technical Details

Trojan-Downloader:W32/Agent.BRK attempts to download and install a rootkit program onto the affected system, which then forces the computer to act as an e-mail spam-bot.

Execution

Trojan-Downloader:W32/Agent.BRK drops the following driver component once it has been executed:

• %sysdir%\drivers\runtime.sys

The component is detected as Rootkit.Win32.Agent.dw.

It also replaces the file for the Microsoft Windows IPv6 Windows Firewall Driver service:

• %sysdir%\drivers\ip6fw.sys

The file is replaced with a copy of Rootkit.Win32.Agent.dp.

The services are then installed and started.

Activity

Trojan-Downloader:W32/Agent.BRK launches an instance of Microsoft Internet Explorer as a hidden process with its code injected into the process.

It then attempts to connect to the following addresses:

• 66.246.72.173
• 67.18.114.98
• 208.66.194.241

The following address were seen from newer variants of this malware:

• 64.233.183.27
• 66.111.4.74
• 194.67.23.20
• 209.85.147.27
• 216.157.145.27
• 216.195.61.87

It attempts to download another malware component by sending an HTTP GET command with some details regarding the infected machine.

The downloaded file is then saved as:

• %sysdir%\[number]_exception.nls

The variable [number] is any number from 0 - 9.

The downloaded malware is currently detected as Rootkit.Win32.Agent.ey and makes the infected machine act as an e-mail spam bot.

Registry Changes

Trojan-Downloader:W32/Agent.BRK may create any of the following mutex while active:

• k4j.32H_f7z_Z6e.g8G0
• y8w.61T_i0b_Q3f.l4R7