Threat Description

Trojan-Downloader:​W32/Agent.BRK

Details

Aliases:Trojan-Downloader:​W32/Agent.BRK
Category:Malware
Type:Trojan-Downloader
Platform:W32

Summary



This type of trojan secretly downloads malicious files from a remote server, then installs and executes the files.



Removal


Automatic action

Once detected, the F-Secure security product will automatically disinfect the suspect file by either deleting it or renaming it.

More

You may wish to refer to the Support Community for further assistance. You also may also refer to General Removal Instructions for a general guide on alternative disinfection actions.



Technical Details



Trojan-Downloader:W32/Agent.BRK attempts to download and install a rootkit program onto the affected system, which then forces the computer to act as an e-mail spam-bot.

Execution

Trojan-Downloader:W32/Agent.BRK drops the following driver component once it has been executed:

  • %sysdir%\drivers\runtime.sys

The component is detected as Rootkit.Win32.Agent.dw.

It also replaces the file for the Microsoft Windows IPv6 Windows Firewall Driver service:

  • %sysdir%\drivers\ip6fw.sys

The file is replaced with a copy of Rootkit.Win32.Agent.dp.

The services are then installed and started.

Activity

Trojan-Downloader:W32/Agent.BRK launches an instance of Microsoft Internet Explorer as a hidden process with its code injected into the process.

It then attempts to connect to the following addresses:

  • 66.246.72.173
  • 67.18.114.98
  • 208.66.194.241

The following address were seen from newer variants of this malware:

  • 64.233.183.27
  • 66.111.4.74
  • 194.67.23.20
  • 209.85.147.27
  • 216.157.145.27
  • 216.195.61.87

It attempts to download another malware component by sending an HTTP GET command with some details regarding the infected machine.

The downloaded file is then saved as:

  • %sysdir%\[number]_exception.nls

The variable [number] is any number from 0 - 9.

The downloaded malware is currently detected as Rootkit.Win32.Agent.ey and makes the infected machine act as an e-mail spam bot.

Registry Changes

Trojan-Downloader:W32/Agent.BRK may create any of the following mutex while active:

  • k4j.32H_f7z_Z6e.g8G0
  • y8w.61T_i0b_Q3f.l4R7





SUBMIT A SAMPLE

Suspect a file or URL was wrongly detected? Submit a sample to our Labs for analysis

Submit Now

Scan & clean your PC

F-Secure Online Scanner will scan and clean your PC in just a few minutes for free

Learn More