Eng
  1. Skip to navigation
  2. Skip to content
  3. Skip to sidebar


Trojan-Downloader:W32/Agent.BRK


Aliases:

Trojan-Downloader:W32/Agent.BRK

Malware
Trojan-Downloader
W32

Summary

This type of trojan secretly downloads malicious files from a remote server, then installs and executes the files.



Disinfection & Removal

Allow F-Secure Anti-Virus to disinfect the relevant files.

For more general information on disinfection, please see Removal Instructions.



Technical Details

Trojan-Downloader:W32/Agent.BRK attempts to download and install a rootkit program onto the affected system, which then forces the computer to act as an e-mail spam-bot.


Execution

Trojan-Downloader:W32/Agent.BRK drops the following driver component once it has been executed:

  • %sysdir%\drivers\runtime.sys

The component is detected as Rootkit.Win32.Agent.dw.

It also replaces the file for the Microsoft Windows IPv6 Windows Firewall Driver service:

  • %sysdir%\drivers\ip6fw.sys

The file is replaced with a copy of Rootkit.Win32.Agent.dp.

The services are then installed and started.


Activity

Trojan-Downloader:W32/Agent.BRK launches an instance of Microsoft Internet Explorer as a hidden process with its code injected into the process.

It then attempts to connect to the following addresses:

  • 66.246.72.173
  • 67.18.114.98
  • 208.66.194.241

The following address were seen from newer variants of this malware:

  • 64.233.183.27
  • 66.111.4.74
  • 194.67.23.20
  • 209.85.147.27
  • 216.157.145.27
  • 216.195.61.87

It attempts to download another malware component by sending an HTTP GET command with some details regarding the infected machine.

The downloaded file is then saved as:

  • %sysdir%\[number]_exception.nls

The variable [number] is any number from 0 - 9.

The downloaded malware is currently detected as Rootkit.Win32.Agent.ey and makes the infected machine act as an e-mail spam bot.


Registry Changes

Trojan-Downloader:W32/Agent.BRK may create any of the following mutex while active:

  • k4j.32H_f7z_Z6e.g8G0
  • y8w.61T_i0b_Q3f.l4R7








Submit a sample

Wondering if a file or URL is malicious? Submit a sample to our Lab for analysis via the Sample Analysis System (SAS)



F-Secure Community

Give advice. Get advice. Share the knowledge on our free discussion forum.