Additional Details
Agent.JRY is a trojan-downloader. It attempts to secretly download and run other files from remote Web or FTP sites.
Usually, trojan-downloaders attempt to download various trojans and backdoors and activate them on the infected system. Some worms and backdoors have downloader capabilities.
Trojan-Downloader.Win32.Agent.jry arrives on the system through spammed e-mails as an attachment, typically named complaint.scr with the icon of a PDF file.
Registry Changes
Trojan-Downloader.Win32.Agent.jry will create the following registry entry:
• HKLM\Software\Classes\.key
Payload
When executed, this trojan-downloader will download files from:
• http://www.[removed].at/cms/modules/EZCMS/pictures/defailt/irs_efill.php
The file is downloaded to %WINDIR%\svchost.exe and run. The site was active and hosting Trojan-Spy.Win32.Agent.bnb as of March 6, 2008.
Additionally, it will download a legitimate PDF file from:
• http://www.irs.gov/pub/irs-pdf/f3949a.pdf
It opens the PDF file to disguise its intentions.
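
A triage check for the three behaviours described above (the .scr attachment, the registry entry, and svchost.exe running from %WINDIR% instead of System32), as an added example that is not part of the original description. The event field names, host names and sample events are constructed, and the code assumes Windows is installed in C:\Windows with System32 and SysWOW64 as the only legitimate svchost.exe locations.

```python
import ntpath

# Indicators taken from the description above.
DROPPED_NAME = "svchost.exe"
REG_KEY = r"hklm\software\classes\.key"
# Assumption: the only legitimate svchost.exe locations on the host.
LEGIT_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

def check_event(ev):
    """Return a finding string for one event dict, or None if nothing matches."""
    kind = ev.get("type")
    if kind == "process_create":
        directory, name = ntpath.split(ev["image"].lower())
        if name == DROPPED_NAME and directory not in LEGIT_DIRS:
            return f"svchost.exe running outside System32: {ev['image']}"
    elif kind == "registry_set":
        target = ev["target"].lower().rstrip("\\")
        # Exact key or anything beneath it; ".keystore" must not match.
        if target == REG_KEY or target.startswith(REG_KEY + "\\"):
            return f"write under HKLM\\Software\\Classes\\.key: {ev['target']}"
    elif kind == "mail_attachment":
        if ev["filename"].lower().endswith(".scr"):
            return f"screensaver executable attached to mail: {ev['filename']}"
    return None

def triage(events):
    """Group findings by host so correlated behaviours stand out."""
    hits = {}
    for ev in events:
        finding = check_event(ev)
        if finding:
            hits.setdefault(ev["host"], []).append(finding)
    return hits

# Constructed sample events (hypothetical field names, not a real log schema).
SAMPLE = [
    {"host": "ws-01", "type": "mail_attachment", "filename": "complaint.scr"},
    {"host": "ws-01", "type": "registry_set", "target": r"HKLM\SOFTWARE\Classes\.key"},
    {"host": "ws-01", "type": "process_create", "image": r"C:\Windows\svchost.exe"},
    {"host": "ws-02", "type": "process_create", "image": r"C:\Windows\System32\svchost.exe"},
    {"host": "ws-02", "type": "registry_set", "target": r"HKLM\SOFTWARE\Classes\.keystore"},
]

if __name__ == "__main__":
    for host, findings in triage(SAMPLE).items():
        print(host, len(findings))
        for f in findings:
            print("  -", f)
```

A host that shows all three findings together, as ws-01 does in the sample, matches the full infection chain; any single finding alone is weaker evidence.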