



Trojan-Downloader:W32/Agent.JRY

Name: Trojan-Downloader:W32/Agent.JRY
Size: 147,256
Category: Malware
Type: Trojan-Downloader
Platform: W32

Summary

Agent.JRY connects to a website to download additional malware and also opens a legitimate PDF file from a legitimate site.

Additional Details

Agent.JRY is a trojan-downloader. It attempts to secretly download and run other files from remote Web or FTP sites.

Usually, trojan-downloaders attempt to download various trojans and backdoors and activate them on the infected system. Some worms and backdoors have downloader capabilities.

Trojan-Downloader.Win32.Agent.jry arrives on the system as an attachment to spammed e-mails, typically named complaint.scr and bearing the icon of a PDF file.

Registry Changes

Trojan-Downloader.Win32.Agent.jry will create the following registry entry:

  • HKLM\Software\Classes\.key

Payload

When executed, this trojan-downloader will download files from:

  • http://www.[removed].at/cms/modules/EZCMS/pictures/defailt/irs_efill.php

The file is downloaded to %WINDIR%\svchost.exe and run. As of March 6, 2008, the site was active and hosting Trojan-Spy.Win32.Agent.bnb.

Additionally, it will download a legitimate PDF file from:

  • http://www.irs.gov/pub/irs-pdf/f3949a.pdf

It opens the PDF file to disguise its intentions.
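Two behaviours described above lend themselves to simple triage checks: the payload is written to %WINDIR%\svchost.exe, whereas the genuine svchost.exe runs from the System32 (or SysWOW64) subdirectory, and the attachment carries the executable .scr extension behind a PDF icon. The following is an added example, not part of the original description; the function names, the assumption that %WINDIR% is C:\Windows, and the sample events are all constructed for illustration.

```python
import ntpath

# Assumption: Windows is installed in C:\Windows, so %WINDIR% expands to that.
WINDIR = r"C:\Windows"
# Directories the genuine svchost.exe runs from.
LEGIT_SVCHOST_DIRS = {
    ntpath.join(WINDIR, "System32").lower(),
    ntpath.join(WINDIR, "SysWOW64").lower(),
}

def is_masquerading_svchost(image_path):
    """True if the image is named svchost.exe but lives outside System32/SysWOW64."""
    # Normalise first so "..\" segments cannot hide the real directory.
    norm = ntpath.normpath(image_path.strip().strip('"'))
    directory, name = ntpath.split(norm)
    return name.lower() == "svchost.exe" and directory.lower() not in LEGIT_SVCHOST_DIRS

def is_screensaver_attachment(filename):
    """True if the final extension is .scr (a Windows executable), whatever precedes it."""
    return ntpath.splitext(filename.strip())[1].lower() == ".scr"

def triage(events):
    """Return (value, reason) pairs for (kind, value) events of kind 'process' or 'attachment'."""
    findings = []
    for kind, value in events:
        if kind == "process" and is_masquerading_svchost(value):
            findings.append((value, "svchost.exe outside System32/SysWOW64"))
        elif kind == "attachment" and is_screensaver_attachment(value):
            findings.append((value, "executable .scr attachment"))
    return findings

# Constructed sample events, not taken from a real host or mail log.
SAMPLE_EVENTS = [
    ("process", r"C:\Windows\System32\svchost.exe"),
    ("process", r"C:\Windows\svchost.exe"),
    ("process", r"c:\windows\system32\..\svchost.exe"),
    ("attachment", "complaint.scr"),
    ("attachment", "invoice.pdf"),
    ("attachment", "report.pdf.scr"),
]

if __name__ == "__main__":
    for value, reason in triage(SAMPLE_EVENTS):
        print(f"{reason}: {value}")
```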