|
|
|  |
|
|
|
|
F-Secure Malware Information Pages: Trojan-Downloader:W32/Agent.JRY
|
|
|
| Radar |
 |
|
|
|
Summary
|
| Agent.JRY connects to a website to download additional malware, as well as opens a legitimate PDF file from a legitimate site. |
|
|
|
Detailed Description
|
Agent.JRY is trojan-downloader. It attempts to secretly download and run other files from remote Web or FTP sites.
Usually, trojan-downloaders attempt to download various trojans and backdoors and activate them on the infected system. Some worms and backdoors have downloader capabilities.
Trojan-Downloader.Win32.Agent.jry arrives on the system through spammed e-mails as an attachment, typically named complaint.scr with the icon of a pdf file.
Registry Changes
Trojan-Downloader.Win32.Agent.jry will create the following registry entry:
- HKLM\Software\Classes\.key
Payload
When executed, this trojan-downloader will download files from:
- http://www.[removed].at/cms/modules/EZCMS/pictures/defailt/irs_efill.php
The file is downloaded to %WINDIR%\svchost.exe and run. The site was active and hosts Trojan-Spy.Win32.Agent.bnb as of March 6, 2008.
Additionally, it will download a legitimate PDF file from:
- http://www.irs.gov/pub/irs-pdf/f3949a.pdf
It opens the PDF file to disguise its intentions. |
|
|
|
F-Secure Corporation |
|
|
|
|
|
Last Modified: March 07, 2008
|
|
|
|
|
