Trojan-Dropper:W32/Agent.REK

Name: Trojan-Dropper:W32/Agent.REK
Detection Names: Trojan-Dropper.Win32.Agent.rek
Size: 39,424 bytes
Category: Malware
Type: Trojan-Dropper
Platform: W32

Summary

Agent.REK is a dropper: when run, it writes other malware to the infected system and executes it, so the system is compromised by whatever payload it carries.

Additional Details

Upon execution, Agent.REK drops and executes the following files:

  • %System%\WinNt32.dll
  • %System%\drivers\[Random Filename].sys

Note: %System% represents a path that is typically C:\Windows\System32.

Note: [Random Filename] represents a randomly generated filename used by the trojan at the time of infection, such as Oiv23.sys and Tqy10.sys.

The dropped files are detected as Trojan-Downloader.Win32.Agent.GLH and Trojan-Dropper.Win32.Agent.REK respectively.

This Trojan creates the following registry entries as part of its installation:

  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WinNt32
      DLLName = "WinNt32.dll"
      StartShell = "WLEventStartShell"
  • HKLM\SYSTEM\CurrentControlSet\Services\[random filename]
      ImagePath = "%System%\drivers\[random filename].sys"
  • HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\[random filename].sys
      (default) = "Driver"
  • HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\[random filename].sys
      (default) = "Driver"

The Winlogon Notify entry registers WinNt32.dll as a Winlogon notification package, so winlogon.exe loads the DLL with SYSTEM privileges at every logon and calls its WLEventStartShell function when the shell starts. The Services entry installs the dropped file as a kernel driver, and the two SafeBoot entries add it to the driver lists for Safe Mode and Safe Mode with Networking, so the driver is loaded even when the machine is booted into Safe Mode for cleanup.

The dropped WinNt32.dll (detected as Trojan-Downloader.Win32.Agent.GLH) then attempts to connect to the following IP addresses:

  • 208.66.195.15
  • 217.170.77.146
  • 66.232.113.80
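The registry entries and the C2 addresses above can be hunted for offline, without running anything on the suspect host. The following script is an added example, not code from the original description or from any vendor tool: it parses a `reg export` text file for the Winlogon Notify package and for any driver registered to load in both Safe Mode lists, and matches `netstat -ano` output against the listed addresses. The .reg text and the netstat lines are constructed stand-ins for real artifacts; the driver name Oiv23 is one of the random names the description cites, and the "gooddisk" driver is a hypothetical clean one included to show a Minimal-only entry is not flagged.

```python
"""Offline hunt for the Agent.REK persistence keys and C2 addresses. Added
example (not from the description or a vendor tool); inputs are constructed."""
import re

# C2 addresses the dropped downloader contacts (from the description).
C2_IPS = {"208.66.195.15", "217.170.77.146", "66.232.113.80"}

# Constructed `reg export` text (a real export is UTF-16 and writes REG_EXPAND_SZ
# as hex(2):..., left undecoded here). "gooddisk" is a hypothetical clean driver.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WinNt32]
"DLLName"="WinNt32.dll"
"StartShell"="WLEventStartShell"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Oiv23]
"ImagePath"="C:\\Windows\\System32\\drivers\\Oiv23.sys"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\gooddisk]
"ImagePath"="C:\\Windows\\System32\\drivers\\gooddisk.sys"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Oiv23.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Oiv23.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\gooddisk.sys]
@="Driver"
'''

# Constructed `netstat -ano` output (UDP rows carry no State column).
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    10.0.0.5:49213         208.66.195.15:80       SYN_SENT        1288
  UDP    0.0.0.0:123            *:*                                    1104
  TCP    10.0.0.5:49215         66.232.113.80:8080     ESTABLISHED     1288
"""

def _unquote(s):
    """Strip a .reg string's quotes and undo its backslash escaping."""
    return re.sub(r"\\(.)", r"\1", s[1:-1])

def parse_reg_export(text):
    """Return {key path: {value name: data}}; only quoted (REG_SZ) data is decoded."""
    keys, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = re.match(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$', line)
        if current is None or not m:
            continue
        name = "(default)" if m.group(1) == "@" else _unquote(m.group(1))
        data = m.group(2)
        keys[current][name] = _unquote(data) if data.startswith('"') else data
    return keys

def find_persistence(keys, baseline=frozenset()):
    """Flag Winlogon notification packages and drivers registered in both Safe Mode
    lists; `baseline` = lowercase filenames taken from a clean build of the same OS."""
    findings, services = [], {}
    safeboot = {"minimal": set(), "network": set()}
    for path, values in keys.items():
        low = path.lower().split("\\")
        if low[-3:-1] == ["winlogon", "notify"]:
            dll = values.get("DLLName", "")
            if dll.lower() == "winnt32.dll":
                findings.append(("agent_rek_notify_package", path, dll))
            elif dll.lower() not in baseline:
                findings.append(("unbaselined_notify_package", path, dll))
        elif len(low) >= 2 and low[-2] == "services":
            services[low[-1]] = values.get("ImagePath", "")
        elif len(low) >= 3 and low[-3] == "safeboot" and low[-2] in safeboot:
            if values.get("(default)", "").lower() == "driver":
                safeboot[low[-2]].add(low[-1])
    for name, image in services.items():
        fname = image.rsplit("\\", 1)[-1].lower()
        in_both = all(f"{name}.sys" in safeboot[mode] for mode in safeboot)
        if "\\drivers\\" in image.lower() and in_both and fname not in baseline:
            findings.append(("safeboot_driver", name, image))
    return findings

def find_c2_connections(netstat_text):
    """Return (remote ip, remote port, pid) for sockets talking to a C2 address."""
    hits = []
    for line in netstat_text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("TCP", "UDP"):
            continue
        remote, _, port = parts[2].rpartition(":")
        if remote in C2_IPS:
            hits.append((remote, int(port), int(parts[-1])))
    return hits

if __name__ == "__main__":
    print(find_persistence(parse_reg_export(SAMPLE_REG)))
    print(find_c2_connections(SAMPLE_NETSTAT))
```

Because the driver name is random, the SafeBoot check correlates the service key with both SafeBoot lists instead of matching a name; legitimate boot drivers also appear in both lists on a clean system, so pass the filenames from a known-clean reference image as `baseline` to suppress them. The notify check reports WinNt32.dll by name and any other notification DLL not in the baseline, since every such DLL runs inside winlogon.exe. On a live host the same inputs come from `reg export HKLM\SYSTEM sys.reg` and `netstat -ano`.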

Additional Note

Files detected as Trojan-Dropper.Win32.Agent.slh have the same characteristics as Agent.REK.