Trojan-Dropper:W32/Agent.REK

Name: Trojan-Dropper:W32/Agent.REK
Detection Names: Trojan-Dropper.Win32.Agent.rek
Size: 39,424
Category: Malware
Type: Trojan-Dropper
Platform: W32

Summary

Agent.REK drops and executes other malware applications on the infected system, thus compromising system security.

Additional Details

Upon execution, Agent.REK drops and executes the following files:

  •  %System%\WinNt32.dll
  •  %System%\drivers\[Random Filename].sys

Note: %System% represents a path that is typically C:\Windows\System32.

Note: [Random Filename] represents a randomly generated filename used by the trojan at the time of infection, such as Oiv23.sys and Tqy10.sys.

The dropped files are detected as Trojan-Downloader.Win32.Agent.GLH and Trojan-Dropper.Win32.Agent.REK respectively.

This Trojan creates the following registry entries as part of its installation:

  •  HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WinNt32
       DLLName = "WinNt32.dll"
       StartShell = WLEventStartShell
  •  HKLM\SYSTEM\CurrentControlSet\Services\[Random Filename]
       ImagePath = "%System%\drivers\[Random Filename]"
  •  HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\[Random Filename].sys
       (default) = Driver
  •  HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\[Random Filename].sys
       (default) = Driver

Trojan-Downloader.Win32.Agent.GLH then attempts to connect to the following IP addresses:

  •  208.66.195.15
  •  217.170.77.146
  •  66.232.113.80
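The registry keys, dropped files and IP addresses listed above are the artifacts a responder would look for on a suspect host. The script below is an added example, not part of the F-Secure description, that checks an individual Windows machine for each of them from an elevated PowerShell prompt. Because the driver and service name is random, it does not search for a fixed name; instead it flags driver services that are registered in both SafeBoot lists and whose .sys file carries no valid Authenticode signature, which is the combination of artifacts the description attributes to the trojan. It assumes a standard %SystemRoot%\System32 layout and that Get-NetTCPConnection is available (Windows 8 / Server 2012 and later); the IP list is the one given above.

```powershell
# Added example (not F-Secure's code): look for the Agent.REK artifacts described above.
# Assumes a standard %SystemRoot%\System32 layout and an elevated session.

$findings = New-Object System.Collections.Generic.List[string]

# 1. Winlogon Notify package "WinNt32" that loads WinNt32.dll
$notifyKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WinNt32'
if (Test-Path -LiteralPath $notifyKey) {
    $p = Get-ItemProperty -LiteralPath $notifyKey
    $findings.Add("Winlogon Notify key: $notifyKey (DLLName='$($p.DLLName)', StartShell='$($p.StartShell)')")
}

# 2. The dropped DLL on disk
$dll = Join-Path $env:SystemRoot 'System32\WinNt32.dll'
if (Test-Path -LiteralPath $dll) {
    $findings.Add("Dropped DLL on disk: $dll")
}

# 3. Driver services present in BOTH SafeBoot lists whose .sys file has no valid
#    Authenticode signature. The name is random, so match on the combination.
$driverDir = Join-Path $env:SystemRoot 'System32\drivers'
Get-ChildItem -Path 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue |
ForEach-Object {
    $imagePath = (Get-ItemProperty -LiteralPath $_.PSPath -ErrorAction SilentlyContinue).ImagePath
    if (-not $imagePath -or $imagePath -notmatch '(?i)drivers\\([^\\]+\.sys)\s*$') { return }
    $sysName = $Matches[1]

    # Collect the SafeBoot modes in which this driver is registered as "Driver"
    $safeBoot = foreach ($mode in 'Minimal', 'Network') {
        $sb = "HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\$mode\$sysName"
        if (Test-Path -LiteralPath $sb) {
            $default = (Get-ItemProperty -LiteralPath $sb -ErrorAction SilentlyContinue).'(default)'
            if ($default -eq 'Driver') { $mode }
        }
    }
    if (@($safeBoot).Count -ne 2) { return }

    $sysPath = Join-Path $driverDir $sysName
    if (-not (Test-Path -LiteralPath $sysPath)) { return }
    $sig = Get-AuthenticodeSignature -FilePath $sysPath
    if ($sig.Status -ne 'Valid') {
        $findings.Add("Unsigned SafeBoot driver service '$($_.PSChildName)': $sysPath (signature: $($sig.Status))")
    }
}

# 4. Live TCP connections to the addresses used by the downloader component
$iocIps = '208.66.195.15', '217.170.77.146', '66.232.113.80'
Get-NetTCPConnection -ErrorAction SilentlyContinue |
    Where-Object { $iocIps -contains $_.RemoteAddress } |
    ForEach-Object {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        $findings.Add("Connection to $($_.RemoteAddress):$($_.RemotePort) from PID $($_.OwningProcess) ($($proc.ProcessName))")
    }

if ($findings.Count -eq 0) {
    'No Agent.REK artifacts found.'
} else {
    $findings | ForEach-Object { "[!] $_" }
}
```

Two caveats when reading the output. Winlogon Notify packages are only loaded by Windows 2000, XP and Server 2003; Vista and later ignore the key, so on a newer system its presence is evidence that the dropper ran, not that the DLL is being loaded at logon. The SafeBoot check is a heuristic: legitimate boot-critical drivers also appear in both lists, which is why the script only reports those that fail signature validation, and any hit should be confirmed by examining the file itself.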

Additional Note

Files detected as Trojan-Dropper.Win32.Agent.slh have the same characteristics as Agent.REK.