Trojan:W32/Agent.EDY

Name: Trojan:W32/Agent.EDY
Size: 398856
Category: Malware
Type: Trojan
Platform: W32

Summary

Trojan:W32/Agent.EDY is a standalone trojan dropper.

It drops two EXE files on the computer.

Additional Details

Trojan:W32/Agent.EDY is a detection for a trojan-dropper that is packed with a modified version of the UPX file compressor.

It drops two EXE files to the user's computer.

The first file, named Regscan.exe, is dropped to the following location:

  • C:\windows\system32\regscan.exe
    SHA1: 28c80315dfa691f1fb0b5b5cf3a253e416541f53

It also drops a 3 KB file, named the same as the sample itself, to:

  • C:\Documents and Settings\[UserName]\Local Settings\Temp\

Registry Changes

Launch point:

  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Regscan

It adds the following values to the registry:

  • HKCU\Software\Microsoft\Internet Explorer\Settings\GID
  • HKCU\Software\Microsoft\Internet Explorer\Settings\GatesList
  • HKCU\Software\Microsoft\Internet Explorer\Settings\KeyE
  • HKCU\Software\Microsoft\Internet Explorer\Settings\KeyM

Regscan.exe posts a file called bang.cgi to various IP addresses.
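The file, hash and registry indicators listed above can be checked on a suspect host with a short triage script. The following PowerShell is an added example written for this page; it is not F-Secure's code. It uses only the indicators the description gives (the regscan.exe path and SHA1, the Run value named Regscan, and the four values under Internet Explorer\Settings). It assumes it is run in PowerShell on the host under investigation, under the user profile being examined (the launch point and the IE values live under HKCU, so they are per-user), and that $env:SystemRoot points at the Windows directory. The name of the 3 KB file dropped to the Temp folder is not on the page, so that part only lists small EXE candidates for manual review.

```powershell
# Added example (not F-Secure code): triage check for Trojan:W32/Agent.EDY indicators.
# Assumptions: run on the suspect host, under the user profile being examined;
# $env:SystemRoot is the Windows directory. All indicator values come from the page.

$KnownSha1  = '28C80315DFA691F1FB0B5B5CF3A253E416541F53'   # SHA1 of regscan.exe from the page
$DropPath   = Join-Path $env:SystemRoot 'system32\regscan.exe'
$RunKey     = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$IeSettings = 'HKCU:\Software\Microsoft\Internet Explorer\Settings'
$IeValues   = 'GID', 'GatesList', 'KeyE', 'KeyM'

$findings = @()

# 1. Dropped file: is regscan.exe present, and does its SHA1 match the sample on this page?
if (Test-Path -LiteralPath $DropPath) {
    $hash = (Get-FileHash -LiteralPath $DropPath -Algorithm SHA1).Hash
    if ($hash -eq $KnownSha1) {
        $findings += "Dropped file present with matching SHA1: $DropPath"
    } else {
        # Same name but a different hash: could be a variant or an unrelated file; review manually.
        $findings += "File present but SHA1 differs ($hash): $DropPath"
    }
}

# 2. Launch point: a Run value named 'Regscan' under HKCU.
$run = Get-ItemProperty -Path $RunKey -ErrorAction SilentlyContinue
if ($run -and $run.PSObject.Properties['Regscan']) {
    $findings += "Run key launch point: Regscan = $($run.Regscan)"
}

# 3. Configuration values the dropper writes under Internet Explorer\Settings.
$ie = Get-ItemProperty -Path $IeSettings -ErrorAction SilentlyContinue
foreach ($name in $IeValues) {
    if ($ie -and $ie.PSObject.Properties[$name]) {
        $findings += "IE Settings value present: $name"
    }
}

# 4. The second dropped file is ~3 KB and carries the sample's own name (unknown here),
#    so list small EXE files in the user's Temp folder as candidates for manual review.
$candidates = Get-ChildItem -Path $env:TEMP -Filter '*.exe' -File -ErrorAction SilentlyContinue |
    Where-Object { $_.Length -le 4096 }
foreach ($c in $candidates) {
    $findings += "Small EXE in Temp (candidate, verify manually): $($c.FullName) ($($c.Length) bytes)"
}

if ($findings.Count -eq 0) {
    Write-Output 'No Trojan:W32/Agent.EDY indicators found.'
} else {
    Write-Output 'Indicators found:'
    $findings | ForEach-Object { Write-Output "  - $_" }
}
```

A hash mismatch on a file at the expected path is reported separately rather than ignored, since a repacked variant would keep the path and Run value but not the SHA1; the registry checks do not depend on the hash for that reason.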

Detection

F-Secure Anti-Virus detects this malware with the following updates:

[FSAV_Database_Version]

Version = 2008-01-14_02.