F-Secure Malware Information Pages: Trojan:W32/Agent.EDY

Main Index

Security Guide

F-Secure World Map

Security Alerts

Virus Statistics

Malware Removal Tools

Malware Code Glossary

Submit Malware Sample

Select local site

Main Index » Security Centre » Descriptions

F-Secure Malware Information Pages: Trojan:W32/Agent.EDY

[Summary] \| [Detailed Description] \| [Detection]
Name :	Trojan:W32/Agent.EDY
Size:	398856
Type:	Trojan
Category:	Malware
Platform:	W32

Radar

Summary

Trojan:W32/Agent.EDY is a standalone trojan dropper.

It drops two EXE files on the computer.

Back to the Top

Detailed Description

Trojan:W32/Agent.EDY is detection of a trojan-dropper which is packed with a modified version of UPX file compressor.

It drops two EXE files to the user's computer.

The first file named Regscan.exe is dropped to the following location:

C:\windows\system32\regscan.exe
SHA1: 28c80315dfa691f1fb0b5b5cf3a253e416541f53

It also drops a 3Kb sized file that is named the same as the sample itself to:

C:\Documents and Settings\[UserName]\Local Settings\Temp\

Registy Changes

Launch point:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Regscan

Add these value to registry:

HKCU\Software\Microsoft\Internet Explorer\Settings\GID
HKCU\Software\Microsoft\Internet Explorer\Settings\GatesList
HKCU\Software\Microsoft\Internet Explorer\Settings\KeyE
HKCU\Software\Microsoft\Internet Explorer\Settings\KeyM

Regscan.exe posts a file called bang.cgi to various IP addresses.

Back to the Top

Detection

F-Secure Anti-Virus detects this malware with the following updates:

[FSAV_Database_Version]

Version = 2008-01-14_02.

Back to the Top

F-Secure Corporation

Last Modified: January 14, 2008