Rootkit:W32/Agent.EA is a kernel-mode rootkit program that is capable of hiding its presence and activity from the user. While active, the rootkit uses the infected computer to send spam messages.
Once detected, the F-Secure security product will automatically disinfect the suspect file by either deleting it or renaming it.
More information on scanning and removal options available in your F-Secure product can be found in the Help Center.
You may also refer to the Knowledge Base on the F-Secure Community site for more information.
Agent.EA arrives as a dropper that installs the main driver of the trojan and deletes itself. Upon execution, it creates the following file:
It installs the driver file as a service by creating the following registry key:
The dropper deletes itself with the following batch file:
When the driver file is activated, it might connect to one of the following remote sites in an attempt to retrieve spam messages:
The driver also hides itself, its registry keys, and network traffic using rootkit techniques. The spamming routine is also implemented entirely in the kernel-mode component (windbg48.sys).
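Because the driver filters its own service key and file out of enumerations done on the live system, the standard defensive check is a cross-view comparison: enumerate the Services key and the drivers directory from the running system, enumerate them again from a view the rootkit cannot hook (for example the SYSTEM hive and disk read from a rescue boot), and flag whatever exists only in the trusted view. The following is an added example written for this description and is not F-Secure's detection code; the two views, the service entries and the directory listings are constructed sample data, and only the driver name windbg48.sys comes from the description above.

```python
"""Cross-view diff for spotting a kernel-driver service hidden by a rootkit.

Added example (not F-Secure's code). Both "views" below are constructed:
OFFLINE_* stands for an enumeration the rootkit cannot tamper with (hive
and disk read from a clean boot), ONLINE_* for the same enumeration on the
infected, running system. Only the name windbg48.sys is from the description.
"""
from dataclasses import dataclass

# Win32 service type flags for kernel and file-system drivers (SERVICE_KERNEL_DRIVER,
# SERVICE_FILE_SYSTEM_DRIVER); user-mode services use other bits.
SERVICE_KERNEL_DRIVER = 0x1
SERVICE_FILE_SYSTEM_DRIVER = 0x2


@dataclass(frozen=True)
class ServiceEntry:
    name: str          # subkey name under HKLM\SYSTEM\CurrentControlSet\Services
    service_type: int  # "Type" value
    start: int         # "Start" value: 0 boot, 1 system, 2 auto, 3 manual, 4 disabled
    image_path: str    # "ImagePath" value


# Constructed trusted view: parsed from the SYSTEM hive on a clean boot.
OFFLINE_SERVICES = [
    ServiceEntry("Disk", 0x1, 0, r"System32\drivers\disk.sys"),
    ServiceEntry("Tcpip", 0x1, 1, r"System32\drivers\tcpip.sys"),
    ServiceEntry("windbg48", 0x1, 1, r"System32\drivers\windbg48.sys"),  # constructed entry
    ServiceEntry("Spooler", 0x10, 2, r"%SystemRoot%\System32\spoolsv.exe"),
]
# Constructed live view: the same key as seen through the hooked registry API,
# with the rootkit's own key filtered out.
ONLINE_SERVICES = [e for e in OFFLINE_SERVICES if e.name != "windbg48"]

# Constructed directory listings of System32\drivers, trusted and live.
OFFLINE_DRIVER_DIR = {"disk.sys", "tcpip.sys", "windbg48.sys"}
ONLINE_DRIVER_DIR = {"disk.sys", "tcpip.sys"}


def hidden_services(online, offline):
    """Service entries present in the trusted view but absent from the live one."""
    seen = {e.name.lower() for e in online}
    return [e for e in offline if e.name.lower() not in seen]


def hidden_files(online_dir, offline_dir):
    """File names present on disk (trusted view) but missing from the live listing."""
    online_lower = {f.lower() for f in online_dir}
    return sorted(f for f in offline_dir if f.lower() not in online_lower)


def suspicious_drivers(online, offline, online_dir, offline_dir):
    """Correlate the two diffs: hidden driver services and whether their image
    file is hidden as well. A hit on both is the classic rootkit signature."""
    missing_files = {f.lower() for f in hidden_files(online_dir, offline_dir)}
    findings = []
    for e in hidden_services(online, offline):
        if not e.service_type & (SERVICE_KERNEL_DRIVER | SERVICE_FILE_SYSTEM_DRIVER):
            continue  # a hidden user-mode service is still odd, but not this rootkit's pattern
        image = e.image_path.replace("\\", "/").rsplit("/", 1)[-1].lower()
        findings.append({
            "service": e.name,
            "image": image,
            "start": e.start,
            "file_hidden": image in missing_files,
        })
    return findings


if __name__ == "__main__":
    for f in suspicious_drivers(ONLINE_SERVICES, OFFLINE_SERVICES,
                                ONLINE_DRIVER_DIR, OFFLINE_DRIVER_DIR):
        print(f)
```

On a real host the two views would come from a live registry/directory enumeration and from the same hive and volume read while booted from trusted media; the comparison logic is the same, and a kernel driver whose service key and image file both disappear from the live view is the finding to act on.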