Home > Threat descriptions >

Trojan-Downloader:W32/Agent.BRK

Classification

Category: Malware

Type: Trojan-Downloader

Aliases: Trojan-Downloader:W32/Agent.BRK

Summary


It has come to our attention that F-Secure Anti-Virus had a false alarm on the LINEAGE.EXE file as "Trojan-Downloader.Win32.Agent.bqq" with the updates published on May 22nd, 2007. The false alarm problem is fixed in the 2007-05-22_05 anti-virus update. We are sorry for any possible inconvenience that this false alarm caused to our customers.

Removal


Automatic action

Based on the settings of your F-Secure security product, it will either automatically delete, quarantine or rename the detected program or file, or ask you for a desired action.

Knowledge Base

Find the latest advice in our Community Knowledge Base.

About the product

See the manual for your F-Secure product on the Help Center.

Contact Support

Chat with or call an expert for help.

Submit a sample

Submit a file or URL for further analysis.

Technical Details


Execution

Trojan-Downloader:W32/Agent.BRK drops the following driver component once it has been executed:

  • %sysdir%\drivers\runtime.sys

The component is detected as Rootkit.Win32.Agent.dw.

It also replaces the file for the Microsoft Windows IPv6 Windows Firewall Driver service:

  • %sysdir%\drivers\ip6fw.sys

The file is replaced with a copy of Rootkit.Win32.Agent.dp.

The services are then installed and started.

Activity

Trojan-Downloader:W32/Agent.BRK launches an instance of Microsoft Internet Explorer as a hidden process with its code injected into the process.

It then attempts to connect to the following addresses:

  • 66.246.72.173
  • 67.18.114.98
  • 208.66.194.241

The following address were seen from newer variants of this malware:

  • 64.233.183.27
  • 66.111.4.74
  • 194.67.23.20
  • 209.85.147.27
  • 216.157.145.27
  • 216.195.61.87

It attempts to download another malware component by sending an HTTP GET command with some details regarding the infected machine.

The downloaded file is then saved as:

  • %sysdir%\[number]_exception.nls

The variable [number] is any number from 0 - 9.

The downloaded malware is currently detected as Rootkit.Win32.Agent.ey and makes the infected machine act as an email spam bot.

Registry Changes

Trojan-Downloader:W32/Agent.BRK may create any of the following mutex while active:

  • k4j.32H_f7z_Z6e.g8G0
  • y8w.61T_i0b_Q3f.l4R7