It has come to our attention that F-Secure Anti-Virus had a false alarm on the LINEAGE.EXE file as "Trojan-Downloader.Win32.Agent.bqq" with the updates published on May 22nd, 2007. The false alarm problem is fixed in the 2007-05-22_05 anti-virus update. We are sorry for any possible inconvenience that this false alarm caused to our customers.
Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.
Find the latest advice in our Community Knowledge Base.
See the manual for your F-Secure product on the Help Center.
Submit a file or URL for further analysis.
Trojan-Downloader:W32/Agent.BRK drops the following driver component once it has been executed:
The component is detected as Rootkit.Win32.Agent.dw.
It also replaces the file for the Microsoft Windows IPv6 Windows Firewall Driver service:
The file is replaced with a copy of Rootkit.Win32.Agent.dp.
The services are then installed and started.
Trojan-Downloader:W32/Agent.BRK launches an instance of Microsoft Internet Explorer as a hidden process with its code injected into the process.
It then attempts to connect to the following addresses:
The following address were seen from newer variants of this malware:
It attempts to download another malware component by sending an HTTP GET command with some details regarding the infected machine.
The downloaded file is then saved as:
The variable [number] is any number from 0 - 9.
The downloaded malware is currently detected as Rootkit.Win32.Agent.ey and makes the infected machine act as an email spam bot.
Trojan-Downloader:W32/Agent.BRK may create any of the following mutex while active:
Date Created: -
Date Last Modified: -