Trojan-Downloader:W32/Agent.BRK

Classification

Malware

Trojan-Downloader

W32

Trojan-Downloader:W32/Agent.BRK

Summary

It has come to our attention that F-Secure Anti-Virus had a false alarm on the LINEAGE.EXE file as "Trojan-Downloader.Win32.Agent.bqq" with the updates published on May 22nd, 2007. The false alarm problem is fixed in the 2007-05-22_05 anti-virus update. We are sorry for any possible inconvenience that this false alarm caused to our customers.

Automatic action

Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.

Suspect a file is incorrectly detected (a False Positive)?

A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:

  • Check for the latest database updates

    First check if your F-Secure security program is using the latest detection database updates, then try scanning the file again.

  • Submit a sample

    After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.

    NOTE If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.

  • Exclude a file from further scanning

    If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.

    Note You need administrative rights to change the settings.

For more Support

Community

Find the latest advice in our Community.

User Guide

See the user guide for your product on the Help Center.

Contact Support

Chat with or call an expert for help.

Submit a sample

Submit a file or URL for further analysis.

Technical Details

Execution

Trojan-Downloader:W32/Agent.BRK drops the following driver component once it has been executed:

  • %sysdir%\drivers\runtime.sys

The component is detected as Rootkit.Win32.Agent.dw.

It also replaces the file for the Microsoft Windows IPv6 Windows Firewall Driver service:

  • %sysdir%\drivers\ip6fw.sys

The file is replaced with a copy of Rootkit.Win32.Agent.dp.

The services are then installed and started.

Activity

Trojan-Downloader:W32/Agent.BRK launches an instance of Microsoft Internet Explorer as a hidden process with its code injected into the process.

It then attempts to connect to the following addresses:

  • 66.246.72.173
  • 67.18.114.98
  • 208.66.194.241

The following address were seen from newer variants of this malware:

  • 64.233.183.27
  • 66.111.4.74
  • 194.67.23.20
  • 209.85.147.27
  • 216.157.145.27
  • 216.195.61.87

It attempts to download another malware component by sending an HTTP GET command with some details regarding the infected machine.

The downloaded file is then saved as:

  • %sysdir%\[number]_exception.nls

The variable [number] is any number from 0 - 9.

The downloaded malware is currently detected as Rootkit.Win32.Agent.ey and makes the infected machine act as an email spam bot.

Registry Changes

Trojan-Downloader:W32/Agent.BRK may create any of the following mutex while active:

  • k4j.32H_f7z_Z6e.g8G0
  • y8w.61T_i0b_Q3f.l4R7