It has come to our attention that F-Secure Anti-Virus raised a false alarm on the LINEAGE.EXE file, detecting it as "Trojan-Downloader.Win32.Agent.bqq", with the updates published on May 22nd, 2007. The false alarm is fixed in the 2007-05-22_05 anti-virus update. We are sorry for any inconvenience that this false alarm caused to our customers.
Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.
A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:
Check for the latest database updates
First check if your F-Secure security program is using the latest detection database updates, then try scanning the file again.
Submit a sample
After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.
Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.
Exclude a file from further scanning
If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.
Note: You need administrative rights to change the settings.
Trojan-Downloader:W32/Agent.BRK drops the following driver component once it has been executed:
The component is detected as Rootkit.Win32.Agent.dw.
It also replaces the file for the Microsoft Windows IPv6 Windows Firewall Driver service:
The file is replaced with a copy of Rootkit.Win32.Agent.dp.
The services are then installed and started.
Trojan-Downloader:W32/Agent.BRK launches an instance of Microsoft Internet Explorer as a hidden process with its code injected into the process.
It then attempts to connect to the following addresses:
The following addresses were seen in newer variants of this malware:
It attempts to download another malware component by sending an HTTP GET command with some details regarding the infected machine.
The downloaded file is then saved as:
The variable [number] is any number from 0 to 9.
The downloaded malware is currently detected as Rootkit.Win32.Agent.ey and makes the infected machine act as an email spam bot.
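The launch, inject and connect sequence described above leaves a recognizable trail in process telemetry. The following is an added example, not F-Secure's code: it correlates constructed, Sysmon-style events to find an Internet Explorer process that was started by an unexpected parent, received a remote thread, and then opened a network connection. The simplified event layout, the allow list of parents, and all paths, PIDs and addresses are assumptions made for illustration.

```python
import ntpath

BROWSER = "iexplore.exe"
# Assumption: parents that normally start the browser on the monitored hosts.
EXPECTED_PARENTS = {"explorer.exe", "iexplore.exe"}
IE = r"C:\Program Files\Internet Explorer\iexplore.exe"

# Constructed events shaped like Sysmon IDs 1 (process create),
# 8 (remote thread) and 3 (network connection); every value is made up.
EVENTS = [
    {"id": 1, "pid": 2040, "image": IE, "parent": r"C:\Windows\explorer.exe"},
    {"id": 3, "pid": 2040, "dst": "192.0.2.10:80"},
    {"id": 1, "pid": 2888, "image": IE, "parent": r"C:\Tools\mailclient.exe"},
    {"id": 3, "pid": 2888, "dst": "192.0.2.20:80"},
    {"id": 1, "pid": 3112, "image": IE, "parent": r"C:\Temp\sample.exe"},
    {"id": 8, "source": r"C:\Temp\sample.exe", "target_pid": 3112},
    {"id": 3, "pid": 3112, "dst": "198.51.100.7:80"},
]


def base(path):
    """Lower-cased file name of a Windows path."""
    return ntpath.basename(path).lower()


def find_injected_browsers(events):
    """Return browser processes that were started by an unexpected parent,
    received a remote thread, and afterwards opened a network connection."""
    suspects = {}  # pid -> record for browsers with an unexpected parent
    for ev in events:
        if ev["id"] == 1 and base(ev["image"]) == BROWSER:
            if base(ev["parent"]) not in EXPECTED_PARENTS:
                suspects[ev["pid"]] = {"pid": ev["pid"], "parent": ev["parent"],
                                       "injector": None, "destinations": []}
        elif ev["id"] == 8 and ev["target_pid"] in suspects:
            suspects[ev["target_pid"]]["injector"] = ev["source"]
        elif ev["id"] == 3 and ev["pid"] in suspects:
            rec = suspects[ev["pid"]]
            if rec["injector"]:  # only count traffic seen after the injection
                rec["destinations"].append(ev["dst"])
    return [r for r in suspects.values() if r["destinations"]]


if __name__ == "__main__":
    for hit in find_injected_browsers(EVENTS):
        print(hit)
```

The browser started by the mail client (PID 2888) is not reported because no remote thread was created in it; requiring all three signals keeps ordinary link-opening helpers out of the results.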
Trojan-Downloader:W32/Agent.BRK may create any of the following mutexes while active: