Trojan-Dropper:W32/Agent.REK

Upon execution, Agent.REK drops and executes the following files:

• %System%\WinNt32.dll
• %System%\drivers\[Random Filename].sys

Note: %System% represents a path that is typically C:\Windows\System32. Note: [Random Filename] represents a randomly generated filename used by the trojan at the time of infection, such as Oiv23.sys and Tqy10.sys. The dropped files are detected as Trojan-Downloader.Win32.Agent.GLH and Trojan-Dropper.Win32.Agent.REK respectively. This Trojan creates the following registry entries as part of its installation:

• HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WinNt32 DLLName = "WinNt32.dll" StartShell = WLEventStartShell
• HKLM\SYSTEM\CurrentControlSet\Services\[random filename] ImagePath = "%System%\drivers\[random filename]
• HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\[random filename].sys (default) = Driver
• HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\[random filename].sys (default) = Driver

Trojan-Downloader.Win32.Agent.GLH then attempts to connect to the following IP addresses:

• 208.66.195.15
• 217.170.77.146
• 66.232.113.80

Additional Note

Files detected as Trojan-Dropper.Win32.Agent.slh have the same characteristics as Agent.REK.