SecurityHome.eu Rootkit:W32/Agent.EA

Home / malware PDF

Rootkit:W32/Agent.EA

First posted on 11 July 2007.
Source: SecurityHome
Aliases :
Rootkit:W32/Agent.EA is also known as Trojan.Srizbi, Agent.ea, Rootkit.Win32.Agent.ea.
Explanation :
Rootkit.Win32.Agent.ea is kernel malware that hides itself and sends spam messages.

Agent.ea arrives as a dropper that installs the main driver of the trojan and deletes itself. Upon execution, it creates the following file:

%System%windbg48.sys

It installs the driver file as service by creating the following registry key:

HKLMSystemCurrentControlSetServiceswindbg48

The dropper deletes itself with the following batch file:

%Temp%\_uninsep.bat

When the driver file is activated, it might connect to one of the following remote sites in an attempt to retrieve spam messages:

www.konskyvolos.com
www.swinmaster.com

The driver also hides itself, its registry keys, and network traffic using rootkit techniques. The spamming routine is also implemented entirely in the kernel-mode component (windbg48.sys).

Last update 11 July 2007

TOP

Rootkit:W32/Agent.EA

Aliases :

Explanation :

Malware :

Family: