TrojanDropper:Win32/Agent.gen!I is a generic detection for malware that drops other malware.
It may drop files to the following locations:
- <startup folder>\<random file name 1>.exe
- <system folder>\<random file name 2>.dll
Note 1 - <startup folder> refers to a variable location that is determined by the malware by querying the Operating System. The default installation location for the Startup folder for Windows 9x, Me, NT, 2000, XP and 2003 is '%USERPROFILE%\Start Menu\Programs\Startup'. For Windows Vista and 7, the default location is '%USERPROFILE%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup'.
Note 2 - <system folder> refers to a variable location that is determined by the malware by querying the Operating System. The default installation location for the System folder for Windows 2000 and NT is C:\Winnt\System32; and for XP, Vista, and 7 is C:\Windows\System32.
It usually adds its dropped DLL file as a service, allowing it to automatically run when Windows starts.
For example, a particular variant of TrojanDropper:Win32/Agent.gen!I is known to do the following:
It creates the following files:
TrojanDropper:Win32/Agent.gen!I then adds the following registry entries to allow its dropped DLL file to automatically run when Windows starts:
Adds value: "Description"
With data: "service advertising protocol."
To subkey: HKLM\SYSTEM\CurrentControlSet\Services\Nwsapagent
Adds value: "ServiceDll"
With data: "<system folder>\nwagentsdt.dll"
To subkey: HKLM\SYSTEM\CurrentControlSet\Services\Nwsapagent\Parameters
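As an added defender-side example (not part of this description), the Python script below parses a `reg export` of the Services hive and flags svchost-hosted services whose ServiceDll name matches the dropped file listed above or loads from outside the system folder; the sample export, the GoodSvc service and the "unusual folder" heuristic are constructed for illustration.

```python
import re
def _hex2(value):  # encode as reg.exe exports REG_EXPAND_SZ: UTF-16LE bytes plus NUL
    return "hex(2):" + ",".join(f"{b:02x}" for b in value.encode("utf-16-le") + b"\0\0")
# Constructed sample export (not from the page): a benign service plus the
# Nwsapagent entry carrying the ServiceDll value the description lists.
SAMPLE_REG = (
    "Windows Registry Editor Version 5.00\r\n\r\n"
    "[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\GoodSvc\\Parameters]\r\n"
    '"ServiceDll"=' + _hex2("%SystemRoot%\\System32\\goodsvc.dll") + "\r\n\r\n"
    "[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Nwsapagent]\r\n"
    '"Description"="service advertising protocol."\r\n\r\n'
    "[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Nwsapagent\\Parameters]\r\n"
    '"ServiceDll"="C:\\\\Windows\\\\System32\\\\nwagentsdt.dll"\r\n'
)
KNOWN_BAD_DLLS = {"nwagentsdt.dll"}  # file name from the description above

def parse_service_dlls(reg_text):
    """Map service name -> ServiceDll path; hex(2) values may wrap across lines with '\\'."""
    dlls, key, pending = {}, "", ""
    for raw in reg_text.splitlines():
        line = pending + raw.strip()
        if line.endswith("\\") and not line.startswith("["):
            pending = line[:-1]              # value continues on the next line
            continue
        pending = ""
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = re.match(r'"ServiceDll"=(.*)', line)
        parts = key.split("\\")
        if not m or len(parts) < 2 or parts[-1].lower() != "parameters":
            continue                         # svchost reads Services\<svc>\Parameters\ServiceDll
        val = m.group(1)
        if val.startswith("hex(2):"):        # REG_EXPAND_SZ export
            data = bytes(int(h, 16) for h in val[7:].split(",") if h)
            val = data.decode("utf-16-le").rstrip("\0")
        else:                                # REG_SZ export: quoted, backslashes doubled
            val = val.strip('"').replace("\\\\", "\\")
        dlls[parts[-2]] = val
    return dlls

def suspicious_services(reg_text):
    """Flag services whose ServiceDll matches the dropped file or sits outside System32."""
    findings = []
    for svc, dll in parse_service_dlls(reg_text).items():
        folder, _, fname = dll.rpartition("\\")
        if fname.lower() in KNOWN_BAD_DLLS:
            findings.append((svc, f"ServiceDll {fname} matches the dropped DLL"))
        elif not folder.lower().endswith("system32"):
            findings.append((svc, f"ServiceDll loaded from unusual folder: {folder}"))
    return findings
```

On a live system the input comes from `reg export HKLM\SYSTEM\CurrentControlSet\Services services.reg`; a hit on the folder heuristic is a triage prompt, not a verdict.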
Analysis by Francis Allan Tan Seng