TROJ_AGENT.AMAL is a memory-resident Trojan that arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by a user when visiting malicious websites. It may also arrive as a spammed email message.

The spam message targets company CEOs. It contains fake subpoena information, including a link to a document file that recipients are told they must download as a purported reference.

When executed, this Trojan modifies the system's registry to enable its automatic execution. It does this by creating certain keys and entries, and by registering itself as a Browser Helper Object (BHO).


It drops a .DLL component file that Trend Micro also detects as TROJ_AGENT.AMAL.
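
The BHO registration described above can be audited offline from a registry export. The following is an added example, not Trend Micro's code: it parses `reg export` text, lists every registered BHO, resolves its CLSID to the `InprocServer32` DLL, and flags DLLs outside the usual install directories. The sample export, CLSIDs, paths and the directory heuristic are constructed assumptions, not indicators for this Trojan.

```python
import re

# Matches both the native and the WOW6432Node (32-bit) BHO registration key.
BHO_KEY = "\\microsoft\\windows\\currentversion\\explorer\\browser helper objects\\"
# Heuristic assumed for this example: legitimate BHO DLLs usually live here.
EXPECTED_DIRS = ("c:\\program files\\", "c:\\program files (x86)\\",
                 "c:\\windows\\system32\\")
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")="((?:[^"\\]|\\.)*)"$')

def parse_reg(text):
    """Parse `reg export` text into {lowercased key: {lowercased name: string data}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
        elif current is not None and (m := VALUE_RE.match(line)):
            name = "" if m.group(1) == "@" else m.group(1)[1:-1]
            current[name.lower()] = re.sub(r"\\(.)", r"\1", m.group(2))
    return keys

def audit_bhos(text):
    """Return (clsid, dll_path, reason) per registered BHO; reason is None if unremarkable."""
    keys, results = parse_reg(text), []
    for key in keys:
        if BHO_KEY not in key:
            continue
        clsid = key.rsplit("\\", 1)[1]
        suffix = "\\clsid\\" + clsid + "\\inprocserver32"
        dll = next((v.get("") for k, v in keys.items() if k.endswith(suffix)), None)
        reason = None
        if dll is None:
            reason = "no InprocServer32 DLL registered"
        elif not dll.lower().startswith(EXPECTED_DIRS):
            reason = "DLL outside expected install directories"
        results.append((clsid, dll, reason))
    return results

# Constructed sample export (CLSIDs and paths are made up for illustration).
SAMPLE = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11111111-1111-1111-1111-111111111111}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{22222222-2222-2222-2222-222222222222}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{11111111-1111-1111-1111-111111111111}\InprocServer32]
@="C:\\Program Files\\Example Toolbar\\toolbar.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{22222222-2222-2222-2222-222222222222}\InprocServer32]
@="C:\\Users\\Public\\helper.dll"
"""
if __name__ == "__main__":
    print(audit_bhos(SAMPLE))
```

Files written by `reg export` are UTF-16 encoded, so decode them accordingly before passing the text to `audit_bhos`.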

This Trojan opens a hidden Internet Explorer (IE) window in an attempt to connect to a possibly malicious URL. This action suggests that the Trojan can download possibly malicious files onto the affected system.

Technical details can be found at this Trend Micro page.