When run Troj/Agent-GYS drops three files in the Temp folder. These are detected as Troj/Agent-GXV, Troj/Agent-GXV and Mal/Behav-119. It also overwrites <System>\Drivers\Beep.sys. This file is detected as Troj/Agent-GXV.
Troj/Agent-GYS creates registry entries under the registry location:
HKCR\CLSID\{E25C29AB-12B9-4523-A53C-324B5FBA648C}
Troj/Agent-GYS also creates the following registry entries:
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Desktop
sysfile
<Infected filename>
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Shell
Rundll32.exe "<System>\shell32.dll",Control_RunDLL <infected file>
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
{E25C29AB-12B9-4523-A53C-324B5FBA648C}
""