F-Secure
Tools
Rootkit
| Name : | Rootkit |
| Category: | Malware |
| Type: | Rootkit |
| Platform: | W32 |
Summary
Rootkit (Generic Description)
Rootkit is usually a standalone sofware component that attempts
to hide processes, files, registry data and network connections.
Rootkits are typically not malicious by themselves but are used
for malicious purposes by viruses, worms, backdoors and spyware.
A virus combined with a rootkit produces what was known as full
stealth viruses in the MS-DOS environment.
Typically rootkit functionality is achieved by using kernel-mode
driver. In this scenario, malware drops a driver file on disk
and loads it in kernel space. Once loaded, the driver is instructed
to hide the malicious actions. Some rootkits can also operate from
user mode. It this case, the malware usually drops a DLL file
on disk and loads it in all processes. In rare cases, the rootkit
doesn't need any external files to operate.
Examples of pure rootkits are Hacker Defender and FU. Some
spyware/adware programs such as EliteToolbar, ProAgent, and Probot
SE also use rootkit techiques. Some Trojans such as Haxdoor,
Berbew/Padodor and Feutel/Hupigon, and also some worms e.g. Myfip.h
and the Maslan-family can also utilize rookit functions.
Rootkit is usually a standalone sofware component that attempts
to hide processes, files, registry data and network connections.
Rootkits are typically not malicious by themselves but are used
for malicious purposes by viruses, worms, backdoors and spyware.
A virus combined with a rootkit produces what was known as full
stealth viruses in the MS-DOS environment.
Typically rootkit functionality is achieved by using kernel-mode
driver. In this scenario, malware drops a driver file on disk
and loads it in kernel space. Once loaded, the driver is instructed
to hide the malicious actions. Some rootkits can also operate from
user mode. It this case, the malware usually drops a DLL file
on disk and loads it in all processes. In rare cases, the rootkit
doesn't need any external files to operate.
Examples of pure rootkits are Hacker Defender and FU. Some
spyware/adware programs such as EliteToolbar, ProAgent, and Probot
SE also use rootkit techiques. Some Trojans such as Haxdoor,
Berbew/Padodor and Feutel/Hupigon, and also some worms e.g. Myfip.h
and the Maslan-family can also utilize rookit functions.
Disinfection
Rootkit detection
If the rootkit is not detected or it is hidden so that FSAV cannot
detect its file, it is still possible to detect the malicious activity
by scanning the system with generic rootkit scanner, such as
F-Secure BlackLight. More information about F-Secure BlackLight Rootkit
Elimination Technology can be found here:
http://www.f-secure.com/blacklight/
Automatic Disinfection
If the rootkit file is detected, it is automatically removed by
F-Secure Anti-Virus (FSAV) starting from version 5.40. Malware files
get automatically renamed by FSAV, so they can not be started any
more. In some rare cases, when automatic disinfection is not possible,
a user can select disinfection action by him/herself to make FSAV
rename or delete an infected file. In some special cases it is
recommended to use specific disinfection tools provided by F-Secure.
They can be downloaded from our ftp site:
ftp://ftp.f-secure.com/anti-virus/tools/
F-Secure Anti-Virus can be purchased from our webshop or from our
authorised distributors. A trial version F-Secure Anti-Virus,
limited to 30 days, can be downloaded from our website:
http://www.f-secure.com/download-purchase/
All the latest versions of FSAV can download anti-virus database
updates automatically. However, these updates can be also
downloaded and installed manually from our web or ftp sites:
http://www.f-secure.com/download-purchase/updates.shtml
Manual Disinfection
To manually disinfect standalone malware (backdoors, worms,
trojans, etc.) it's usually enough to delete all infected files
from a computer and to restart it. Active malware files are
usually locked by operating system so different disinfection
approaches are required for different operating systems.
Please note that manual disinfection is a risky process, so it is
recommended only for advanced users.
Windows 95, 98, ME
If Windows 9x operating system is used, it is recommended to
restart a computer from a bootable system diskette and to delete
an infected file from command prompt. For example if a malicious
file named ABC.EXE is located in Windows folder, it is usually
enough to type the following command at command prompt:
DEL C:\WINDOWS\ABC.EXE
and to press Enter. After that an infected file will be gone.
Windows NT, 2000, XP
If Windows NT, 2000 or XP is used, a malicious file has to be
renamed with a different extension (for example .VIR) and then a
system has to be restarted. After restart a renamed malicious
file will no longer be active and it can be easily deleted
manually.
System Restore issue
If Windows ME or XP is used, it is recommended to disable System
Restore feature of these operating systems to prevent a computer
from re-infection by an already removed malware. The fact is that
System Restore feature of these operating systems might save an
infected file into the special folder and copy it back to a hard
drive it every time it's been renamed or deleted by F-Secure
Anti-Virus or by a user. Instructions on how to disable System
Restore feature are here:
Windows ME:
http://www.europe.f-secure.com/v-descs/sfc_dis.shtml
Windows XP:
http://www.europe.f-secure.com/v-descs/sfc_dis1.shtml
It is recommended to re-enable System Restore after disinfection
in order to restore stable system configuration in the future,
if any crash or incompatibility issue occurs.
Contacting F-Secure for help
If you have problems with disinfection, please consult a computer
technician or send a message (and a sample) to our Viruslab. We
have guidelines for sending virus samples, hoaxes and
virus-related questions to F-Secure Viruslab published here:
http://support.f-secure.com/enu/home/virusproblem/sample/