F-Secure
Tools
Rootkit:W32/Agent.TZ
Summary
A program or set of programs which hides itself by subverting or evading the computer's security mechanisms, then allows remote users to secretly control the computer's operating system.
Additional Details
Agent.TZ creates the following device object and symbolic link so that Worm:W32/VB.KS (usermode) can open a handle to the driver.
It processes the control code sent by Worm:W32/VB.KS so that its process will be hidden in the process list.
It uses a Direct Kernel Object Manipulatin (DKOM) technique for hiding processes.
- \Device\hideproc
- \DosDevices\hideproc
It processes the control code sent by Worm:W32/VB.KS so that its process will be hidden in the process list.
It uses a Direct Kernel Object Manipulatin (DKOM) technique for hiding processes.