Rootkit:W32/Agent.TZ


Aliases:

Rootkit:W32/Agent.TZ
Trojan-Clicker.Win32.VB.ath

Malware
Rootkit
W32

Summary

A program or set of programs which hides itself by subverting or evading the computer's security mechanisms, then allows remote users to secretly control the computer's operating system.



Disinfection & Removal

Allow F-Secure Anti-Virus to disinfect the relevant files.

For more general information on disinfection, please see Removal Instructions.



Technical Details

Agent.TZ is a kernel-mode driver. It creates the following device object and symbolic link so that its user-mode component, Worm:W32/VB.KS, can open a handle to the driver:

  • \Device\hideproc
  • \DosDevices\hideproc

It processes the control code sent by Worm:W32/VB.KS so that the worm's process is hidden from the process list. It uses a Direct Kernel Object Manipulation (DKOM) technique for hiding processes.
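Two checks follow from the details above, shown here as an added example (not F-Secure code and not part of the original description). First, the symbolic link \DosDevices\hideproc is reachable from user mode as \\.\hideproc, so a successful open, or an access-denied error, on that name indicates the driver is loaded. Second, DKOM hiding unlinks the process from the list that ordinary enumeration walks while lookup by PID still works, so comparing the two views (a "cross-view" check) surfaces the hidden PID. The Windows calls are guarded by a platform check; the comparison logic is pure Python and is exercised on constructed sample PIDs. The PID upper bound and the sample PID lists are assumptions.

```python
"""Defender-side checks for the hideproc driver and DKOM-hidden processes.
Added example; the Windows-specific parts only run on win32."""
import ctypes
import sys

# Device name the driver creates (\DosDevices\hideproc), as seen from user mode.
HIDEPROC_DEVICE = r"\\.\hideproc"

ERROR_FILE_NOT_FOUND = 2
ERROR_PATH_NOT_FOUND = 3
ERROR_ACCESS_DENIED = 5
OPEN_EXISTING = 3
TH32CS_SNAPPROCESS = 0x2
PROCESS_QUERY_LIMITED_INFORMATION = 0x1000
INVALID_HANDLE_VALUE = ctypes.c_void_p(-1).value

# Constructed sample views for the offline demonstration (assumed values).
SAMPLE_LISTED_PIDS = [0, 4, 512, 1044, 2048]       # what enumeration reports
SAMPLE_PROBED_PIDS = [4, 512, 1044, 1337, 2048]    # what PID-by-PID lookup finds


def classify_device_open(handle_valid, last_error):
    """Map a CreateFile outcome to a verdict about the device's existence.
    A valid handle or ERROR_ACCESS_DENIED both prove the object is there;
    FILE/PATH_NOT_FOUND means no such device; anything else is inconclusive."""
    if handle_valid or last_error == ERROR_ACCESS_DENIED:
        return "present"
    if last_error in (ERROR_FILE_NOT_FOUND, ERROR_PATH_NOT_FOUND):
        return "absent"
    return "unknown"


def cross_view_diff(listed_pids, probed_pids):
    """PIDs that direct lookup reaches but enumeration never reported.
    DKOM unlinks the EPROCESS from the active-process list, so the process
    vanishes from the listing while a lookup by PID still succeeds."""
    return sorted(set(probed_pids) - set(listed_pids))


def _kernel32():
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.CreateFileW.restype = ctypes.c_void_p
    k32.CreateFileW.argtypes = [ctypes.c_wchar_p, ctypes.c_ulong, ctypes.c_ulong,
                                ctypes.c_void_p, ctypes.c_ulong, ctypes.c_ulong, ctypes.c_void_p]
    k32.CloseHandle.argtypes = [ctypes.c_void_p]
    k32.CreateToolhelp32Snapshot.restype = ctypes.c_void_p
    k32.CreateToolhelp32Snapshot.argtypes = [ctypes.c_ulong, ctypes.c_ulong]
    k32.Process32FirstW.argtypes = [ctypes.c_void_p, ctypes.POINTER(PROCESSENTRY32W)]
    k32.Process32NextW.argtypes = [ctypes.c_void_p, ctypes.POINTER(PROCESSENTRY32W)]
    k32.OpenProcess.restype = ctypes.c_void_p
    k32.OpenProcess.argtypes = [ctypes.c_ulong, ctypes.c_int, ctypes.c_ulong]
    return k32


class PROCESSENTRY32W(ctypes.Structure):
    _fields_ = [("dwSize", ctypes.c_ulong), ("cntUsage", ctypes.c_ulong),
                ("th32ProcessID", ctypes.c_ulong), ("th32DefaultHeapID", ctypes.c_size_t),
                ("th32ModuleID", ctypes.c_ulong), ("cntThreads", ctypes.c_ulong),
                ("th32ParentProcessID", ctypes.c_ulong), ("pcPriClassBase", ctypes.c_long),
                ("dwFlags", ctypes.c_ulong), ("szExeFile", ctypes.c_wchar * 260)]


def device_present(name=HIDEPROC_DEVICE):
    """Check whether the hideproc device exists without requesting any access."""
    if sys.platform != "win32":
        return "unsupported"
    k32 = _kernel32()
    handle = k32.CreateFileW(name, 0, 0, None, OPEN_EXISTING, 0, None)
    err = ctypes.get_last_error()
    valid = handle != INVALID_HANDLE_VALUE
    if valid:
        k32.CloseHandle(handle)
    return classify_device_open(valid, err)


def toolhelp_pids():
    """Enumeration view: the process list as Toolhelp reports it."""
    k32 = _kernel32()
    snap = k32.CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0)
    entry = PROCESSENTRY32W()
    entry.dwSize = ctypes.sizeof(entry)
    pids = []
    ok = k32.Process32FirstW(snap, ctypes.byref(entry))
    while ok:
        pids.append(entry.th32ProcessID)
        ok = k32.Process32NextW(snap, ctypes.byref(entry))
    k32.CloseHandle(snap)
    return pids


def probed_pids(max_pid=65536):
    """Lookup view: try every candidate PID directly (multiples of 4 on Windows).
    Access denied still proves the PID exists. max_pid is an assumption."""
    k32 = _kernel32()
    found = []
    for pid in range(4, max_pid, 4):
        handle = k32.OpenProcess(PROCESS_QUERY_LIMITED_INFORMATION, 0, pid)
        if handle:
            k32.CloseHandle(handle)
            found.append(pid)
        elif ctypes.get_last_error() == ERROR_ACCESS_DENIED:
            found.append(pid)
    return found


def hidden_processes():
    """Candidates from the live system, re-checked to drop PIDs born mid-scan."""
    if sys.platform != "win32":
        return None
    candidates = cross_view_diff(toolhelp_pids(), probed_pids())
    return [pid for pid in candidates if pid not in toolhelp_pids()]


if __name__ == "__main__":
    print("hideproc device:", device_present())
    live = hidden_processes()
    print("hidden PIDs:", live if live is not None else
          cross_view_diff(SAMPLE_LISTED_PIDS, SAMPLE_PROBED_PIDS))
```

A PID that appears in the probed view but not in two consecutive Toolhelp listings is worth inspecting with a memory-forensics tool rather than trusted as proof on its own, since a process can legitimately start or exit between the two views; the re-check in hidden_processes removes the common race but not every edge case.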
