Summary
A program or set of programs which hides itself by subverting or evading the computer's security mechanisms, then allows remote users to secretly control the computer's operating system.
Disinfection & Removal
Allow F-Secure Anti-Virus to disinfect the relevant files.
For more general information on disinfection, please see Removal Instructions.
Technical Details
This rootkit will execute on the following operating systems:
- Windows 2000
- Windows XP
- Windows 2003
- Windows Vista
- Windows Vista SP1
It overwrites the hooked addresses of the following NT functions (which are implemented in Ntoskrnl.exe), restoring them to their original values; this disables any kernel-mode hooks that security software had placed on these functions:
- NtProtectVirtualMemory
- NtOpenThread
- NtTerminateThread
- NtCreatePort
- NtConnectPort
- NtCreateKey
- NtAdjustPrivilegesToken
- NtCreateFile
- NtWriteVirtualMemory
- NtOpenProcess
- NtCreateProcess
- NtCreateProcessEx
- NtCreateSection
- NtCreateThread
- NtDeleteKey
- NtDeleteValueKey
- NtDuplicateObject
- NtEnumerateKey
- NtEnumerateValueKey
- NtLoadDriver
- NtLoadKey
- NtLoadKey2
- NtNotifyChangeKey
- NtOpenFile
- NtOpenKey
- NtOpenSection
- NtQueryKey
- NtQueryMultipleValueKey
- NtQueryValueKey
- NtReplaceKey
- NtRestoreKey
- NtResumeThread
- NtSaveKey
- NtSetContextThread
- NtSetInformationFile
- NtSetInformationKey
- NtSetSystemInformation
- NtSetValueKey
- NtSuspendThread
- NtSystemDebugControl
- NtTerminateProcess
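Because the rootkit writes the original Ntoskrnl.exe addresses back, the service table looks clean afterwards; what a defender can observe is that hooks which were present earlier have disappeared. The following is an added illustration, not F-Secure's code, of the memory-forensics style check that attributes each system-service entry to the kernel module whose image range contains it and then diffs two snapshots to list the services whose hooks were removed. All module names other than Ntoskrnl.exe, all addresses, image sizes and both snapshots are constructed sample data (avhook.sys is a hypothetical security driver), not values taken from a real system.

```python
"""Attribute system-service table entries to kernel modules and diff two snapshots.

Added illustration (not F-Secure's code). All module ranges, addresses and
snapshots below are constructed sample data; avhook.sys is a hypothetical
security driver used only to show what a legitimate hook looks like.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Module:
    """A loaded kernel module described by its image base and size."""
    name: str
    base: int
    size: int

    def contains(self, addr: int) -> bool:
        return self.base <= addr < self.base + self.size


# Constructed module list: the kernel image plus a hypothetical security driver.
MODULES: List[Module] = [
    Module("ntoskrnl.exe", 0x80400000, 0x00200000),
    Module("avhook.sys", 0xF7A00000, 0x00010000),  # hypothetical, constructed
]


def attribute(addr: int, modules: List[Module]) -> str:
    """Return the name of the module whose image covers addr, or 'UNKNOWN'.

    An entry that no loaded module covers is itself suspicious: it usually
    means code running from a hidden or unlinked driver.
    """
    for m in modules:
        if m.contains(addr):
            return m.name
    return "UNKNOWN"


def classify_ssdt(ssdt: Dict[str, int], modules: List[Module],
                  kernel: str = "ntoskrnl.exe") -> Dict[str, Tuple[str, str]]:
    """Map each service name to (owning module, 'original' | 'hooked').

    An entry is 'original' only when it points back into the kernel image;
    anything else, including a legitimate security driver, counts as a hook.
    """
    result: Dict[str, Tuple[str, str]] = {}
    for service, addr in ssdt.items():
        owner = attribute(addr, modules)
        result[service] = (owner, "original" if owner == kernel else "hooked")
    return result


def removed_hooks(before: Dict[str, int], after: Dict[str, int],
                  modules: List[Module], kernel: str = "ntoskrnl.exe") -> List[str]:
    """Services that were hooked in `before` and point into the kernel again in `after`.

    A hook silently reverting to the kernel's own address, without the owning
    security product having unloaded, is the footprint this rootkit leaves.
    """
    b = classify_ssdt(before, modules, kernel)
    a = classify_ssdt(after, modules, kernel)
    return sorted(
        service for service in before
        if b[service][1] == "hooked" and a.get(service, ("", ""))[1] == "original"
    )


# Constructed snapshot: the hypothetical driver hooks three of the services
# named in the description; NtCreateKey is left untouched for contrast.
SSDT_BEFORE: Dict[str, int] = {
    "NtCreateFile": 0xF7A01230,
    "NtLoadDriver": 0xF7A01450,
    "NtOpenProcess": 0xF7A01680,
    "NtCreateKey": 0x8050A1C0,
}

# Constructed snapshot taken after the original addresses were written back.
SSDT_AFTER: Dict[str, int] = {
    "NtCreateFile": 0x8057E2A0,
    "NtLoadDriver": 0x80583E10,
    "NtOpenProcess": 0x805C1F00,
    "NtCreateKey": 0x8050A1C0,
}


if __name__ == "__main__":
    for service, (owner, status) in classify_ssdt(SSDT_BEFORE, MODULES).items():
        print(f"{service:20} {owner:14} {status}")
    print("hooks removed between snapshots:",
          removed_hooks(SSDT_BEFORE, SSDT_AFTER, MODULES))
```

In practice the two snapshots would come from a memory image or a kernel debugger rather than from literals, and the module list from the loaded-module list of the same image; the comparison logic is the same. A security driver can perform the equivalent check on itself at run time by re-reading the table entries it hooked and alerting when any of them no longer points at its own code.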