F-Secure Malware Information Pages: Rootkit:W32/Agent.UG

Summary
A program or set of programs which hides itself by subverting or evading the computer's security mechanisms, then allows remote users to secretly control the computer's operating system.
Additional Details
This rootkit will execute on the following operating systems:
- Windows 2000
- Windows XP
- Windows 2003
- Windows Vista
- Windows Vista SP1
It removes the hooks placed on the following NT functions (which are implemented in Ntoskrnl.exe) and restores their addresses to the original values:
- NtProtectVirtualMemory
- NtOpenThread
- NtTerminateThread
- NtCreatePort
- NtConnectPort
- NtCreateKey
- NtAdjustPrivilegesToken
- NtCreateFile
- NtWriteVirtualMemory
- NtOpenProcess
- NtCreateProcess
- NtCreateProcessEx
- NtCreateSection
- NtCreateThread
- NtDeleteKey
- NtDeleteValueKey
- NtDuplicateObject
- NtEnumerateKey
- NtEnumerateValueKey
- NtLoadDriver
- NtLoadKey
- NtLoadKey2
- NtNotifyChangeKey
- NtOpenFile
- NtOpenKey
- NtOpenSection
- NtQueryKey
- NtQueryMultipleValueKey
- NtQueryValueKey
- NtReplaceKey
- NtRestoreKey
- NtResumeThread
- NtSaveKey
- NtSetContextThread
- NtSetInformationFile
- NtSetInformationKey
- NtSetSystemInformation
- NtSetValueKey
- NtSuspendThread
- NtSystemDebugControl
- NtTerminateProcess
F-Secure Corporation
Last Modified: September 22, 2008