Rootkit:W32/Xanti.gen!A


Aliases:


Rootkit:W32/Xanti.gen!A

Malware
Rootkit
W32

Summary

A program, or set of programs, that hides itself by subverting or evading the computer's security mechanisms and then allows remote users to secretly control the computer's operating system.



Disinfection & Removal

Automatic Disinfection

Allow F-Secure Anti-Virus to disinfect the relevant files. If the product is itself blocked by the rootkit (see Activity below), scan the system from a bootable rescue environment, where the rootkit's hooks are not active.

For more general information on disinfection, please see Removal Instructions.



Technical Details

Rootkit:W32/Xanti.gen!A is a Generic Detection that identifies malware attempting to create a device object on the computer named \Device\Beep. On a clean system that name belongs to the device created by the built-in beep.sys driver, so a driver other than beep.sys creating it is the behaviour this detection keys on. Because the detection is behavioural, the exact file names and registry entries described below may vary between samples.


About Generic Detections

Unlike signature or single-file detections, a Generic Detection does not identify a unique or individual malicious program. Instead, a Generic Detection looks for broadly applicable code or behaviour characteristics that mark a file as potentially malicious, so that a single Generic Detection can efficiently identify dozens or even hundreds of malware samples.


Installation

If the malware manages to run, it will create the following files:

  • \SystemRoot\system32\cru629.dat
  • \SystemRoot\cru629.dat
  • \SystemRoot\system32\braviax.exe
  • \SystemRoot\braviax.exe

The dropped components are themselves detected under the following names:

  • cru629.dat - detected as Backdoor.Win32.Small.cbo, Trojan.Agent.AIER
  • braviax.exe - detected as Trojan-Clicker.Win32.Delf.akw, Trojan.Crypt.EQ

When one of the following processes is executed:

  • winlogon.exe
  • svchost.exe
  • smss.exe
  • csrss.exe

the malware creates the following launch points in the Windows Registry:

  • HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows, value AppInit_DLLs = "cru629.dat"
  • HKLM\Software\Microsoft\Windows\CurrentVersion\Run, value braviax = "braviax.exe"

The AppInit_DLLs entry causes cru629.dat (a DLL despite its .dat extension) to be loaded into every process that loads user32.dll, and the Run value relaunches braviax.exe at each logon.

It also hooks NtQuerySystemInformation, the native API that Task Manager and similar tools use to enumerate running processes; hooking it is the usual way a rootkit hides its own processes from enumeration.
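The following PowerShell script, added here as an example and not part of the F-Secure description, checks a Windows host for the launch points and dropped files listed above. The file and registry names are the page's indicators; the function name, the output format and the LoadAppInit_DLLs reporting are this example's own additions.

```powershell
# Added example, not from the F-Secure description: checks a Windows host for the
# Rootkit:W32/Xanti.gen!A launch points and dropped files listed above.
# File and registry names come from the page; everything else is this example's own.
# Run from an elevated PowerShell prompt.

$DroppedFiles = @(
    "$env:SystemRoot\system32\cru629.dat",
    "$env:SystemRoot\cru629.dat",
    "$env:SystemRoot\system32\braviax.exe",
    "$env:SystemRoot\braviax.exe"
)

function Test-XantiLaunchPoints {
    $hits = @()

    # AppInit_DLLs is a single REG_SZ holding a space- or comma-separated list of
    # DLLs, so split it instead of comparing the whole string against "cru629.dat".
    $winKey  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
    $winVals = Get-ItemProperty -Path $winKey -ErrorAction SilentlyContinue
    if ($winVals -and $winVals.AppInit_DLLs) {
        foreach ($entry in ($winVals.AppInit_DLLs -split '[ ,]+' | Where-Object { $_ })) {
            if ([System.IO.Path]::GetFileName($entry) -ieq 'cru629.dat') {
                # Since Windows Vista the list is only honoured when LoadAppInit_DLLs is 1;
                # the value does not exist on XP, so it prints empty there.
                $load = $winVals.LoadAppInit_DLLs
                $hits += [pscustomobject]@{ Type = 'AppInit_DLLs'; Where = $winKey
                                            What = "$entry (LoadAppInit_DLLs = $load)" }
            }
        }
    }

    # Run key: the page names the value "braviax" with data "braviax.exe". Match on
    # either, since samples caught by a generic detection may vary the value name.
    $runKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    $runVals = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
    if ($runVals) {
        foreach ($prop in $runVals.PSObject.Properties) {
            if ($prop.Name -like 'PS*') { continue }   # PSPath, PSParentPath etc. are provider metadata
            if ($prop.Name -ieq 'braviax' -or "$($prop.Value)" -imatch 'braviax\.exe') {
                $hits += [pscustomobject]@{ Type = 'Run'; Where = $runKey
                                            What = "$($prop.Name) = $($prop.Value)" }
            }
        }
    }

    # Dropped files: record a hash so the sample can be submitted or compared later.
    foreach ($file in $DroppedFiles) {
        if (Test-Path -LiteralPath $file -PathType Leaf) {
            $hash = (Get-FileHash -LiteralPath $file -Algorithm SHA256).Hash
            $hits += [pscustomobject]@{ Type = 'File'; Where = $file; What = "SHA256 $hash" }
        }
    }
    return $hits
}

$findings = Test-XantiLaunchPoints
if ($findings) {
    $findings | Format-Table -AutoSize
} else {
    'No Xanti.gen!A launch points or dropped files found.'
}
```

Because the rootkit hooks the running system, a clean result from this script on a live infected host is not conclusive; the registry hive and file system of a suspect machine are better inspected from a rescue environment or by mounting the disk on another system.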


Activity

Once installed, the malware monitors running processes and loaded drivers for the following names, which belong to anti-virus, firewall and anti-rootkit tools (among them GMER, HijackThis, Autoruns and ComboFix), and prevents them from running. Since the blocking is by name, renaming a tool's executable before launching it is the usual workaround:

  • spdt.sys
  • gmer.sys
  • taskmon.sys
  • kernelw.sys
  • wowfx.dll
  • pctfw2.sys
  • symtdi.sys
  • symevent.sys
  • fltmgr.sys
  • bmbemuhl
  • ip6fw.sys
  • fmtr.sys
  • sdhelper.dll
  • wincom32.sys
  • rdriv.sys
  • mpfirewall.sys
  • sandbox.sys
  • filtnt.sys
  • bc_tdi_f.sys
  • bc_prt_f.sys
  • bc_pat_f.sys
  • bc_ngn.sys
  • bc_ip_f.sys
  • bc_hassh_f.sys
  • bcftdi.sys
  • bcfilter.sys
  • watchdog.sys
  • vsdatant.sys
  • kmd.exe
  • winavxx.exe
  • bolenjx.exe
  • bolenja.exe
  • rootkit_detektive.exe
  • autoruns.exe
  • vundofix.exe
  • trjscan.exe
  • tpsrv.exe
  • thguard.exe
  • symwsc.exe
  • superantispyware.exe
  • spyblock.dll
  • spbbcsvc.exe
  • sndsrvc.exe
  • sndmon.exe
  • sdtrayapp.exe
  • sbserv.exe
  • pskmssvc.exe
  • psimsvc.exe
  • pshost.exe
  • psctrls.exe
  • pifsvc.exe
  • pavsrv51.exe
  • pavprsrv.exe
  • lucoms~1.exe
  • lsetup.exe
  • ccsvchst.exe
  • ccproxy.exe
  • avengine.exe
  • avciman.exe
  • ashwebsv.exe
  • ashserv.exe
  • ashmaisv.exe
  • apvxdwin.exe
  • appsvc32.exe
  • aluschedulersvc.exe
  • gmer.exe
  • killbox.exe
  • avgupsvc.exe
  • avgamsvr.exe
  • avgw.exe
  • avgcc.exe
  • msmpeng.exe
  • printer.exe
  • svcntaux.exe
  • swdsvc.exe
  • avgas.exe
  • symlcsvc.exe
  • fwservice.exe
  • prevxcsi.exe
  • navilog
  • navapsvc.exe
  • globkill.exe
  • dss.exe
  • procmast.exe
  • combo.exe
  • defwatch.exe
  • ccsetmgr.exe
  • ccpwdsvc.exe
  • sdfix.exe
  • zcomservice.exe
  • zcodec.exe
  • zclient.exe
  • spywaredetector.exe
  • spybotsd.exe
  • spybot.exe
  • savscan.exe
  • sandboxieserver.exe
  • rtvscan.exe
  • pboptions.exe
  • pbcpl.exe
  • pavfnsvr.exe
  • overspy.exe
  • overseer.exe
  • op_mon.exe
  • outpost.exe
  • ofcdog.exe
  • nvctrl.exe
  • nsmdtr.exe
  • nortonupdate.exe
  • nod32ra.exe
  • nod32krn.exe
  • no32mon.exe
  • nlsupervisorpro.exe
  • njexplor.exe
  • nisum.exe
  • navw32.exe
  • navstub.exe
  • navapp.exe
  • myvideodaily2.exe
  • mwsoemon.exe
  • msssrv.exe
  • mcshield.exe
  • malswep.exe
  • malscr.exe
  • magiclink.exe
  • lsass32.exe
  • lsasrv.exe
  • livesrv.exe
  • little_helper2.exe
  • kpf4ss.exe
  • klswd.exe
  • klpf.exe
  • kavsvc.exe
  • kavss.exe
  • kav.exe
  • issvc.exe
  • isnotify.exe
  • ismini.exe
  • inetupd.exe
  • icmon.exe
  • iao.exe
  • hwpe2.exe
  • hitvirus.exe
  • hijackthis
  • hbtoeaddon.exe
  • hackmon.exe
  • gcasserv.exe
  • gcasdtserv.exe
  • fsm32.exe
  • fsbl.exe
  • fsav32.exe
  • fatbuster.exe
  • farsighter.exe
  • f-stopw.exe
  • f-sched.exe
  • eyetidecontroller.exe
  • dsentry.exe
  • cureit.exe
  • crypserv.exe
  • cpf.exe
  • cpd.exe
  • comboxfix.exe
  • combofix
  • ccpxysvc.exe
  • ccimscan.exe
  • ccevtmgr.exe
  • ccapp.exe
  • cavtray.exe
  • cavrid.exe
  • bdss.exe
  • bdmcon.exe
  • avz.exe
  • avsched32.exe
  • avpm.exe
  • avp.exe
  • avpcc.exe
  • avgemc.exe
  • avgagent.exe

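The hook on NtQuerySystemInformation described under Installation is what makes the rootkit's processes invisible to the tools it blocks. The classic check for such a hook is a cross-view comparison: build the process list twice by independent means and look for PIDs that one view has and the other lacks. The following PowerShell script is an added example, not part of the F-Secure description; the type name Xanti.Native, the function name and the default PID range are this example's own choices.

```powershell
# Added example, not from the F-Secure description: cross-view check for processes
# hidden by a hook on NtQuerySystemInformation. Two independent lists of process IDs
# are built and compared; a PID the kernel will open but the ordinary enumeration
# omits is a process that something is hiding. Run from an elevated prompt so that
# SYSTEM processes can be opened.

Add-Type -Namespace Xanti -Name Native -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true)]
public static extern IntPtr OpenProcess(uint dwDesiredAccess, bool bInheritHandle, uint dwProcessId);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool CloseHandle(IntPtr hObject);
'@

function Get-HiddenProcessIds {
    # PIDs can exceed 65535 on current Windows versions; raise the bound if needed.
    param([uint32]$MaxPid = 1048576)

    $PROCESS_QUERY_LIMITED_INFORMATION = 0x1000
    $ERROR_ACCESS_DENIED = 5

    # View 1: the ordinary enumeration. Get-Process obtains its list through
    # NtQuerySystemInformation(SystemProcessInformation), the call the rootkit hooks.
    $listed = @{}
    foreach ($p in Get-Process) { $listed[[uint32]$p.Id] = $true }

    # View 2: ask the kernel directly for every candidate PID (Windows PIDs are
    # multiples of 4). A handle means the process exists. ERROR_ACCESS_DENIED also
    # means it exists (a protected process, or an XP kernel that does not know the
    # 0x1000 access bit). Any other failure means there is no such process.
    $hidden = @()
    for ($candidate = 4; $candidate -le $MaxPid; $candidate += 4) {
        if ($listed.ContainsKey([uint32]$candidate)) { continue }
        $h   = [Xanti.Native]::OpenProcess($PROCESS_QUERY_LIMITED_INFORMATION, $false, [uint32]$candidate)
        $err = [System.Runtime.InteropServices.Marshal]::GetLastWin32Error()
        if ($h -ne [IntPtr]::Zero) {
            [void][Xanti.Native]::CloseHandle($h)
            $hidden += [uint32]$candidate
        } elseif ($err -eq $ERROR_ACCESS_DENIED) {
            $hidden += [uint32]$candidate
        }
    }
    return $hidden
}

$hiddenPids = Get-HiddenProcessIds
if ($hiddenPids) {
    "Process IDs present in the kernel but missing from enumeration: $($hiddenPids -join ', ')"
} else {
    'No hidden processes found.'
}
```

Two caveats apply. A process that starts between the two views shows up as a false positive, so repeat the run and keep only PIDs that appear every time. And a rootkit that also hooks NtOpenProcess defeats this particular comparison, so a clean result does not rule out infection; the device-name behaviour the detection keys on, or an offline scan, remains the authoritative check.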