Rootkit:W32/Xanti.gen!A

Name: Rootkit:W32/Xanti.gen!A
Category: Malware
Type: Rootkit
Platform: W32

Summary

A program or set of programs which hides itself by subverting or evading the computer's security mechanisms, then allows remote users to secretly control the computer's operating system.

Additional Details

Rootkit:W32/Xanti.gen!A is a Generic Detection that identifies malware attempting to create a device file on the computer named \Device\Beep.


About Generic Detections

Unlike signature or single-file detections, a Generic Detection does not identify a unique or individual malicious program. Instead, a Generic Detection looks for broadly applicable code or behavior characteristics that mark a file as potentially malicious, so that a single Generic Detection can efficiently identify dozens, or even hundreds, of malware programs.


Installation


If the malware manages to run, it will create the following files:

  •   \SystemRoot\system32\cru629.dat
  •   \SystemRoot\cru629.dat
  •   \SystemRoot\system32\braviax.exe
  •   \SystemRoot\braviax.exe

The malware may also drop additional malicious programs onto the system:

  •   cru629.dat - Detected by Backdoor.Win32.Small.cbo, Trojan.Agent.AIER
  •   braviax.exe - Detected by Trojan-Clicker.Win32.Delf.akw, Trojan.Crypt.EQ

When one of the following processes is executed:

  •   winlogon.exe
  •   svchost.exe
  •   smss.exe
  •   csrss.exe

the malware creates the following launchpoints in the Windows Registry:

  •  HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows
        Appinit_dlls = "cru629.dat"
  •  HKLM\Software\Microsoft\Windows\CurrentVersion\Run
        braviax = "braviax.exe"

It also places a hook on NtQuerySystemInformation.
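A triage check for the dropped files and registry launchpoints listed above, added here as an example and not F-Secure's code: it parses a .reg export and a file listing for the cru629.dat / braviax entries. The sample export and paths are constructed, and the function names and the HKEY_LOCAL_MACHINE spelling of the keys are assumptions of this example.

```python
import re
# Launchpoints from the description: (registry key, value name) -> marker expected in data.
LAUNCHPOINTS = {
    (r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows",
     "AppInit_DLLs"): "cru629.dat",
    (r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
     "braviax"): "braviax.exe",
}
DROPPED_FILES = {"cru629.dat", "braviax.exe"}  # file names listed under Installation
_VALUE_LINE = re.compile(r'^"([^"]+)"="(.*)"$')  # REG_SZ lines of a .reg export

def parse_reg_export(text):
    """Parse a .reg export into {key.lower(): {value_name.lower(): data}} (REG_SZ only)."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()  # registry paths are case-insensitive
            keys.setdefault(current, {})
        elif current is not None:
            m = _VALUE_LINE.match(line)
            if m:
                keys[current][m.group(1).lower()] = m.group(2)
    return keys

def find_launchpoints(reg_text):
    """Return (key, value_name, data) for each launchpoint present in the export."""
    keys = parse_reg_export(reg_text)
    hits = []
    for (key, name), marker in LAUNCHPOINTS.items():
        data = keys.get(key.lower(), {}).get(name.lower(), "")
        if marker in data.lower():  # AppInit_DLLs may list several DLLs
            hits.append((key, name, data))
    return hits

def find_dropped_files(paths):
    """Return the paths whose file name is one of the dropped files."""
    return [p for p in paths if p.rsplit("\\", 1)[-1].lower() in DROPPED_FILES]

# Constructed sample data, not taken from a real infected host.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="cru629.dat"
"LoadAppInit_DLLs"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"braviax"="braviax.exe"
"""
SAMPLE_PATHS = [r"C:\WINDOWS\system32\cru629.dat", r"C:\WINDOWS\braviax.exe", r"C:\WINDOWS\system32\notepad.exe"]
```

On a live host the same functions can be fed the output of `reg export` and a directory listing of %SystemRoot% and %SystemRoot%\system32.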


Activity

Once installed, the malware monitors the following processes/drivers and prevents them from running:

  •  spdt.sys
  •  gmer.sys
  •  taskmon.sys
  •  kernelw.sys
  •  wowfx.dll
  •  pctfw2.sys
  •  symtdi.sys
  •  symevent.sys
  •  fltmgr.sys
  •  bmbemuhl
  •  ip6fw.sys
  •  fmtr.sys
  •  sdhelper.dll
  •  wincom32.sys
  •  rdriv.sys
  •  mpfirewall.sys
  •  sandbox.sys
  •  filtnt.sys
  •  bc_tdi_f.sys
  •  bc_prt_f.sys
  •  bc_pat_f.sys
  •  bc_ngn.sys
  •  bc_ip_f.sys
  •  bc_hassh_f.sys
  •  bcftdi.sys
  •  bcfilter.sys
  •  watchdog.sys
  •  vsdatant.sys
  •  kmd.exe
  •  winavxx.exe
  •  bolenjx.exe
  •  bolenja.exe
  •  rootkit_detektive.exe
  •  autoruns.exe
  •  vundofix.exe
  •  trjscan.exe
  •  tpsrv.exe
  •  thguard.exe
  •  symwsc.exe
  •  superantispyware.exe
  •  spyblock.dll
  •  spbbcsvc.exe
  •  sndsrvc.exe
  •  sndmon.exe
  •  sdtrayapp.exe
  •  sbserv.exe
  •  pskmssvc.exe
  •  psimsvc.exe
  •  pshost.exe
  •  psctrls.exe
  •  pifsvc.exe
  •  pavsrv51.exe
  •  pavprsrv.exe
  •  lucoms~1.exe
  •  lsetup.exe
  •  ccsvchst.exe
  •  ccproxy.exe
  •  avengine.exe
  •  avciman.exe
  •  ashwebsv.exe
  •  ashserv.exe
  •  ashmaisv.exe
  •  apvxdwin.exe
  •  appsvc32.exe
  •  aluschedulersvc.exe
  •  gmer.exe
  •  killbox.exe
  •  avgupsvc.exe
  •  avgamsvr.exe
  •  avgw.exe
  •  avgcc.exe
  •  msmpeng.exe
  •  printer.exe
  •  svcntaux.exe
  •  swdsvc.exe
  •  avgas.exe
  •  symlcsvc.exe
  •  fwservice.exe
  •  prevxcsi.exe
  •  navilog
  •  navapsvc.exe
  •  globkill.exe
  •  dss.exe
  •  procmast.exe
  •  combo.exe
  •  defwatch.exe
  •  ccsetmgr.exe
  •  ccpwdsvc.exe
  •  sdfix.exe
  •  zcomservice.exe
  •  zcodec.exe
  •  zclient.exe
  •  spywaredetector.exe
  •  spybotsd.exe
  •  spybot.exe
  •  savscan.exe
  •  sandboxieserver.exe
  •  rtvscan.exe
  •  pboptions.exe
  •  pbcpl.exe
  •  pavfnsvr.exe
  •  overspy.exe
  •  overseer.exe
  •  op_mon.exe
  •  outpost.exe
  •  ofcdog.exe
  •  nvctrl.exe
  •  nsmdtr.exe
  •  nortonupdate.exe
  •  nod32ra.exe
  •  nod32krn.exe
  •  no32mon.exe
  •  nlsupervisorpro.exe
  •  njexplor.exe
  •  nisum.exe
  •  navw32.exe
  •  navstub.exe
  •  navapp.exe
  •  myvideodaily2.exe
  •  mwsoemon.exe
  •  msssrv.exe
  •  mcshield.exe
  •  malswep.exe
  •  malscr.exe
  •  magiclink.exe
  •  lsass32.exe
  •  lsasrv.exe
  •  livesrv.exe
  •  little_helper2.exe
  •  kpf4ss.exe
  •  klswd.exe
  •  klpf.exe
  •  kavsvc.exe
  •  kavss.exe
  •  kav.exe
  •  issvc.exe
  •  isnotify.exe
  •  ismini.exe
  •  inetupd.exe
  •  icmon.exe
  •  iao.exe
  •  hwpe2.exe
  •  hitvirus.exe
  •  hijackthis
  •  hbtoeaddon.exe
  •  hackmon.exe
  •  gcasserv.exe
  •  gcasdtserv.exe
  •  fsm32.exe
  •  fsbl.exe
  •  fsav32.exe
  •  fatbuster.exe
  •  farsighter.exe
  •  f-stopw.exe
  •  f-sched.exe
  •  eyetidecontroller.exe
  •  dsentry.exe
  •  cureit.exe
  •  crypserv.exe
  •  cpf.exe
  •  cpd.exe
  •  comboxfix.exe
  •  combofix
  •  ccpxysvc.exe
  •  ccimscan.exe
  •  ccevtmgr.exe
  •  ccapp.exe
  •  cavtray.exe
  •  cavrid.exe
  •  bdss.exe
  •  bdmcon.exe
  •  avz.exe
  •  avsched32.exe
  •  avpm.exe
  •  avp.exe
  •  avpcc.exe
  •  avgemc.exe
  •  avgagent.exe