Mailbot.AZ is a kernel-mode rootkit that modifies the kernel to hide its presence on the compromised system. It contains an encrypted payload that will be executed in the context of a process named "services.exe". The payload is a Spamtool with backdoor capabilities.
To remove the infection, perform the following steps:
- Reboot the system into the Windows Recovery Console (from your Windows installation CD).
- Copy a non-executable file from the Windows directory over the Alternate Data Stream.
- copy c:\windows\win.ini c:\windows\system32:18467
Please note that the copy command will report an error, but by then the malicious stream has already been truncated to zero length.
Installation to the system
Mailbot.AZ is usually installed to the system by a separate dropper component, detected as Trojan-Dropper.Win32.Small.ape. When the dropper is executed, it drops the rootkit driver to %TEMP%\pe386.sys and runs it. After installation, the dropper deletes itself from the system.
When the rootkit driver is executed, it creates a copy of itself in an Alternate Data Stream attached to the system32 directory - %SystemRoot%\system32:[random_number]. However, because the code never seeds the pseudorandom-number generator (a bug in the rootkit), the "random" number is the same on every installation, and the stream is always created as %SystemRoot%\system32:18467.
If the file system does not support Alternate Data Streams, the driver is installed instead to %SystemRoot%\system32\drivers\pe386.sys.
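The following is an added illustration of the unseeded-generator point above; it is not code from the write-up or from the rootkit. It assumes the driver's "random number" comes from the Microsoft C runtime rand() linear congruential generator (the write-up only says the generator is never seeded) and shows that, with the runtime's default seed, the output stream is identical on every run, so the "random" stream name becomes a fixed indicator a defender can look for.

```python
# Added example (not part of the original write-up): reproduces the
# Microsoft C runtime rand() linear congruential generator to show why an
# unseeded generator yields the same "random" stream name on every run.
# Assumption: the rootkit draws its number from the CRT rand(); the
# write-up only states that the generator is never seeded.

MSVC_MULTIPLIER = 214013
MSVC_INCREMENT = 2531011
DEFAULT_SEED = 1  # CRT state when srand() is never called


def msvc_rand_sequence(count, seed=DEFAULT_SEED):
    """Return the first `count` outputs of the MSVC CRT rand() for a seed."""
    state = seed
    out = []
    for _ in range(count):
        # 32-bit LCG state update, then the CRT keeps bits 16..30 (0..32767).
        state = (state * MSVC_MULTIPLIER + MSVC_INCREMENT) & 0xFFFFFFFF
        out.append((state >> 16) & 0x7FFF)
    return out


def ads_name_candidates(count=5, seed=DEFAULT_SEED):
    """Stream names an unseeded driver could pick: the same list every boot."""
    return [f"system32:{n}" for n in msvc_rand_sequence(count, seed)]


def is_predictable(seed=DEFAULT_SEED, runs=3):
    """True when repeated runs of the generator produce identical output."""
    first = msvc_rand_sequence(10, seed)
    return all(msvc_rand_sequence(10, seed) == first for _ in range(runs))


if __name__ == "__main__":
    seq = msvc_rand_sequence(5)
    print("unseeded MSVC rand() outputs:", seq)
    print("18467 is output number", seq.index(18467) + 1)
    print("candidate stream names:", ads_name_candidates())
    print("deterministic across runs:", is_predictable())
```

The value 18467 used by the rootkit is the second number in the unseeded MSVC sequence (the first is 41), which is consistent with a generator that was never seeded; a seeded generator would give a different stream name on each machine and the removal command above could not name a fixed stream.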
To survive reboot the rootkit adds the following launch point to the registry:
with the following values:
- DisplayName = Win23 PE files loader
- ImagePath = \SystemRoot\System32:18467 or
- ImagePath = \SystemRoot\System32\Drivers\pe386.sys
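The script below is an added example of turning the service values listed above and the alternate data stream into host checks; it is not F-Secure's detection logic. It parses a constructed registry-export fragment and a constructed `dir /r` listing (on a live host the inputs would come from `reg export` of the Services key and from `dir /r C:\Windows`, or PowerShell `Get-Item -Stream *`), and flags entries matching the DisplayName, the two ImagePath forms, or any digit-only stream on system32. The service key name in the sample is a placeholder, since the write-up does not give the rootkit's service name.

```python
import re

# Added example, not the vendor's detection code. Matches the registry
# indicators listed above and the system32:[number] stream over
# constructed sample inputs; the service key name is a placeholder.

KNOWN_DISPLAY_NAME = "Win23 PE files loader"
KNOWN_IMAGE_PATHS = {
    r"\systemroot\system32:18467",
    r"\systemroot\system32\drivers\pe386.sys",
}

# Constructed .reg fragment (backslashes doubled as in a real export).
SAMPLE_REG_EXPORT = r'''
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Beep]
"DisplayName"="Beep"
"ImagePath"="\\SystemRoot\\System32\\drivers\\beep.sys"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PLACEHOLDER_SVC]
"DisplayName"="Win23 PE files loader"
"ImagePath"="\\SystemRoot\\System32:18467"
'''

# Constructed `dir /r C:\Windows` output: stream lines carry size then
# owner:stream:$DATA.
SAMPLE_DIR_LISTING = """\
 Directory of C:\\Windows

02/01/2006  10:00 AM    <DIR>          system32
                                34,816 system32:18467:$DATA
02/01/2006  10:00 AM               919 win.ini
"""

_KEY_RE = re.compile(r"^\[(.+)\]$")
_VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')
_STREAM_RE = re.compile(r"^\s*[\d,]+\s+(.+?):([^:\\]+):\$DATA\s*$")


def parse_reg_export(text):
    """Parse a .reg export into {key_path: {value_name: string_value}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys[current] = {}
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            # .reg files escape backslashes and quotes; undo that.
            value = m.group(2).replace("\\\\", "\\").replace('\\"', '"')
            keys[current][m.group(1)] = value
    return keys


def is_ads_path(path):
    """True when the last path component names an NTFS stream (file:stream)."""
    last = path.replace("/", "\\").rsplit("\\", 1)[-1]
    return ":" in last and not re.fullmatch(r"[A-Za-z]:", last)


def suspicious_services(reg_text):
    """Return (key, reasons) for service keys matching the page's indicators."""
    hits = []
    for key, values in parse_reg_export(reg_text).items():
        image = values.get("ImagePath", "")
        reasons = []
        if values.get("DisplayName") == KNOWN_DISPLAY_NAME:
            reasons.append("DisplayName matches")
        if image.lower() in KNOWN_IMAGE_PATHS:
            reasons.append("ImagePath matches")
        elif is_ads_path(image):
            reasons.append("ImagePath points into an alternate data stream")
        if reasons:
            hits.append((key, reasons))
    return hits


def streams_in_dir_listing(listing):
    """Extract (owner, stream) pairs from `dir /r` output lines."""
    matches = map(_STREAM_RE.match, listing.splitlines())
    return [(m.group(1), m.group(2)) for m in matches if m]


def rootkit_streams(listing):
    """Digit-only streams on system32, the form the rootkit's copy takes."""
    return [(o, s) for o, s in streams_in_dir_listing(listing)
            if o.lower() == "system32" and s.isdigit()]


if __name__ == "__main__":
    for key, reasons in suspicious_services(SAMPLE_REG_EXPORT):
        print(key, "->", "; ".join(reasons))
    for owner, stream in rootkit_streams(SAMPLE_DIR_LISTING):
        print(f"suspicious stream {owner}:{stream}")
```

Because the rootkit hides these keys and the stream from a running system (see the hooks described below), the registry export and directory listing should be taken offline, for example from the Recovery Console or a mounted disk image, rather than from the live, hooked system.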
These registry settings make sure the driver is started very early in the boot process and that it also runs in safe mode.
Kernel-mode payload
The rootkit takes control of the System Service Dispatcher by hooking the INT 0x2E handler and the IA32_SYSENTER_EIP MSR handler. A thread that tries to execute any of the following system service functions is redirected to a modified version:
These functions are hooked to hide the registry keys and values used by the rootkit and to avoid detection by certain rootkit detection software. The rootkit also hooks two IRP handler functions in the driver object responsible for the file system. In the case of NTFS, it hooks the following handler functions in the NTFS driver object:
In the case of FAT, it hooks the following handler functions in the Fastfat driver object:
These handler functions are hooked to hide the file or to deny access to the alternate data stream. The rootkit hooks the following IRP handler functions in the Tcpip driver object:
One purpose of these hooks is to hide any network connections initiated by the user-mode payload. The rootkit also installs a notification routine for process creation, and modifies the behavior of some hooks if any of the following strings are present in the resource section of the loaded image:
The rootkit driver tries to make its detection harder by performing the following "tricks":
- Executes from dynamically allocated memory
- Removes the driver from the loaded modules list
- Removes the driver object from the Object Manager
- Deletes its legacy key and any subkeys from the registry
- Removes its service entry from the Service Control Manager
User-mode payload
The driver file contains a user-mode DLL in encrypted form. After the driver has initialized, it extracts the DLL from the file into dynamically allocated memory, maps that memory into the address space of services.exe, and prepares the mapped image for execution. It then queues an Asynchronous Procedure Call to services.exe so that the DLL runs in that process's context. The DLL is a spamtool with backdoor capabilities.
F-Secure Anti-Virus detects this malware with the following updates: