Win32.Ntldrbot
Added to Dr.Web® virus database: 2008-05-06 12:01:49
Virus Type: Malware, which spreads spam
Affected OS: Win NT-based
Size: 158K up to 424K
Technical Information
- Sophisticated polymorphic self-protection of the rootkit makes its extraction and
analysis extremely difficult.
- Implemented as a driver, it runs on the lowest kernel level.
- Has a self-protect function, prevents runtime changes.
- Uses active anti-debugging techniques: monitors the setting of hardware breakpoints
(DR registers) and disrupts kernel-level debuggers (e.g. Syser, SoftICE). The WinDbg
debugger won't work while the rootkit is running.
- Intercepts the following system functions using a non-standard method:
NtCreateThread
NtDelayExecution
NtDuplicateObject
NtOpenThread
NtProtectVirtualMemory
NtQuerySystemInformation
NtReadVirtualMemory
NtResumeThread
NtTerminateProcess
NtTerminateThread
NtWriteVirtualMemory
- Functions as a file virus and infects system drivers.
A particular sample of the rootkit is adjusted to the hardware of the infected
machine and most likely won't run on another computer.
- Uses a time-triggered re-infection feature: the previously infected file is cured and
another driver is infected, so the rootkit "wanders" through the system drivers,
infecting only one at a time.
- Filters calls to the infected file: it intercepts the FSD procedures of the file system
driver and redirects a call to the original file instead of the infected one.
- Features anti-rootkit protection.
- Injects its library (DLL) into one of the Windows system processes, and the library
starts spamming. The driver communicates with the DLL through a special
command-transfer mechanism.
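Two of the points above matter for anyone checking a machine for this kind of infection: the rootkit modifies one system driver at a time and cures the previous host, and it redirects reads of the infected file to the original content, so a hash check run on the live system sees nothing. The following script is an added example, not Dr.Web's code or part of the original entry. It compares a directory of *.sys files against a SHA-256 baseline taken from a known-clean state and shows, on constructed placeholder files, how the "wandering" re-infection looks across two snapshots: one driver flagged, then restored while a different one is flagged. The directory layout, the placeholder bytes and the use of appended data as a stand-in for infection are all assumptions of the example; the comparison is only meaningful when run from clean boot media, where the file system redirection is not active.

```python
# Added example: driver-integrity baseline comparison (not Dr.Web's code).
# Assumptions: drivers are *.sys files in one directory; a baseline of SHA-256
# hashes was taken from a known-clean state; the comparison is run from clean
# boot media, because a running Ntldrbot redirects reads of the infected file
# to the original content and would hide the change from this check.
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large driver images are not loaded whole."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(driver_dir: Path) -> dict:
    """Map driver file name -> SHA-256 for every *.sys file in the directory."""
    return {p.name: sha256_file(p) for p in sorted(driver_dir.glob("*.sys"))}


def compare_to_baseline(driver_dir: Path, baseline: dict) -> dict:
    """Classify drivers as modified, added, or missing relative to the baseline."""
    current = build_baseline(driver_dir)
    return {
        "modified": sorted(n for n in current if n in baseline and current[n] != baseline[n]),
        "added": sorted(n for n in current if n not in baseline),
        "missing": sorted(n for n in baseline if n not in current),
    }


def demo() -> list:
    """Constructed scenario: three placeholder drivers, one baseline, two later snapshots.

    The placeholder bytes are not driver code; they only stand in for file content.
    """
    with tempfile.TemporaryDirectory() as tmp:
        drivers = Path(tmp)
        clean = {name: b"placeholder clean image of " + name.encode()
                 for name in ("a.sys", "b.sys", "c.sys")}
        for name, data in clean.items():
            (drivers / name).write_bytes(data)
        baseline = build_baseline(drivers)

        # Snapshot 1: one driver carries appended bytes (stand-in for the infection).
        (drivers / "b.sys").write_bytes(clean["b.sys"] + b"[constructed appended stub]")
        first = compare_to_baseline(drivers, baseline)

        # Snapshot 2: time-triggered re-infection. The old host is cured (restored
        # to its clean bytes), a different driver is infected, and a new file appears.
        (drivers / "b.sys").write_bytes(clean["b.sys"])
        (drivers / "c.sys").write_bytes(clean["c.sys"] + b"[constructed appended stub]")
        (drivers / "d.sys").write_bytes(b"placeholder driver not in the baseline")
        second = compare_to_baseline(drivers, baseline)
        return [first, second]


if __name__ == "__main__":
    for i, report in enumerate(demo(), 1):
        print(f"snapshot {i}: {report}")
```

Because the cured driver hashes back to its baseline value, a single snapshot only ever shows one modified driver; keeping the reports from successive snapshots is what reveals the movement between hosts.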
System recovery recommendations
1. Disconnect your computer from the local network and the Internet.
2. Download Dr.Web CureIt! from a known-clean computer that has Internet access.
3. Scan the affected computer with Dr.Web CureIt! and apply the "Cure" action to infected objects.