CastleCops, Internet Crime Fighters
RED ALERT: New Rootkits in the Wild
Forum: All -> FavForums -> Rootkit Revelations
Marianna

Security Expert
Premium Member

Joined: Nov 05, 2003
Posts: 11730

MVP Premium Rootkit Experts Security Experts

PostPosted: Mon May 19, 2008 3:36 pm    Post subject: Troj/NtRootK-DI

Troj/NtRootK-DI

Category: Viruses and Spyware

Type: Rootkit

Troj/NtRootK-DI is a rootkit Trojan for the Windows platform

Protection available since 19 May 2008

http://www.sophos.com/security/analyses/viruses-and-spyware/trojntrootkdi.html?_log_from=rss


_________________
"Wisdom is not a product of schooling but of the life-long attempt to acquire it."
- Albert Einstein (1879-1955)


Microsoft MVP - Consumer Security 2006 - 2008
Marianna

Security Expert
Premium Member

Joined: Nov 05, 2003
Posts: 11730

MVP Premium Rootkit Experts Security Experts

PostPosted: Wed May 21, 2008 2:59 pm    Post subject: Troj/NtRootK-DJ

Troj/NtRootK-DJ


Category: Viruses and Spyware

Type: Rootkit

Troj/NtRootK-DJ is a rootkit Trojan for the Windows platform.

Protection available since 21 May 2008

http://www.sophos.com/security/analyses/viruses-and-spyware/trojntrootkdj.html?_log_from=rss

Marianna

Security Expert
Premium Member

Joined: Nov 05, 2003
Posts: 11730

MVP Premium Rootkit Experts Security Experts

PostPosted: Thu May 22, 2008 5:28 am    Post subject: Troj/NtRootK-DK

Troj/NtRootK-DK

Category: Viruses and Spyware

Type: Rootkit


Troj/NtRootK-DK is a rootkit Trojan for the Windows platform.

Protection available since 22 May 2008

http://www.sophos.com/security/analyses/viruses-and-spyware/trojntrootkdk.html

Marianna

Security Expert
Premium Member

Joined: Nov 05, 2003
Posts: 11730

MVP Premium Rootkit Experts Security Experts

PostPosted: Fri May 23, 2008 5:49 am    Post subject: Troj/NtRootK-DM

Troj/NtRootK-DM

Category: Viruses and Spyware

Type: Rootkit

Troj/NtRootK-DM is a rootkit for the Windows platform.

Protection available since 23 May 2008

http://www.sophos.com/security/analyses/viruses-and-spyware/trojntrootkdm.html

Marianna

Security Expert
Premium Member

Joined: Nov 05, 2003
Posts: 11730

MVP Premium Rootkit Experts Security Experts

PostPosted: Fri May 23, 2008 2:34 pm    Post subject: Troj/NtRootK-DN

Troj/NtRootK-DN

Category: Viruses and Spyware

Type: Rootkit

Troj/NtRootK-DN is a rootkit Trojan for the Windows platform.

Affected operating systems: Windows

http://www.sophos.com/security/analyses/viruses-and-spyware/trojntrootkdn.html

Marianna

Security Expert
Premium Member

Joined: Nov 05, 2003
Posts: 11730

MVP Premium Rootkit Experts Security Experts

PostPosted: Fri May 23, 2008 2:43 pm    Post subject: Troj/Rootkit-CO

Troj/Rootkit-CO


Category: Viruses and Spyware

Type: Trojan

Troj/Rootkit-CO is a rootkit Trojan for the Windows platform.

Troj/Rootkit-CO may be installed by other malware, and is known to be copied over the existing <System>\drivers\vga.sys file.

Protection available since 23 May 2008

http://www.sophos.com/security/analyses/viruses-and-spyware/trojrootkitco.html

Marianna

Security Expert
Premium Member

Joined: Nov 05, 2003
Posts: 11730

MVP Premium Rootkit Experts Security Experts

PostPosted: Tue May 27, 2008 5:01 am    Post subject: Troj/Rootkit-CP

Troj/Rootkit-CP

Category: Viruses and Spyware

Type: Rootkit

Affected operating systems: Windows

Protection available since 27 May 2008

http://www.sophos.com/security/analyses/viruses-and-spyware/trojrootkitcp.html?_log_from=rss

Marianna

Security Expert
Premium Member

Joined: Nov 05, 2003
Posts: 11730

MVP Premium Rootkit Experts Security Experts

PostPosted: Sat May 31, 2008 8:13 pm    Post subject: Troj/RootKit-CQ

Troj/RootKit-CQ

Category: Viruses and Spyware

Type: Trojan

Troj/RootKit-CQ is a stealthing rootkit Trojan with keylogging functionality for the Windows platform.

When run the Trojan will drop a stealthing kernel driver and a DLL to the Windows system folder, which it will install as a service by modifying the following Netman registry entry:

HKLM\System\CurrentControlSet\Services\Netman\Parameters
ServiceDll
<System>\suddec.dll

Affected operating systems: Windows

Characteristics: Installs itself in the registry

Protection available since 31 May 2008

http://www.sophos.com/security/analyses/viruses-and-spyware/trojrootkitcq.html

AplusWebMaster

General


Joined: Mar 14, 2004
Posts: 4802
Location: USA

PostPosted: Sun Jun 01, 2008 3:41 pm    Post subject:

FYI...

DHS PDF
- CastleCops Link/p1094898-Targeted_attacks_escape_detection.html#1094898
June 1, 2008 - "... 'Looks like a Department of Homeland Security form G-325A. Look again... The SYS component is a -rootkit- that tries to hide all this activity on the infected machine. The backdoor tries to connect to port 80 of a host called nbsstt .3322 .org. Anybody operating this machine would have full access to the infected machine..."

Shocked


_________________
AplusWebMaster
~ Are you up to date or vulnerable to Hackers? ...or both?
Marianna

Security Expert
Premium Member

Joined: Nov 05, 2003
Posts: 11730

MVP Premium Rootkit Experts Security Experts

PostPosted: Thu Jun 05, 2008 2:32 pm    Post subject: Troj/NtRootK-DO

Troj/NtRootK-DO
Category: Viruses and Spyware

Type: Rootkit

Troj/NtRootK-DO is a rootkit Trojan for the Windows platform.


Protection available since 5 June 2008

http://www.sophos.com/security/analyses/viruses-and-spyware/trojntrootkdo.html?_log_from=rss

Marianna

Security Expert
Premium Member

Joined: Nov 05, 2003
Posts: 11730

MVP Premium Rootkit Experts Security Experts

PostPosted: Fri Jun 06, 2008 4:33 am    Post subject: W32/Tdibd-C

W32/Tdibd-C
Category: Viruses and Spyware

Type: Rootkit

W32/Tdibd-C is a multi-component rootkit worm for the Windows platform.

When run W32/Tdibd-C creates the following files:

<System>\_tdiserv_\autorun.inf - detected as W32/Tdibd-C
<System>\_tdiserv_\setup.exe - detected as W32/Tdibd-C
<System>\_tdiserv_\reckey.dll - detected as W32/Tdibd-C
<System>\_tdiserv_\tdiupdate.sys - detected as W32/Tdibd-C
<System>\_tdiserv_\_tdicli_.exe - detected as W32/Tdibd-C
<System>\_tdiserv_\config.dat - non-malicious and can be safely deleted
<System>\_tdiserv_\guid.txt - non-malicious and can be safely deleted

W32/Tdibd-C also creates the following folders:
<System>\_tdiserv_\CacheFile
<System>\_tdiserv_\SendFile

W32/Tdibd-C sets the following registry entry to run <System>\_tdiserv_\_tdicli_.exe on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
_tdiserv_
<System>\_tdiserv_\_tdicli_.exe

When run W32/Tdibd-C installs the rootkit <System>\_tdiserv_\tdiupdate.sys as a Windows service with the name "_tdiserv_HOOK" and a description of "TdiHook Update Driverr" and a startup of automatic. Registry entries are created under:

HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY__TDISERV_HOOK\
HKLM\SYSTEM\CurrentControlSet\Services\_tdiserv_HOOK\

W32/Tdibd-C also spreads via removable drives by copying itself to <Root>\ms.config\setup.exe and creating the file <Root>\autorun.inf. The file <Root>\autorun.inf (also detected as W32/NTRootK-CD) is designed to run the worm when the removable drive is connected to an uninfected computer.

W32/Tdibd-C uses the file <System>\_tdiserv_\reckey.dll to record keystrokes and mouse movements, storing the information to files under:

<System>\_tdiserv_\CacheFile
<System>\_tdiserv_\SendFile

Last updated 6 June 2008

http://www.sophos.com/security/analyses/viruses-and-spyware/w32tdibdc.html?_log_from=rss

Marianna

Security Expert
Premium Member

Joined: Nov 05, 2003
Posts: 11730

MVP Premium Rootkit Experts Security Experts

PostPosted: Fri Jun 06, 2008 2:14 pm    Post subject: Troj/NtRootK-DP

Troj/NtRootK-DP
Category: Viruses and Spyware

Type: Rootkit

Troj/NtRootK-DP is a rootkit Trojan for the Windows platform.


Protection available since 6 June 2008

http://www.sophos.com/security/analyses/viruses-and-spyware/trojntrootkdp.html

negster22

Security Expert
Premium Member

Joined: Mar 10, 2004
Posts: 5394

Moderators MVP Premium RootKit Detection Hosts Rootkit Experts Security Experts SRT

PostPosted: Sun Jun 08, 2008 7:09 pm    Post subject:

Rustock.C Analysis:
http://www.rootkit.com/newsread.php?newsid=879


_________________
Negster22 - MS MVP - Consumer Security 2006-2008
Marianna

Security Expert
Premium Member

Joined: Nov 05, 2003
Posts: 11730

MVP Premium Rootkit Experts Security Experts

PostPosted: Wed Jul 16, 2008 5:33 am    Post subject: Troj/Rootkit-DA

Troj/Rootkit-DA
Category: Viruses and Spyware

Type: Rootkit

Troj/Rootkit-DA copies itself to <System>\lanmanwrk.exe.

Troj/Rootkit-DA drops the file <System>\lanmandrv.sys which is also detected as Troj/Rootkit-DA.

Troj/Rootkit-DA registers itself as lanmandrv service.

Troj/Rootkit-DA creates the registry entry
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion
Run
<System>\lanmanwrk.exe clean

Troj/Rootkit-DA contains stealth functionality to hide its files, processes, and registry entries.

Protection available since 15 July 2008

http://www.sophos.com/security/analyses/viruses-and-spyware/trojrootkitda.html?_log_from=rss

Marianna

Security Expert
Premium Member

Joined: Nov 05, 2003
Posts: 11730

MVP Premium Rootkit Experts Security Experts

PostPosted: Wed Jul 16, 2008 5:35 am    Post subject: Troj/Rootkit-DB

Troj/Rootkit-DB
Category: Viruses and Spyware

Type: Rootkit


Troj/Rootkit-DB intercepts network traffic to and from the computer.

Troj/Rootkit-DB copies itself to <System>\userinit.exe. It renames the original userinit.exe to sdjeavd.tmp.

Protection available since 15 July 2008

http://www.sophos.com/security/analyses/viruses-and-spyware/trojrootkitdb.html?_log_from=rss

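Added example (not from this thread, from CastleCops or from Sophos): a Python checker that runs the registry persistence indicators quoted in the Troj/RootKit-CQ, W32/Tdibd-C and Troj/Rootkit-DA posts above over an exported list of autostart entries. The pipe-separated export format and the sample entries are constructed for this example; the only fact assumed beyond the posts is that the genuine Netman service host DLL is netman.dll.

```python
# Added example: scan exported autostart entries for the persistence patterns
# quoted in the advisories above. Input is a constructed format, one entry per
# line:  <registry key>|<value name>|<value data>

def classify(key, name, data):
    """Return a label for one autostart entry, or None if nothing matches."""
    k, n, d = key.lower(), name.lower(), data.lower()
    # Troj/RootKit-CQ: Netman's ServiceDll redirected to a dropped DLL (suddec.dll).
    if k.endswith("\\services\\netman\\parameters") and n == "servicedll":
        if d.rsplit("\\", 1)[-1] != "netman.dll":  # genuine Netman host DLL
            return "Netman ServiceDll hijack (Troj/RootKit-CQ pattern)"
        return None
    # W32/Tdibd-C: Run value "_tdiserv_" and service "_tdiserv_HOOK".
    if "_tdiserv_" in n or "_tdiserv_" in k or "\\_tdiserv_\\" in d:
        return "_tdiserv_ persistence (W32/Tdibd-C pattern)"
    # Troj/Rootkit-DA: Run entry launching <System>\lanmanwrk.exe clean.
    if k.endswith("\\currentversion\\run") and d.endswith("\\lanmanwrk.exe clean"):
        return "lanmanwrk.exe Run entry (Troj/Rootkit-DA pattern)"
    return None


def scan(lines):
    """Parse the exported lines and return [(label, key, name, data)] for hits."""
    hits = []
    for line in lines:
        line = line.strip()
        if not line or line.count("|") != 2:
            continue  # skip blanks and malformed records
        key, name, data = line.split("|")
        label = classify(key, name, data)
        if label:
            hits.append((label, key, name, data))
    return hits


# Constructed sample export: three entries matching the advisories, one benign.
SAMPLE = """
HKLM\\System\\CurrentControlSet\\Services\\Netman\\Parameters|ServiceDll|C:\\WINDOWS\\system32\\suddec.dll
HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run|_tdiserv_|C:\\WINDOWS\\system32\\_tdiserv_\\_tdicli_.exe
HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run|lanmanwrk|C:\\WINDOWS\\system32\\lanmanwrk.exe clean
HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run|ctfmon.exe|C:\\WINDOWS\\system32\\ctfmon.exe
""".splitlines()

if __name__ == "__main__":
    for label, key, name, _ in scan(SAMPLE):
        print(f"{label}: {key}\\{name}")
```

A real export would come from a registry dump or an autostart-listing tool; only the three matching entries are reported, the benign ctfmon.exe entry is not.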
Page 7 of 7