Prince_Serendip
Site Moderator
Joined: Sep 07, 2002 Posts: 17304
Posted: Sun Nov 26, 2006 8:21 pm    Post subject: RED ALERT: New Rootkits in the Wild
From time to time (and more often lately) we've been getting reports and alerts about new rootkits and trojan-rootkits. This is the place to post them. Later we can correlate them to actual fixes. Thanks.
**As these alerts may come from various sources, we are not endorsing any commercial products, simply reporting the facts.
_________________
Microsoft MVP Consumer Security 2006, 2007 & 2008
Marianna
Security Expert, Premium Member
Joined: Nov 05, 2003 Posts: 11725
Posted: Sun Nov 26, 2006 10:19 pm    Post subject: Troj/NtRootK-AX
Troj/NtRootK-AX
Type: Trojan
Protection available since: 26 November 2006 16:30:49 (GMT)
Troj/NtRootK-AX is a backdoor Trojan with rootkit functionality. When run Troj/NtRootK-AX creates a service with a name identical to the base filename of the Trojan file.
Troj/NtRootK-AX installs two drivers, xHide.sys and GxNdisHook.sys. The purpose of the drivers is to hide the presence of malicious files, registry entries and TCP ports used by malware.
Troj/NtRootK-AX provides the attacker with an interface for the remote control over the machine.
Recovery:
You can detect and remove this rootkit using Sophos Anti-Rootkit.
http://www.sophos.com/security/analyses/trojntrootkax.html
_________________
"Wisdom is not a product of schooling but of the life-long attempt to acquire it."
- Albert Einstein (1879-1955)
Microsoft MVP - Consumer Security 2006 - 2008
Marianna
Security Expert, Premium Member
Joined: Nov 05, 2003 Posts: 11725
Posted: Sun Dec 10, 2006 5:03 pm    Post subject: Troj/NTRootK-AY
Name: Troj/NTRootK-AY
Type: Trojan
Side effects: Reduces system security
Dropped by malware
Troj/NTRootK-AY is a Trojan for the Windows platform.
The Trojan may use stealth techniques in order to hide files, processes and registry entries.
Troj/NTRootK-AY may be installed by other malware.
http://www.sophos.com/virusinfo/analyses/trojntrootkay.html
Marianna
Security Expert, Premium Member
Joined: Nov 05, 2003 Posts: 11725
Posted: Sun Dec 10, 2006 5:07 pm    Post subject: Troj/NTRootK-AZ
Name: Troj/NTRootK-AZ
Type: Trojan
Side effects: Reduces system security
Dropped by malware
Troj/NTRootK-AZ is a Trojan for the Windows platform.
The Trojan may use stealth techniques in order to hide files, processes and registry entries.
Troj/NTRootK-AZ may be installed by other malware.
http://www.sophos.com/virusinfo/analyses/trojntrootkaz.html
Marianna
Security Expert, Premium Member
Joined: Nov 05, 2003 Posts: 11725
Posted: Wed Dec 13, 2006 4:34 pm    Post subject: Troj/NTRootK-BA
Name: Troj/NTRootK-BA
Type: Trojan
Affected operating systems: Windows
Troj/NTRootK-BA is a rootkit for the Windows platform that also sets the Internet Explorer start page.
http://www.sophos.com/security/analyses/trojntrootkba.html
quietman7
1st Responder Mentor
Joined: Sep 30, 2004 Posts: 3564 Location: Virginia, USA
Posted: Sun Dec 31, 2006 5:19 pm    Post subject: (none)
Anti Rootkit - Stealth Malware List (the rootkits are listed in order of find date)
http://www.antirootkit.com/rootkit-list.htm
_________________
"THE BAD GUYS DON'T NEED A SEARCH WARRANT. ARE YOU PROTECTED?"
Microsoft MVP - Windows Security 2007-2008
Marianna
Security Expert, Premium Member
Joined: Nov 05, 2003 Posts: 11725
Posted: Wed Jan 03, 2007 4:17 pm    Post subject: Troj/NTRootK-BB
Name: Troj/NTRootK-BB
Type: Trojan
Affected operating systems: Windows
Troj/NTRootK-BB is a rootkit for the Windows platform.
Troj/NTRootK-BB stealths files and processes so they cannot be easily found or removed.
http://www.sophos.com/virusinfo/analyses/trojntrootkbb.html
Marianna
Security Expert, Premium Member
Joined: Nov 05, 2003 Posts: 11725
Posted: Tue Jan 09, 2007 4:07 pm    Post subject: Troj/NTRootK-BC
Name: Troj/NTRootK-BC
Type: Trojan
Troj/NTRootK-BC is a rootkit for the Windows platform.
Troj/NTRootK-BC can stealth files and registry entries.
http://www.sophos.com/virusinfo/analyses/trojntrootkbc.html
Marianna
Security Expert, Premium Member
Joined: Nov 05, 2003 Posts: 11725
Posted: Wed Jan 17, 2007 7:04 am    Post subject: Troj/Agent-DZY
Troj/Agent-DZY
Aliases: TSPY_LEGMIR.AOS, Rootkit.Win32.Agent.dc
Type: Trojan
Protection available since: 17 January 2007 06:01:18 (GMT)
Troj/Agent-DZY is a DLL component helper Trojan for the Windows platform.
Once installed, Troj/Dropper-MZ may create the file <System>\drivers\KWatch1.sys. The file KWatch1.sys is also detected as Troj/Agent-DZY.
Troj/Agent-DZY also installs the file KWatch1.sys as a service "KWatch1" and creates registry entries under:
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_KWATCH1\
http://www.sophos.com/virusinfo/analyses/trojagentdzy.html
Marianna
Security Expert, Premium Member
Joined: Nov 05, 2003 Posts: 11725
Posted: Fri Jan 26, 2007 4:07 pm    Post subject: Troj/NTRootK-BD
Troj/NTRootK-BD
Type: Trojan
Troj/NTRootK-BD is a Trojan for the Windows platform.
Troj/NTRootK-BD contains functionality to hide or 'stealth' itself from the operating system. This stealthing may also extend to other files with which it is associated.
It may result in files, processes and registry entries being invisible to the user.
http://www.sophos.com/virusinfo/analyses/trojntrootkbd.html
Marianna
Security Expert, Premium Member
Joined: Nov 05, 2003 Posts: 11725
Posted: Tue Jan 30, 2007 7:13 am    Post subject: Troj/NTRootK-BE
Troj/NTRootK-BE
Type: Trojan
Affected operating systems: Windows
Side effects: Reduces system security
Aliases: Trojan-PSW.Win32.Small.bs, Win32/PSW.Small.NAJ, Infostealer.Snifula.B, TROJ_SMALL.EME
Troj/NTRootK-BE is a kernel-mode driver rootkit for the Windows platform.
Troj/NTRootK-BE is capable of hiding information about certain processes, files and registry entries passed to it by another program.
http://www.sophos.com/virusinfo/analyses/trojntrootkbe.html
Marianna
Security Expert, Premium Member
Joined: Nov 05, 2003 Posts: 11725
Posted: Thu Feb 01, 2007 4:20 pm    Post subject: Troj/Agent-EBK
Name: Troj/Agent-EBK
Type: Spyware Trojan
Aliases: Backdoor.Win32.PcClient.tl, Backdoor.Win32.PcClient.pq, BackDoor-CKB.dr
Troj/Agent-EBK is a keylogging Trojan with rootkit functionality.
When Troj/Agent-EBK is first installed, it creates the files
<System>\Ygyfrmrh.d1l
<System>\Ygyfrmrh.dll
<System>\Ygyfrmrh.sys
These files are also detected as Troj/Agent-EBK.
Ygyfrmrh.sys is installed as a system driver, providing stealth functionality in order to hide all three of the installed files.
Troj/Agent-EBK monitors keyboard activity and periodically sends all logged keypresses to a remote location via HTTP forms.
http://www.sophos.com/virusinfo/analyses/trojagentebk.html
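The Troj/Agent-DZY and Troj/Agent-EBK posts above both describe the same pattern: a .sys file registered as a service, which then hides its own files from the user. The PowerShell script below is an added defender-side example (not code from Sophos or from this thread) that cross-checks three views that a rootkit has to hook separately, the Services hive, the PnP LEGACY_* keys and what the Service Control Manager reports, and flags any driver for which they disagree. It assumes an elevated prompt on Windows; the driver names taken from the posts serve only as an illustrative watch list.

```powershell
# Cross-view check for kernel drivers. Assumption: run elevated; names in $watchList come from the
# posts above and are illustrative only (replace with your own list).
$servicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$legacyKey   = 'HKLM:\SYSTEM\CurrentControlSet\Enum\Root'
$watchList   = @('KWatch1', 'xHide', 'GxNdisHook', 'Ygyfrmrh')

# View 1: kernel-mode (Type 1) and file-system (Type 2) drivers registered in the Services hive.
$registered = @(Get-ChildItem $servicesKey | ForEach-Object {
    $p = Get-ItemProperty -LiteralPath $_.PSPath -ErrorAction SilentlyContinue
    if ($p.Type -in 1, 2 -and $p.ImagePath) {
        # Normalise the ImagePath spellings seen in the hive: "\??\C:\...", "\SystemRoot\...", "system32\drivers\..."
        $img = $p.ImagePath -replace '^\\\?\?\\', '' -replace '^\\SystemRoot\\', "$env:SystemRoot\"
        if ($img -notmatch '^[A-Za-z]:\\') { $img = Join-Path $env:SystemRoot $img }
        [pscustomobject]@{ Name = $_.PSChildName; ImagePath = $img }
    }
})

# View 2: drivers the Service Control Manager is willing to enumerate.
$visibleToScm = @((Get-CimInstance Win32_SystemDriver).Name)

# View 3: LEGACY_<service> keys the PnP manager writes when a driver first loads (the post on
# Troj/Agent-DZY shows LEGACY_KWATCH1); they often outlive a service entry that hides itself.
$legacy = @(Get-ChildItem $legacyKey -ErrorAction SilentlyContinue |
    Where-Object { $_.PSChildName -like 'LEGACY_*' } |
    ForEach-Object { $_.PSChildName.Substring(7) })

$findings = [System.Collections.Generic.List[object]]::new()
foreach ($d in $registered) {
    $why = @()
    if ($d.Name -notin $visibleToScm)            { $why += 'in Services hive but not reported by SCM' }
    if (-not (Test-Path -LiteralPath $d.ImagePath)) { $why += 'ImagePath not visible on disk' }
    if ($d.Name -in $watchList)                  { $why += 'matches watch list' }
    if ($why) { $findings.Add([pscustomobject]@{ Driver = $d.Name; ImagePath = $d.ImagePath; Why = $why -join '; ' }) }
}
# A LEGACY_ key with no Services entry and no SCM record: the driver loaded once, then its service vanished.
foreach ($l in $legacy) {
    if ($l -notin $registered.Name -and $l -notin $visibleToScm) {
        $findings.Add([pscustomobject]@{ Driver = $l; ImagePath = '(none)'; Why = 'LEGACY_ key without a Services entry' })
    }
}
if ($findings.Count) { $findings | Format-Table -AutoSize } else { 'No cross-view disagreements found.' }
```

A driver that also hooks registry enumeration will hide from this check as well, which is why the posts above point to dedicated anti-rootkit tools; treat a clean result as a first pass, not a clearance.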
Marianna
Security Expert, Premium Member
Joined: Nov 05, 2003 Posts: 11725
Posted: Fri Feb 02, 2007 6:33 am    Post subject: Hacktool.Unreal.A
Hacktool.Unreal.A
Discovered: February 1, 2007
Updated: February 1, 2007 05:08:10 PM PST
Type: Trojan Horse
Infection Length: 66,656 bytes
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP
Hacktool.Unreal.A is a proof of concept stealth rootkit that is designed to be invisible to all current rootkit detection technologies.
Hacktool.Unreal.A arrives as the following file:
unreal.exe - installer
http://www.symantec.com/enterprise/security_response/writeup.jsp?docid=2007-020111-4820-99&tabid=2
Marianna
Security Expert, Premium Member
Joined: Nov 05, 2003 Posts: 11725
Posted: Sun Feb 18, 2007 7:38 am    Post subject: Troj/Rootkit-BD
Troj/Rootkit-BD
Type: Trojan
Aliases: Rootkit.Win32.Delf.e, Win32/Rootkit.Delf.E
Troj/Rootkit-BD is a Trojan for the Windows platform.
Troj/Rootkit-BD contains the functionality to intercept various system API calls to provide stealthing.
http://www.sophos.com/virusinfo/analyses/trojrootkitbd.html
Marianna
Security Expert, Premium Member
Joined: Nov 05, 2003 Posts: 11725
Posted: Thu Feb 22, 2007 6:14 am    Post subject: Troj/Rootkit-BF
Troj/Rootkit-BF
Type: Trojan
Affected operating systems: Windows
Side effects: Modifies data on the computer
Troj/Rootkit-BF is a rootkit for the Windows platform.
http://www.sophos.com/security/analyses/trojrootkitbf.html