Detect Date | 07/15/2010 |
Class | Worm |
Platform | Win32 |
Description |
Using the driver %System%\drivers\mrxnet.sys, the rootkit attaches itself as a filter driver to the following file system devices:
    \FileSystem\ntfs
    \FileSystem\fastfat
    \FileSystem\cdfs
and thereby obtains control of the infected computer's file system.

The rootkit hides files with names of the form ~WTR<rnd>.tmp, where <rnd> is a random four-digit number, e.g.:
    ~WTR4132.tmp
    ~WTR4141.tmp
It also hides files with the extension LNK and a file size of exactly 4171 bytes.

The rootkit file carries a Realtek Semiconductor Corp digital signature. It contains the following string:
    b:\myrtus\src\objfre_w2k_x86\i386\guava.pdb

Using the driver %System%\drivers\mrxcls.sys, the malicious program injects malicious code into user-mode processes. To do this, it loads a DLL into the following system processes:
    svchost.exe
    services.exe
    lsass.exe
after which their module lists contain libraries with names of the form:
    kernel32.dll.aslr.<rnd>
    shell32.dll.aslr.<rnd>
where <rnd> is a random hexadecimal number.

The injected code is stored in encrypted form in the file %WinDir%\inf\oem7A.PNF and contains the malicious program's main functionality. This includes:
|
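The hiding and injection criteria in the description above can be turned into a simple triage check. The following Python helper is an added example, not the vendor's code: it applies the ~WTR<rnd>.tmp name pattern, the 4171-byte LNK size and the <name>.dll.aslr.<hex> module pattern (generalised beyond the two names on the page) to a constructed file listing and module list; the sample data is invented.

```python
import re

# Indicators from the description above, as an added detection helper (not the
# vendor's code): ~WTR<rnd>.tmp with a four-digit <rnd>, .lnk files of exactly
# 4171 bytes, and injected module names of the form <name>.dll.aslr.<hex>.
WTR_TMP = re.compile(r"^~WTR\d{4}\.tmp$", re.IGNORECASE)
LNK_SIZE = 4171
# Generalised beyond the two names on the page: any module ending in .dll.aslr.<hex>
ASLR_MODULE = re.compile(r"^[^\\/]+\.dll\.aslr\.[0-9a-fA-F]+$")


def suspicious_files(listing):
    """listing: iterable of (file name, size in bytes), e.g. from an offline or
    raw-disk scan, since the rootkit hides these entries from the live system.
    Returns (name, reason) pairs for entries matching the hiding criteria."""
    hits = []
    for name, size in listing:
        if WTR_TMP.match(name):
            hits.append((name, "hidden ~WTR<rnd>.tmp name"))
        elif name.lower().endswith(".lnk") and size == LNK_SIZE:
            hits.append((name, "LNK of 4171 bytes"))
    return hits


def suspicious_modules(process_modules):
    """process_modules: dict of process name -> list of loaded module names.
    Returns dict of process -> matching module names; every process is checked,
    not only the three injection targets named on the page."""
    found = {}
    for proc, modules in process_modules.items():
        bad = [m for m in modules if ASLR_MODULE.match(m)]
        if bad:
            found[proc] = bad
    return found


# Constructed sample inputs (not real captures).
SAMPLE_LISTING = [
    ("readme.txt", 120),
    ("~WTR4132.tmp", 8192),
    ("~WTR4141.tmp", 4096),
    ("~WTR12345.tmp", 1000),  # five digits: does not match the pattern
    ("shortcut.lnk", 4171),
    ("other.lnk", 1024),
]
SAMPLE_MODULES = {
    "lsass.exe": ["ntdll.dll", "kernel32.dll.aslr.01a3f"],
    "svchost.exe": ["ntdll.dll", "shell32.dll.aslr.7b2c"],
    "explorer.exe": ["ntdll.dll", "shell32.dll"],
}
```

Because the rootkit filters live directory listings, the file check is only meaningful against data gathered outside the infected system's view (an offline image or a raw volume read); the module check can be run against live process module lists.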