-- Update March 6, 2003 --
AVERT has received a new variant of the kernel driver stealth module from a customer. This file P2.SYS is 8192 bytes in length.
The module again hooks various low level kernel file, registry and process APIs in order to hide trojans from casual observers and system monitoring software.
The only sign of the presence of this new variant is that the System Info tool shows the entry
P2.SYS PentiumII Processor Driver
in the list of drivers under the Software Environment.
Detection of this trojan will be included in 4252 DATs.
-- Update January 31, 2003 --
AVERT is currently analyzing a variant of this threat (filename IPSECHLP.DLL), initial reports suggest that it listens on TCP Port 449 and uses the service name "IPSEC Helper Services". Detection for this .DLL will be included in the next DAT release (4246).
The server component of this Remote Access Trojan utilizes a kernel mode driver to operate in stealth mode. Thus the file and process associated with the backdoor (together with Registry keys relating to it) remain hidden.
The server component (VMM32421.EXE: 27,136 bytes) is detected as BackDoor-ALI by McAfee products running the 4229 DATs or greater.
The kernel mode driver (IERK8243.SYS: 7,264 bytes) is detected as BackDoor-ALI.sys with the 4245 DATs.
Due to its stealthing capabilities, this threat will not be detected by conventional AV scanning after trojan installation has occured: restarting in safe mode is required for detection and removal.
When run, the backdoor trojan installs itself as a service on the victim machine. The service characteristics are set under the following Registry keys:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\vmm32421
With the following characteristics:
Description: Virtual Memory Manager
Display Name: Virtual Memory Manager
Image Path: (location of server file)
Startup Type: Automatic
Note: When the stealthing driver is installed on the system as well, these Registry entries will be hidden.
The server opens port 961 on the victim machine.
Kernel Mode Driver
This driver enables other trojans to operate in stealth mode, hiding their process, files and Registry keys. A reboot is required to complete the installation of the stealthing driver.
The following Registry key indicates installation of this driver (this will only be visible when machine is restarted in Safe Mode):HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ierk8243
The service has the following characteristics:
Startup Type: Automatic
Image Path: \System32\drivers
The driver hooks low-level Kernel file and Registry I/O functions. The method used for hooking system calls is likely to be similar to that used by well-known legitimate software. The driver contains the following string in its body:slanretnisys