Virus Profile: VAnti.sys

Virus Profile information details
Risk Assessment: Home Low | Corporate Low
Date Discovered: 10/08/2006
Date Added: 10/08/2006
Origin: N/A
Length: varies
Type: Trojan
Subtype: Rootkit
DAT Required: 4826

Description

This detection covers several versions of a rootkit for Windows NT/2000/XP. It hooks the operating system at a very low level, allowing it to conceal its presence very effectively. Once installed, the rootkit is capable of hiding files, processes, services, and registry information.

Indication of Infection

The rootkit can be customized to hide processes and files. Exact filenames and process names will vary with each variant.

Methods of Infection

Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, etc.

Aliases

Rootkit.Win32.Vanti (Kaspersky), Trojan.Vanti (Doctor Web), W32/Vanti.DF!tr.rkit (Fortinet), W32/Vanti.DT (Norman), Win32/Vanti!generic (CA)

Virus Characteristics

Vanti.sys is the rootkit component responsible for hiding the presence of the trojan on an infected system. It hooks into the System Service Descriptor Table (SSDT) and alters the addresses corresponding to the NTXXX functions implemented in Ntoskrnl.exe.

The following NTXXX functions are replaced with pointers to the rootkit code.

  • NtCreateFile
  • NtEnumerateKey
  • NtEnumerateValueKey
  • NtOpenProcess
  • NtQueryDirectoryFile
  • NtQuerySystemInformation

Once the rootkit is loaded, it hides files and processes as specified by the author.
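The hooking described above leaves a detectable trace: a service table entry that no longer points into Ntoskrnl.exe. The following user-mode simulation, added here as an example and not McAfee's or the rootkit's code, shows the two checks a rootkit scanner runs over an SSDT copy: a range check against the kernel image and a diff against a known-good baseline. The image range, table contents and hooked addresses are constructed values, not real ones.

```c
/* Added example: SSDT integrity check simulated in user mode.
 * A real scanner reads the live KeServiceDescriptorTable from kernel
 * mode; here every address is a constructed (hypothetical) value. */
#include <stdint.h>
#include <stdio.h>

#define NUM_SERVICES 6

/* Constructed address range of the loaded ntoskrnl.exe image. */
static const uintptr_t NTOSKRNL_BASE = 0x80400000u;
static const uintptr_t NTOSKRNL_SIZE = 0x00200000u;

/* The six services the profile lists, in table order. */
static const char *service_names[NUM_SERVICES] = {
    "NtCreateFile", "NtEnumerateKey", "NtEnumerateValueKey",
    "NtOpenProcess", "NtQueryDirectoryFile", "NtQuerySystemInformation"
};

/* Baseline table: every entry points inside the ntoskrnl image. */
static const uintptr_t clean_ssdt[NUM_SERVICES] = {
    0x80570100u, 0x805a2200u, 0x805a2480u,
    0x805c1010u, 0x80571b40u, 0x805e0a30u
};

/* Same table after the rootkit driver replaced all six entries with
 * addresses inside its own image (constructed, outside the kernel range). */
static const uintptr_t hooked_ssdt[NUM_SERVICES] = {
    0xf8a01220u, 0xf8a01340u, 0xf8a01460u,
    0xf8a01580u, 0xf8a016a0u, 0xf8a017c0u
};

/* Range heuristic: returns 1 if the entry lies outside the kernel image. */
int entry_is_hooked(uintptr_t target, uintptr_t base, uintptr_t size)
{
    return target < base || target >= base + size;
}

/* Scans a table with the range heuristic, reports each hooked service
 * by name and returns how many entries were flagged. */
int scan_ssdt(const uintptr_t *table, size_t count,
              uintptr_t base, uintptr_t size)
{
    int hooks = 0;
    for (size_t i = 0; i < count; i++) {
        if (entry_is_hooked(table[i], base, size)) {
            hooks++;
            printf("hooked: %-26s -> %#lx (outside ntoskrnl)\n",
                   service_names[i], (unsigned long)table[i]);
        }
    }
    return hooks;
}

/* Baseline comparison: returns the number of entries that differ from a
 * trusted snapshot taken before the system could have been infected. */
int diff_ssdt(const uintptr_t *current, const uintptr_t *baseline, size_t count)
{
    int changed = 0;
    for (size_t i = 0; i < count; i++)
        if (current[i] != baseline[i]) changed++;
    return changed;
}
```

The range check needs no prior snapshot but misses hooks that redirect within the kernel image; the baseline diff catches those but only if the snapshot predates the infection.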

Removal Instructions

A combination of the latest DATs and the Engine will be able to detect and remove this threat. AVERT recommends that users not trust seemingly familiar or safe file icons, particularly when received via P2P clients, IRC, email or other media where users can share files.
