Les informations contenues dans cette rubrique de notre site web sont constamment mises à jour. Afin de vous garantir un contenu le plus actualisé possible, elles sont uniquement diffusées en anglais.

Virus Profile: Generic Rootkit.dt.dr

Threat Search
Imprimer
   
Virus Profile information details
Risk Assessment: Home Low-Profiled | Corporate Low-Profiled
Date Discovered: 10/11/2009
Date Added: 10/11/2009
Origin: N/A
Length: Varies
Type: Trojan
Subtype: Dropper
DAT Required: 5799
Removal Instructions
   
 
 
   

Description

This detection is for a trojan dropper, which when executed drops Generic Rootkit.dt. The characteristics of this malware with regards to file names, files dropped etc. can differ from one version to another, depending on the way in which the attacker had configured it.

Indication of Infection

Presence of files and registry entries mentioned earlier

Methods of Infection

Trojans do not self-replicate. They spread manually, often under the premise that the executable is something beneficial. They may also be received as a result of poor security practices, or un-patched machines and vulnerable systems.

Distribution channels include IRC, peer-to-peer networks, email, newsgroups postings, etc.

Aliases

Backdoor.Win32.Agent.alhu [Kaspersky], Backdoor:WinNT/Festi.A [Microsoft], Dropper.Win32.Mnless.epy [Rising], Win32/Festi.A [CA eTrust]
   

Virus Characteristics

-- Update November 10, 2009 --
The risk assessment of this threat has been updated to Low-Profiled due to media attention at: http://www.darkreading.com/security/vulnerabilities/showArticle.jhtml?articleID=221600694

--

When executed, this malware drops the following files:

  • %Temp%\[Random file name].bat [Non malicious batch file]
  • %System%\drivers\[Random file name].sys [Detected as Generic Rootkit.dt]

The sys file dropped above is installed as a kernel-mode driver.

Note:

  • %Temp% is a variable that refers to the Windows temporary folder
  • %System% is a variable that refers to the System folder

The malware then creates the following registry entries to ensure its exeuction as a Windows service when the infected machine reboots:

  • HKEY_Local_Machine\System\CurrentControlSet\Services\zacypxeepnjv7
    ImagePath = "%System%\Drivers\[Random file name].sys"
    DisplayName = "[Random filename]"

 

   

A combination of the latest DATs and the Engine will be able to detect and remove this threat. AVERT recommends users not to trust seemingly familiar or safe file icons, particularly when received via P2P clients, IRC, email or other media where users can share files.

Additional Windows ME/XP removal considerations

   

Un ordinateur infecté ? Obtenez l'aide d'un expert !

McAfee
Service de suppression des virus

Contactez l'un de nos spécialistes en sécurité par téléphone. Regardez votre PC pendant que nous résolvons le problème à distance.

$89.95 (USD)

Publicité