McAfee > Theat Center > Virus Detail Page

Overview

This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.

Characteristics

This is a backdoor trojan that operates in stealth mode. It hides its processes, directory, files and registry keys. When run, it installs itself as a service on the victim's machine. The following keys are created and visible:

• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_RTKIT
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NPF

Other registry keys associated with these services are hidden.

It creates the following directory and files:

• \winnt\system32\RtKit
• \winnt\system32\RtKit\Rtkit.exe
• \winnt\system32\RtKit\globalc.dll
• \winnt\system32\RtKit\npf.sys
• \winnt\system32\RtKit\ntcs.dll
• \winnt\system32\RtKit\packet.dll

These files are also hidden. They are visible if the system is in safe mode. In safe mode, a service named "RtKit" is also visible.

The backdoor can communicate with the client in 4 ways (userdefined, Icmp, Udp, Tcp). In Tcp mode, it can use any open port on the machine. Default port is 445.

The backdoor can perform following operations on the victim's machine:

• Hide/UnHide the file or directory
• Hide/UnHide process
• Hide/UnHide a registry key
• Hide/UnHide a registry value
• Hide/UnHide a User
• Hide/UnHide a Service
• Get the remote file to local computer
• Put the local file to remote computer
• Key log
• Perform DDos to other machine
• Set various passwords
• Show all processes on remote machine
• Kill the process with the id or name
• Reboot the targer computer
• Open a command shell

Symptoms

Existence of the registry keys mentioned above.

Method of Infection

Hacker can gain access to remote machine, install the trojan on remote machine.

Removal

All Windows Users:
Use current engine and DAT files for detection and removal. An active infection requires users to reboot into Safe Mode prior to scanning/removing of the trojan.

Manual Removal Instructions

• Restart Windows in Safe Mode
• Delete the following registry keys: (Information on deleting registry keys)
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RtKit
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NPF
• Delete the following files:
  • \winnt\system32\RtKit\Rtkit.exe
  • \winnt\system32\RtKit\globalc.dll
  • \winnt\system32\RtKit\npf.sys
  • \winnt\system32\RtKit\ntcs.dll
  • \winnt\system32\RtKit\packet.dll
• Restart the computer

Additional Windows ME/XP removal considerations

Variants

Variants

N/A

All Information

Overview -

This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.

Characteristics

Characteristics -

This is a backdoor trojan that operates in stealth mode. It hides its processes, directory, files and registry keys. When run, it installs itself as a service on the victim's machine. The following keys are created and visible:

• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_RTKIT
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NPF

Other registry keys associated with these services are hidden.

It creates the following directory and files:

• \winnt\system32\RtKit
• \winnt\system32\RtKit\Rtkit.exe
• \winnt\system32\RtKit\globalc.dll
• \winnt\system32\RtKit\npf.sys
• \winnt\system32\RtKit\ntcs.dll
• \winnt\system32\RtKit\packet.dll

These files are also hidden. They are visible if the system is in safe mode. In safe mode, a service named "RtKit" is also visible.

The backdoor can communicate with the client in 4 ways (userdefined, Icmp, Udp, Tcp). In Tcp mode, it can use any open port on the machine. Default port is 445.

The backdoor can perform following operations on the victim's machine:

• Hide/UnHide the file or directory
• Hide/UnHide process
• Hide/UnHide a registry key
• Hide/UnHide a registry value
• Hide/UnHide a User
• Hide/UnHide a Service
• Get the remote file to local computer
• Put the local file to remote computer
• Key log
• Perform DDos to other machine
• Set various passwords
• Show all processes on remote machine
• Kill the process with the id or name
• Reboot the targer computer
• Open a command shell

Symptoms

Symptoms -

Existence of the registry keys mentioned above.

Method of Infection

Method of Infection -

Hacker can gain access to remote machine, install the trojan on remote machine.

Removal -

Removal -

All Windows Users:
Use current engine and DAT files for detection and removal. An active infection requires users to reboot into Safe Mode prior to scanning/removing of the trojan.

Manual Removal Instructions

• Restart Windows in Safe Mode
• Delete the following registry keys: (Information on deleting registry keys)
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RtKit
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NPF
• Delete the following files:
  • \winnt\system32\RtKit\Rtkit.exe
  • \winnt\system32\RtKit\globalc.dll
  • \winnt\system32\RtKit\npf.sys
  • \winnt\system32\RtKit\ntcs.dll
  • \winnt\system32\RtKit\packet.dll
• Restart the computer

Additional Windows ME/XP removal considerations

Variants

Variants -

N/A