McAfee > Theat Center > Virus Detail Page

Overview

W32/Detnat.a is a parasitic file infector and network worm that searches local drives and network shares for executable files and infects them. It contains rootkit capabilities and attempts to download a variant of the PWS-Lineage trojan from compromised websites.

Aliases

• PE_DETNAT.A (Trend Micro)

• W32.Detnat (Symantec)

• Win32.Detnat.A (Avira)

• Win32/Detnat.A (ESET)

• Worm.Win32.Detnat.a (Symantec)

• Worm/Detnat.A (Grisoft)

• Worm/Detnat.A.2 (BitDefender)

Characteristics

Upon execution, it creates the following file:

%WINDIR%\%SYSDIR%\voot.sys

Creates the following registry key to autostart its rootkit component as a service:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\
"delphi" = "%Windir%\%SYSDIR%\voot.sys" 

Symptoms

Rootkit Component:

"voot.sys" is the rootkit component of this virus and is responsible for hiding the presence of the virus on an infected system. It hooks into the System Service Descriptor Table (SSDT) and alters the addresses corresponding to the NTXXX functions implemented in Ntoskrnl.exe

The following NTXXX functions are replaced with pointers to the rootkit code.

• NTQUERYSYSTEMINFORMATION

Downloader Component:

Connects to the following websites to download a variant of the PWS-Lineage trojan.

http://www.yettz.com/Removed]/image/re.wos
http://www.cinetown.co.kr/Removed]/asx/mvp.wos
http://www.cinetown.co.kr/[Removed]/images/pop.wos

Method of Infection

W32/Detnat.a infects executable files found on local drives and network shares. During the infection process, the virus compresses a portion of the targeted executable file and stores the compressed and remaining uncompressed portion of the original file in its data section. By employing this technique, the virus attempts to maintain the targeted file's original size prior to infection.

It avoids infecting executable files located in the Windows folder.

Removal

A combination of the latest DATs and the Engine will be able to detect and remove this threat. AVERT recommends users not to trust seemingly familiar or safe file icons, particularly when received via P2P clients, IRC, email or other media where users can share files.

Additional Windows ME/XP removal considerations

Variants

Variants

N/A

All Information

Overview -

W32/Detnat.a is a parasitic file infector and network worm that searches local drives and network shares for executable files and infects them. It contains rootkit capabilities and attempts to download a variant of the PWS-Lineage trojan from compromised websites.

Aliases

• PE_DETNAT.A (Trend Micro)

• W32.Detnat (Symantec)

• Win32.Detnat.A (Avira)

• Win32/Detnat.A (ESET)

• Worm.Win32.Detnat.a (Symantec)

• Worm/Detnat.A (Grisoft)

• Worm/Detnat.A.2 (BitDefender)

Characteristics

Characteristics -

Upon execution, it creates the following file:

%WINDIR%\%SYSDIR%\voot.sys

Creates the following registry key to autostart its rootkit component as a service:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\
"delphi" = "%Windir%\%SYSDIR%\voot.sys" 

Symptoms

Symptoms -

Rootkit Component:

"voot.sys" is the rootkit component of this virus and is responsible for hiding the presence of the virus on an infected system. It hooks into the System Service Descriptor Table (SSDT) and alters the addresses corresponding to the NTXXX functions implemented in Ntoskrnl.exe

The following NTXXX functions are replaced with pointers to the rootkit code.

• NTQUERYSYSTEMINFORMATION

Downloader Component:

Connects to the following websites to download a variant of the PWS-Lineage trojan.

http://www.yettz.com/Removed]/image/re.wos
http://www.cinetown.co.kr/Removed]/asx/mvp.wos
http://www.cinetown.co.kr/[Removed]/images/pop.wos

Method of Infection

Method of Infection -

W32/Detnat.a infects executable files found on local drives and network shares. During the infection process, the virus compresses a portion of the targeted executable file and stores the compressed and remaining uncompressed portion of the original file in its data section. By employing this technique, the virus attempts to maintain the targeted file's original size prior to infection.

It avoids infecting executable files located in the Windows folder.

Removal -

Removal -

A combination of the latest DATs and the Engine will be able to detect and remove this threat. AVERT recommends users not to trust seemingly familiar or safe file icons, particularly when received via P2P clients, IRC, email or other media where users can share files.

Additional Windows ME/XP removal considerations

Variants

Variants -

N/A