Generic Rootkit.d
- Type: Trojan
- SubType: Win32
- Discovery Date: 11/20/2006
- Length: Varies
- Minimum DAT: 4900 (11/20/2006)
- Updated DAT: 6539 (11/23/2011)
- Minimum Engine: 5.1.00
- Description Added: 11/20/2006
- Description Modified: 07/10/2008 12:30 AM (PT)
Characteristics
This detection, Generic RootKit.d, covers several specific trojan variants, so this description is meant as a general guide.
Rootkits are programs (device drivers) that can potentially be used with any malware to hide (stealth) files, processes, registry keys, and network connections. Additionally, they make it harder to detect or remove the malware. This is one of the generic detections for this class of malicious programs.
As new trojans are frequently added to this detection, users are recommended to use the latest engine/DAT combination for optimal detection.
Exact details (filenames, Registry keys, file size) will vary between variants.
One of the most common techniques used by such programs is hooking into the kernel's System Service Descriptor Table (SSDT) and altering the entries that hold the addresses of the Nt* functions implemented in Ntoskrnl.exe, so that those system calls are dispatched to the rootkit's own code and their results can be filtered before they reach the caller.
Once the rootkit is loaded, it hides files and processes as specified by the author.
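The SSDT technique described above has a direct defensive counterpart: in a clean table every dispatch address resolves into the kernel image, so an entry that resolves into some other module (or into no loaded module) is a hook candidate. The following is an added example, not code from the McAfee description; it runs the check offline over a constructed snapshot (module names, base addresses, sizes and service indexes are all illustrative, including the hypothetical "rootkit.sys" driver) of the kind a memory-dump or forensic tool would provide.

```python
# Added example, not part of the McAfee description: an offline SSDT integrity
# check over a constructed snapshot of the kind a forensic dump tool produces.
# Every dispatch address in a clean System Service Descriptor Table lies inside
# ntoskrnl.exe; an entry that points into some other module, or into no loaded
# module at all, is a hook candidate worth attributing and investigating.
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Module:
    """A loaded kernel module: image name plus its virtual address range."""
    name: str
    base: int
    size: int

    def contains(self, addr: int) -> bool:
        return self.base <= addr < self.base + self.size


@dataclass(frozen=True)
class Finding:
    """One SSDT slot whose dispatch address does not resolve into the kernel."""
    index: int
    address: int
    owner: Optional[str]  # module that owns the address, or None if unmapped


# Constructed sample data; names, bases and sizes are illustrative only.
MODULES: List[Module] = [
    Module("ntoskrnl.exe", 0x804D7000, 0x1F8000),
    Module("hal.dll", 0x806CF000, 0x20000),
    Module("rootkit.sys", 0xF7A10000, 0x4000),  # hypothetical rootkit driver
]

# Constructed service table: service index -> dispatch address.
SSDT: Dict[int, int] = {
    0x19: 0x805B4C8A,  # resolves inside ntoskrnl.exe (clean)
    0x25: 0xF7A11020,  # redirected into rootkit.sys
    0x91: 0xF7A11340,  # redirected into rootkit.sys
    0xAD: 0x805C0F10,  # resolves inside ntoskrnl.exe (clean)
    0xB2: 0x00000000,  # resolves to no loaded module at all
}


def resolve(addr: int, modules: List[Module]) -> Optional[str]:
    """Return the name of the module whose range contains addr, or None."""
    for m in modules:
        if m.contains(addr):
            return m.name
    return None


def find_hooks(ssdt: Dict[int, int], modules: List[Module],
               kernel: str = "ntoskrnl.exe") -> List[Finding]:
    """Report every SSDT slot whose target lies outside the kernel image."""
    kernel_images = [m for m in modules if m.name.lower() == kernel.lower()]
    if not kernel_images:
        raise ValueError("kernel image %r not present in module list" % kernel)
    findings: List[Finding] = []
    for index in sorted(ssdt):
        addr = ssdt[index]
        if any(k.contains(addr) for k in kernel_images):
            continue  # normal: dispatch stays inside ntoskrnl.exe
        findings.append(Finding(index, addr, resolve(addr, modules)))
    return findings


def group_by_owner(findings: List[Finding]) -> Dict[str, List[int]]:
    """Group hooked slot indexes by the module they were redirected into."""
    grouped: Dict[str, List[int]] = {}
    for f in findings:
        grouped.setdefault(f.owner or "<unmapped>", []).append(f.index)
    return grouped


if __name__ == "__main__":
    for owner, slots in group_by_owner(find_hooks(SSDT, MODULES)).items():
        print("%-12s %s" % (owner, ", ".join("0x%02X" % s for s in slots)))
```

Attributing each redirected slot to its owning module is the useful part: on the pre-PatchGuard 32-bit systems this detection targets, some legitimate security products also hooked the SSDT, so a finding is a lead to be checked against the driver's signature and vendor rather than proof of infection on its own. An unmapped target is the stronger signal, since no legitimate hook points outside every loaded image.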
Symptoms
Unfortunately, the whole purpose of rootkit programs is to hide the symptoms of malicious activity. They can potentially hide running processes, files, registry keys, network activity, etc. A specific rootkit variant may not be "perfect", in the sense that it may leave some symptoms (files, registry entries, processes, network activity) unhidden, and those can give it away.
General symptoms for this Generic RootKit.d detection can be things such as:
- Reduced system performance while Task Manager shows no processes with high utilization
- Increased disk space usage without evidence of the files to account for it
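The first symptom above (load with no visible busy process) is what a cross-view check is designed to turn into a concrete finding: the process list that Task Manager shows is compared with a second enumeration obtained by a lower-level route, and anything present in the low-level view but missing from the high-level one is being hidden. The code below is an added example, not from the McAfee description, and works over constructed PID snapshots rather than live enumerations; the two-sample rule it applies handles the obvious failure mode, processes that start or exit between enumerations and would otherwise show up as false positives.

```python
# Added example, not part of the McAfee description: a cross-view check for
# hidden processes over constructed PID snapshots. The "high view" is what the
# user-visible tools report (Task Manager, a process-enumeration API); the
# "low view" is a second, independent enumeration (for instance a PID probe
# or a kernel object walk). A PID is reported as hidden only when it appears
# in every low-view sample and in no high-view sample, which filters out
# ordinary process churn between the two enumerations.
from typing import Iterable, List, Set


def _as_sets(view: Iterable[Set[int]], label: str) -> List[Set[int]]:
    samples = [set(s) for s in view]
    if not samples:
        raise ValueError("need at least one %s sample" % label)
    return samples


def hidden_pids(high_view: Iterable[Set[int]],
                low_view: Iterable[Set[int]]) -> Set[int]:
    """PIDs persistently present in the low view yet never seen in the high view."""
    high_samples = _as_sets(high_view, "high-view")
    low_samples = _as_sets(low_view, "low-view")
    seen_by_high = set().union(*high_samples)
    persistent_low = set.intersection(*low_samples)
    return persistent_low - seen_by_high


def transient_pids(low_view: Iterable[Set[int]]) -> Set[int]:
    """PIDs that came or went between low-view samples: churn, not concealment."""
    low_samples = _as_sets(low_view, "low-view")
    return set().union(*low_samples) - set.intersection(*low_samples)


# Constructed snapshots: PID 1700 is never shown by the high view but is
# always present in the low view; 2000 started and 3100 exited between samples.
HIGH_VIEW = [
    {4, 560, 1234},
    {4, 560, 1234, 2000},
]
LOW_VIEW = [
    {4, 560, 1234, 1700, 2000, 3100},
    {4, 560, 1234, 1700},
]


if __name__ == "__main__":
    print("hidden:   ", sorted(hidden_pids(HIGH_VIEW, LOW_VIEW)))
    print("transient:", sorted(transient_pids(LOW_VIEW)))
```

A single pair of snapshots would have flagged PID 3100 as well, since it was present in the low view and absent from the high view purely because it exited in between; requiring persistence across samples removes that noise without hiding a process that is being concealed continuously.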
Method of Infection
Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, email, etc.
These rootkit programs may also be dropped by other trojans, viruses and worms.
Removal
All Users:
Please use the following instructions for all supported versions of Windows to remove threats and other potential risks:
1. Please go to the Microsoft Recovery Console and restore a clean MBR.
   On Windows XP:
   - Insert the Windows XP CD into the CD-ROM drive and restart the computer.
   - When the "Welcome to Setup" screen appears, press R to start the Recovery Console.
   - Select the Windows installation that is compromised and provide the administrator password.
   - Issue the 'fixmbr' command to restore the Master Boot Record.
   - Follow the onscreen instructions.
   - Reset and remove the CD from the CD-ROM drive.
   On Windows Vista and 7:
   - Insert the Windows CD into the CD-ROM drive and restart the computer.
   - Click on "Repair Your Computer".
   - When the System Recovery Options dialog comes up, choose the Command Prompt.
   - Issue the 'bootrec /fixmbr' command to restore the Master Boot Record.
   - Follow the onscreen instructions.
   - Reset and remove the CD from the CD-ROM drive.
2. Update to current engine and DAT files for detection and removal.
3. Run a complete system scan.
Modifications made to the system Registry and/or INI files for the purposes of hooking system startup will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).
Variants
N/A