W32/Wuke.sys

Type: Virus
SubType: Rootkit
Discovery Date: 12/12/2006
Length: 8704 bytes
Minimum DAT: 4917 (12/12/2006)
Updated DAT: 4924 (12/21/2006)
Minimum Engine: 5.1.00
Description Added: 12/12/2006
Description Modified: 12/12/2006 2:32 AM (PT)

Risk Assessment
Corporate User: Low
Home User: Low

Characteristics

The W32/Wuke@MM worm creates a Win32 service for the rootkit it drops to ensure the rootkit remains persistent after a system reboot.

The following registry key is created:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SysDrver

With the following values:

DisplayName = System SSDP Services
ImagePath = %WINDIR%\System32\[filename].sys


Where %WINDIR% is typically c:\windows or c:\winnt, and where [filename] is a randomly generated 8-character name.


Once installed, W32/Wuke.sys hides the running process of the W32/Wuke@MM worm. Malicious activities occur whilst this process is hidden.
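As an added defender-side example (not part of the McAfee description), the following PowerShell enumerates the Services hive for the persistence artifacts described above: the SysDrver key, the "System SSDP Services" display name, and a kernel driver loaded from the System32 root under a random 8-character name. The 8-character filename pattern is a heuristic built from the page's wording, not a published signature, and may need local tuning.

```powershell
# Added example, not McAfee's code: read-only hunt for the W32/Wuke.sys
# persistence artifacts in the Services hive. Run from an elevated prompt.
# Indicators taken from the page: service key "SysDrver", DisplayName
# "System SSDP Services", ImagePath %WINDIR%\System32\<8 random chars>.sys.
$servicesRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$findings = New-Object System.Collections.Generic.List[object]

# 1. The exact service key named on the page.
$knownKey = Join-Path $servicesRoot 'SysDrver'
if (Test-Path -LiteralPath $knownKey) {
    $findings.Add([pscustomobject]@{
        Service = 'SysDrver'; Reason = 'Service key named on the page is present'
        ImagePath = (Get-ItemProperty -LiteralPath $knownKey).ImagePath })
}

# 2. The filename is random, so match its shape (heuristic assumption): a kernel
#    driver (Type = 1) loaded from the System32 root, not System32\drivers, whose
#    name is exactly 8 alphanumeric characters plus .sys; also flag any service
#    reusing the rootkit's DisplayName.
$shape = '(?i)(^|\\)system32\\[a-z0-9]{8}\.sys$'
Get-ChildItem -LiteralPath $servicesRoot -ErrorAction SilentlyContinue | ForEach-Object {
    $p = Get-ItemProperty -LiteralPath $_.PSPath -ErrorAction SilentlyContinue
    if (-not $p) { return }
    # Expand %WINDIR%-style paths so the regex sees the real location.
    $img = [Environment]::ExpandEnvironmentVariables([string]$p.ImagePath).Trim('"')
    $reasons = @()
    if ([string]$p.DisplayName -eq 'System SSDP Services') {
        $reasons += 'DisplayName matches the rootkit service'
    }
    if ($p.Type -eq 1 -and $img -match $shape) {
        $reasons += 'Kernel driver with random-looking 8-char name in System32 root'
    }
    if ($reasons.Count -gt 0) {
        $findings.Add([pscustomobject]@{
            Service = $_.PSChildName; Reason = ($reasons -join '; '); ImagePath = $img })
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No W32/Wuke.sys persistence indicators found in the Services hive.'
} else {
    $findings | Format-Table -AutoSize
}
```

Because the rootkit hides the worm's process, a hit here should be confirmed from an offline or clean-boot scan rather than from the running system's own process list.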

Symptoms

Unexpected activities, such as network traffic, hard disk activity and registry changes that cannot be attributed to a currently running process.

Method of Infection

Infection occurs when the W32/Wuke@MM worm is executed.

Please see the W32/Wuke@MM worm description for more information.

Removal

AVERT recommends always using the latest DATs and engine. This threat will be cleaned if you have this combination.

Additional Windows ME/XP removal considerations

Variants

N/A

Overview

W32/Wuke.sys is a rootkit dropped and used by the W32/Wuke@MM worm. The rootkit is used to hide the malware’s running process whilst it performs other malicious tasks.

This rootkit is detected as New Rootkit when scanning using a McAfee product that has "program heuristics" enabled. This detection has been present since the 4547 DATs.
