Generic Rootkit.d!rootkit

Type: Trojan
SubType:
Discovery Date: 05/07/2007
Length: Varies
Minimum DAT: 5025 (05/07/2007)
Updated DAT: 5655 (06/23/2009)
Minimum Engine: 5.2.00
Description Added: 05/07/2007
Description Modified: 03/25/2009 1:27 AM (PT)

Risk Assessment
Corporate User: Low
Home User: Low

Characteristics

This is a generic detection for the API hooks created by several rootkit variants, such as Generic Rootkit.d.

Rootkits are programs (device drivers) that can be used with any malware to hide, or stealth, files, processes, registry keys and network connections. They also make the malware harder to detect or remove. This is one of the generic detections for this class of malicious program.

New trojans are frequently added to this detection, so users are recommended to use the latest engine/DAT combination for optimal detection.

Exact details (filenames, Registry keys, file size) will vary between variants.

The following functions are commonly hooked to hide files and registry entries:

  • IofCallDriver
  • IofCompleteRequest
  • NtFlushInstructionCache
  • NtEnumerateKey
  • NtQueryValueKey
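The functions listed above are hidden by redirecting the kernel's own entry points: a service-table entry is pointed into the rootkit driver, or the first bytes of the function are overwritten with a jump. The script below is an added example, not McAfee's code or part of this description, that models the two checks anti-rootkit tools use to spot this: every service-table entry should resolve into the kernel image, and a legitimate function prologue should not begin with a trampoline. All module names, addresses and byte sequences are constructed sample data, not real Windows values.

```python
"""Added example: hook checks over a constructed service table and module map.

Two defender-side checks are modelled:
  1. Service-table redirection: an entry whose address falls outside the
     kernel image (here "ntoskrnl.exe") is reported with its actual owner.
  2. Inline patching: a function prologue that starts with a jmp/push-ret
     trampoline is reported with the pattern matched.
Every address, module and byte string below is CONSTRUCTED for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Module:
    """A loaded kernel module: [base, base + size) address range."""
    name: str
    base: int
    size: int

    def contains(self, addr: int) -> bool:
        return self.base <= addr < self.base + self.size


# On a clean system the Nt* services and Iof* routines resolve into the kernel image.
EXPECTED_OWNER = "ntoskrnl.exe"

# Constructed module map (hypothetical addresses).
MODULES: List[Module] = [
    Module("ntoskrnl.exe", 0x80400000, 0x00200000),
    Module("hal.dll",      0x80600000, 0x00020000),
    Module("unknown.sys",  0xF8A00000, 0x00004000),  # hypothetical unsigned driver
]

# Constructed snapshot of the live table; names are the advisory's hooked functions.
SERVICE_TABLE: Dict[str, int] = {
    "NtFlushInstructionCache": 0x80412340,
    "NtEnumerateKey":          0xF8A01100,  # redirected into unknown.sys
    "NtQueryValueKey":         0xF8A01240,  # redirected into unknown.sys
    "IofCallDriver":           0x8041A000,
    "IofCompleteRequest":      0x8041A100,
}


def resolve_module(addr: int, modules: List[Module]) -> Optional[Module]:
    """Return the module whose range covers addr, or None if unmapped."""
    for m in modules:
        if m.contains(addr):
            return m
    return None


def find_hooked_entries(table: Dict[str, int], modules: List[Module],
                        expected_owner: str = EXPECTED_OWNER
                        ) -> List[Tuple[str, int, Optional[str]]]:
    """(name, address, owner-or-None) for every entry not owned by the kernel image."""
    findings = []
    for name, addr in sorted(table.items()):
        owner = resolve_module(addr, modules)
        if owner is None or owner.name != expected_owner:
            findings.append((name, addr, owner.name if owner else None))
    return findings


def looks_inline_hooked(prologue: bytes) -> Optional[str]:
    """Name the trampoline pattern at the start of a function, or None if absent.

    x86 encodings checked: E9 rel32 (jmp), 68 imm32 / C3 (push; ret), FF 25 (jmp [abs]).
    """
    if len(prologue) >= 5 and prologue[0] == 0xE9:
        return "jmp rel32"
    if len(prologue) >= 6 and prologue[0] == 0x68 and prologue[5] == 0xC3:
        return "push imm32; ret"
    if len(prologue) >= 6 and prologue[0] == 0xFF and prologue[1] == 0x25:
        return "jmp [abs]"
    return None


def report(table: Dict[str, int], modules: List[Module],
           prologues: Dict[str, bytes]) -> List[str]:
    """Human-readable lines combining both checks."""
    lines = []
    for name, addr, owner in find_hooked_entries(table, modules):
        lines.append(f"{name}: entry 0x{addr:08X} resolves to {owner or '<unmapped>'}")
    for name, prologue in sorted(prologues.items()):
        pattern = looks_inline_hooked(prologue)
        if pattern:
            lines.append(f"{name}: prologue patched with {pattern}")
    return lines


if __name__ == "__main__":
    # Constructed prologues: a normal "mov edi,edi; push ebp; mov ebp,esp" and a jmp trampoline.
    sample_prologues = {
        "IofCallDriver":       bytes.fromhex("8bff558bec"),
        "IofCompleteRequest":  bytes.fromhex("e900f05e78"),
    }
    for line in report(SERVICE_TABLE, MODULES, sample_prologues):
        print(line)
```

The two checks are complementary: table redirection leaves the original function intact but never reached, while inline patching leaves the table intact but rewrites the function's first instructions, so a scanner that only does one of them misses the other technique.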

Symptoms

Unfortunately, the whole purpose of rootkit programs is to hide the symptoms of malicious activity. They can potentially hide running processes, files, registry keys, network activity etc. A specific rootkit variant may not be "perfect", in the sense that it may leave some symptoms (files, registry entries, processes, network activity) unhidden, and these can then be accounted for.

General symptoms of a Generic RootKit.d!Rootkit detection can include:

  • Reduced system performance while Task Manager shows no process with high utilization
  • Increased disk space usage without visible files to account for it

Method of Infection

Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, email, etc.

These rootkit programs may also be dropped by other trojans, viruses and worms.

Removal

AVERT recommends always using the latest DATs and engine. This threat will be cleaned with that combination.

Additional Windows ME/XP removal considerations

Variants

    N/A
