HideVault

Type: Program
SubType: Rootkit
Discovery Date: 08/27/2007
Minimum DAT: 5107 (08/28/2007)
Updated DAT: 5408 (10/17/2008)
Minimum Engine: 5.1.00
Description Added: 08/27/2007
Description Modified: 08/27/2007 8:49 PM (PT)

Characteristics

This is a detection for a risky implementation of fingerprint software that is usually bundled with Sony's MicroVault USB drives of the USM-F and USM-FL series. When launched, the application drops a device driver and attaches it to the top of the \FileSystem\NTFS device stack, where it hides files on disk by filtering file I/O requests. Malicious programs could potentially exploit this by placing their own files in the software's hidden directory under %windir%\[blocked], where the driver would conceal them as well.

Upon execution it creates the following files in the %temp%\[filename]\ directory, where [filename] is taken from the name of the launched executable (by default "FG.exe"):

  • InitLnk.Txt
  • KillProc.Txt
  • MatchLnk.Txt
  • SaveReg.Txt

The device driver responsible for cloaking is added as %sysdir%\drivers\FG.SYS.

In addition to the files listed above, the following text files are also created in the directory from which the executable is launched (assuming the executable is named FG.exe):

  • FG._DIR
  • FG._IGP
  • FG._IGR

Registry Added

  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B4811AA1-D7B4-11D1-880E-0080C86B2B7F}\InProcServer32\: 
    "%temp%\FG\FGMENUCBD4.DLL"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\FGMenu\: "{B4811AA1-D7B4-11D1-880E-0080C86B2B7F}"
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\FG\
    Type: 0x00000001
    Start: 0x00000001
    ErrorControl: 0x00000001
    ImagePath: "\??\C:\WINDOWS\SYSTEM32\DRIVERS\FG.SYS"
    DisplayName: "FG"
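The file and registry artefacts listed above are what an analyst would check for on a host suspected of carrying the cloaking driver. The following script is an added example, not McAfee's detection logic or part of the original description: it matches those indicators against a constructed registry export (.reg format) and a constructed directory listing, the kind of artefacts collected from a suspect machine for offline review. The sample data, the helper names and the indicator labels are all assumptions made for the example; the paths and registry keys themselves come from the description.

```python
"""Offline indicator check for the HideVault (FG.SYS) file-cloaking driver.

Added example, not McAfee's detection logic. It matches the registry keys and
file names listed in the description against a constructed .reg export and a
constructed directory listing, so it runs with no access to a live system.
"""
import re

# Indicators taken from the description above.
HIDEVAULT_CLSID = "{B4811AA1-D7B4-11D1-880E-0080C86B2B7F}"
REGISTRY_INDICATORS = {
    "clsid_inprocserver": re.compile(
        r"^HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\" + re.escape(HIDEVAULT_CLSID)
        + r"\\InProcServer32$", re.IGNORECASE),
    "folder_context_menu": re.compile(
        r"^HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Folder\\shellex\\ContextMenuHandlers\\FGMenu$",
        re.IGNORECASE),
    "driver_service": re.compile(
        r"^HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\FG$", re.IGNORECASE),
}
# The driver itself, the per-run text files in %temp%, and the files written
# next to the launched executable.
FILE_INDICATORS = re.compile(
    r"(\\drivers\\FG\.SYS$|\\(InitLnk|KillProc|MatchLnk|SaveReg)\.Txt$|\\FG\._(DIR|IGP|IGR)$)",
    re.IGNORECASE)


def parse_reg_export(text):
    """Parse a minimal .reg export into {key_path: {value_name: data}}.
    Handles the quoted-string and dword: forms used in the sample; '@' is
    the key's default value."""
    keys = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and "=" in line:
            name, _, data = line.partition("=")
            name = "@" if name == "@" else name.strip('"')
            if data.startswith("dword:"):
                data = int(data[len("dword:"):], 16)
            else:
                # .reg files double every backslash inside string data.
                data = data.strip('"').replace("\\\\", "\\")
            keys[current][name] = data
    return keys


def find_hidevault_indicators(reg_text, file_listing):
    """Return a sorted list of indicator labels found in the supplied artefacts."""
    hits = set()
    for path, values in parse_reg_export(reg_text).items():
        for label, pattern in REGISTRY_INDICATORS.items():
            if pattern.match(path):
                hits.add(label)
        # A kernel driver service (Type 1) whose image is FG.SYS is the cloaking
        # driver even if the service was registered under another name.
        image = str(values.get("ImagePath", ""))
        if image.upper().endswith("\\FG.SYS") and values.get("Type") == 1:
            hits.add("fg_sys_kernel_driver")
    for path in file_listing:
        if FILE_INDICATORS.search(path):
            hits.add("file:" + path.rsplit("\\", 1)[-1].lower())
    return sorted(hits)


# Constructed sample artefacts (assumptions for this example, not real captures).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B4811AA1-D7B4-11D1-880E-0080C86B2B7F}\InProcServer32]
@="C:\\DOCUME~1\\USER\\LOCALS~1\\Temp\\FG\\FGMENUCBD4.DLL"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\FGMenu]
@="{B4811AA1-D7B4-11D1-880E-0080C86B2B7F}"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\FG]
"Type"=dword:00000001
"Start"=dword:00000001
"ErrorControl"=dword:00000001
"ImagePath"="\\??\\C:\\WINDOWS\\SYSTEM32\\DRIVERS\\FG.SYS"
"DisplayName"="FG"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Beep]
"Type"=dword:00000001
"Start"=dword:00000001
"ImagePath"="\\SystemRoot\\System32\\drivers\\beep.sys"
'''

SAMPLE_FILES = [
    r"C:\WINDOWS\system32\drivers\FG.SYS",
    r"C:\WINDOWS\system32\drivers\ntfs.sys",
    r"C:\DOCUME~1\USER\LOCALS~1\Temp\FG\InitLnk.Txt",
    r"C:\DOCUME~1\USER\LOCALS~1\Temp\FG\KillProc.Txt",
    r"E:\FG._DIR",
    r"E:\FG.exe",
]

if __name__ == "__main__":
    for hit in find_hidevault_indicators(SAMPLE_REG, SAMPLE_FILES):
        print("indicator found:", hit)
```

The check runs against exported artefacts rather than the live file system on purpose: once the driver is attached above NTFS, directory listings taken on the infected host may omit the hidden files, so a listing captured from offline media, or the registry hive read outside the running system, is the more trustworthy input. The legitimate Beep service in the sample shows that the generic kernel-driver rule keys on the FG.SYS image name, not on every Type 1 service.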

Removal

All Users:

Please use the following instructions for all supported versions of Windows to remove threats and other potential risks:

1. Disable System Restore (Windows ME/XP only).

2. Update to current engine and DAT files for detection and removal.

3. Run a complete system scan.

Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be successfully removed when cleaning with the recommended engine and DAT combination (or higher).

General repair may be unsuccessful in some instances. If this occurs, please submit a sample for further evaluation.

Aliases

    N/A