W32/Lurka.a.sys
- Type: Virus
- SubType: Win32
- Discovery Date: 11/15/2007
- Length:
- Minimum DAT: 5164 (11/15/2007)
- Updated DAT: 5164 (11/15/2007)
- Minimum Engine: 5.1.00
- Description Added: 11/15/2007
- Description Modified: 11/29/2007 4:04 AM (PT)
Overview
W32/Lurka.a.sys is a PE file infector in the form of a kernel device driver with rootkit capabilities.
Characteristics
As soon as it is loaded, W32/Lurka.a.sys will set the autorun keys that it requires to survive reboot. Specifically, it will create the following registry key:
\Registry\Machine\SYSTEM\CurrentControlSet\OpenGL
and will fill it with all the values needed to create a valid service that will be named:
"Boot bus Extender"
Once the system gets rebooted, the malware will hook the system service descriptor table. Specifically, the following three functions will be hooked in the SSDT:
- ZwCreateSection
- ZwQueryDirectoryFile
- ZwEnumerateKey
The placed hooks are used by the malware to infect PE executables and to hide itself and its payload. The malware also spreads using autorun techniques, creating a pure infector (autorun.exe) and an autorun.inf file in the root of every available drive.

In addition to this, W32/Lurka.a.sys will drop another component:
%system folder%\smartdrv.exe
This file is a backdoor and is already detected as Backdoor-CEP.svr by McAfee.
Please note that files infected by W32/Lurka.a.sys are already detected as W32/Lurka.a and are cleaned properly.
Symptoms
- McAfee Rootkit Detective reporting hidden items
- Windows File Protection prompting about system file modification
- unusual system slowness
- presence of autorun.inf and autorun.exe in the system's root folder
- presence of smartdrv.exe in the system's folder
- unusual network activity related to the backdoor component
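The following PowerShell triage script is an added example and is not part of the McAfee description. It checks a Windows host for the host-based indicators given in the Characteristics and Symptoms sections: the persistence key (the page's \Registry\Machine\SYSTEM\CurrentControlSet\OpenGL corresponds to HKLM:\SYSTEM\CurrentControlSet\OpenGL in PowerShell), the "Boot bus Extender" service, the dropped smartdrv.exe, and autorun.inf/autorun.exe at drive roots. The function name, parameter names and output layout are this example's own, and it assumes an elevated session so that HKLM and every drive root are readable.

```powershell
# Added triage script (not part of the McAfee description): read-only check of
# a Windows host for the W32/Lurka.a.sys indicators listed on the page.
# Assumption: runs elevated so HKLM and drive roots are readable. The function
# and parameter names below are this example's own, not McAfee's.

function Test-LurkaIndicators {
    [CmdletBinding()]
    param(
        # Page value \Registry\Machine\SYSTEM\CurrentControlSet\OpenGL, in
        # PowerShell's HKLM: provider form.
        [string]$PersistenceKey = 'HKLM:\SYSTEM\CurrentControlSet\OpenGL',
        [string]$ServiceDisplayName = 'Boot bus Extender',
        [string]$DroppedFile = (Join-Path $env:SystemRoot 'System32\smartdrv.exe')
    )

    $findings = @()

    # 1. Persistence: the service-style key the driver creates to survive reboot.
    if (Test-Path -LiteralPath $PersistenceKey) {
        $props = Get-ItemProperty -LiteralPath $PersistenceKey
        $findings += [pscustomobject]@{
            Indicator = 'Registry key present'
            Detail    = "$PersistenceKey (ImagePath: $($props.ImagePath))"
        }
    }

    # 2. Service Control Manager view: a service with the page's display name.
    # Checked separately from the direct key read because the ZwEnumerateKey
    # hook can hide the key from registry enumeration.
    Get-Service -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -eq $ServiceDisplayName } |
        ForEach-Object {
            $findings += [pscustomobject]@{
                Indicator = 'Service registered'
                Detail    = "$($_.Name) ($($_.DisplayName)) status $($_.Status)"
            }
        }

    # 3. Dropped backdoor component in the system folder.
    if (Test-Path -LiteralPath $DroppedFile) {
        $findings += [pscustomobject]@{
            Indicator = 'Dropped file present'
            Detail    = $DroppedFile
        }
    }

    # 4. Autorun spreading artefacts in the root of every filesystem drive.
    foreach ($drive in Get-PSDrive -PSProvider FileSystem) {
        foreach ($name in 'autorun.inf', 'autorun.exe') {
            $path = Join-Path $drive.Root $name
            if (Test-Path -LiteralPath $path) {
                $findings += [pscustomobject]@{
                    Indicator = 'Autorun artefact'
                    Detail    = $path
                }
            }
        }
    }

    return $findings
}

# Wrapped in @() so an empty result still has a .Count of 0.
$hits = @(Test-LurkaIndicators)
if ($hits.Count -eq 0) {
    Write-Output 'No W32/Lurka.a.sys indicators found.'
} else {
    $hits | Format-Table -AutoSize
}
```

A negative result from a live, infected system is not conclusive: the ZwQueryDirectoryFile and ZwEnumerateKey hooks described above are exactly what makes Test-Path and Get-ItemProperty return nothing for hidden files and keys. Treat a clean run as one data point, and confirm with a rootkit-aware tool (the Symptoms list names McAfee Rootkit Detective) or by scanning the disk offline.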
Method of Infection
The execution of a file infected by W32/Lurka.a will start the malicious behaviour by loading W32/Lurka.a.sys.
Removal
AVERT recommends always using the latest DATs and engine; this threat will be cleaned if you have that combination.
Variants
N/A