NTRootKit-AB

Type: Trojan
SubType: Malware Tool
Discovery Date: 04/22/2008
Length:
Minimum DAT: 5279 (04/22/2008)
Updated DAT: 5384 (09/15/2008)
Minimum Engine: 5.2.00
Description Added: 04/22/2008
Description Modified: 02/16/2009 8:47 AM (PT)

Risk Assessment
Corporate User: Low
Home User: Low

Overview

NTRootkit-AB is a .SYS file that installs as a device driver and attempts to terminate anti-virus processes.

The rootkit is primarily dropped by the W32/Sality.ae parasitic file infector.

The VIL description of W32/Sality.ae is here:

http://vil.nai.com/vil/content/v_144417.htm


Characteristics

Installs as a device driver.

Random filename (*.sys) dropped into c:\windows\system32\drivers\

Pretends to be WMI- or IP-filtering-related in its device driver description.

Deletes itself after successfully loading.
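The traits listed above (a running kernel driver whose .sys image has been removed from the drivers directory, and a driver description that claims a WMI or IP-filtering role) can be checked for from an administrative PowerShell prompt. The script below is an added, defender-side example and is not part of the VIL entry or any McAfee tool; the keyword list and the "not Microsoft-signed" heuristic are assumptions drawn from the entry's wording, not a known indicator set, and every hit needs manual triage because third-party drivers are routinely signed by vendors other than Microsoft.

```powershell
# Added example (not from the VIL entry): enumerate installed kernel drivers via
# Win32_SystemDriver and flag those matching the traits described in this entry.
# Assumption: keywords below approximate the "WMI or IP filtering" description.

function Resolve-DriverImagePath {
    param([string]$PathName)
    if ([string]::IsNullOrWhiteSpace($PathName)) { return $null }
    $p = $PathName.Trim('"')
    # Kernel image paths appear as \??\C:\..., \SystemRoot\..., or system32\... (no drive)
    $p = $p -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot', $env:SystemRoot
    $p = $p -replace '^system32\\', "$env:SystemRoot\system32\"
    return $p
}

function Get-SuspiciousDriver {
    param([string[]]$Keywords = @('WMI', 'IP filter', 'IPFilter'))  # assumed keyword list

    Get-CimInstance -ClassName Win32_SystemDriver | ForEach-Object {
        $drv     = $_
        $path    = Resolve-DriverImagePath $drv.PathName
        $reasons = @()

        # Trait: driver is loaded/running but its .sys file is gone (self-deleting driver)
        if ($drv.State -eq 'Running' -and $path -and -not (Test-Path -LiteralPath $path)) {
            $reasons += 'running but image file missing from disk'
        }

        # Trait: description claims a WMI / IP-filtering role; check who actually signed it
        $desc = "$($drv.DisplayName) $($drv.Description)"
        $hit  = $Keywords | Where-Object { $desc -match [regex]::Escape($_) }
        if ($hit -and $path -and (Test-Path -LiteralPath $path)) {
            $sig = Get-AuthenticodeSignature -FilePath $path
            if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notmatch 'Microsoft') {
                $reasons += 'WMI/IP-filter description but image is not Microsoft-signed'
            }
        }

        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Name        = $drv.Name
                Description = $drv.Description
                State       = $drv.State
                StartMode   = $drv.StartMode
                Image       = $path
                Reasons     = ($reasons -join '; ')
            }
        }
    }
}

Get-SuspiciousDriver | Format-Table -AutoSize
```

Run it elevated so that signature checks can read every image in system32\drivers. A driver reported as "running but image file missing" is worth preserving evidence for before cleaning (the loaded image remains in kernel memory and the service entry in the registry), since the on-disk file is exactly what this family removes.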

Symptoms

AV software terminates and cannot be restarted. Attacks many leading AV solutions, including those from:

McAfee

Microsoft

Kaspersky

BitDefender

F-Secure

Method of Infection

Dropped by W32/Sality.ae.

Removal

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be successfully removed when cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Variants

N/A