MachineDog.dr

Type: Virus
SubType: Rootkit
Discovery Date: 07/09/2008
Length:
Minimum DAT: 5337 (07/11/2008)
Updated DAT: 5337 (07/11/2008)
Minimum Engine: 5.1.00
Description Added: 07/10/2008
Description Modified: 07/10/2008 3:44 PM (PT)
Risk Assessment
Corporate User: Low
Home User: Low

Characteristics

Upon execution the virus drops and installs a device driver named "pcihdd.sys" in the %system%\drivers directory.

Once the driver is installed, the "pcihdd.sys" file is deleted from disk and the driver remains resident only in memory. The user-mode application then communicates with the device driver to infect the "userinit.exe" file on disk. The infected file is detected as "MachineDog!inf".

Since the virus overwrites the file, any file detected as "MachineDog!inf" will have to be restored from backup.

Symptoms

Outbound network connection to yu.8s7.net

Method of Infection

This virus uses a kernel-mode device driver to infect "userinit.exe" through a direct write operation on Harddisk0, bypassing the file system.
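Because the driver file is deleted after it loads, the durable host artifacts are the driver still present in the kernel module list, the overwritten userinit.exe, and the outbound connection named under Symptoms. The triage script below is an added example, not part of the McAfee write-up; it assumes three inputs collected from the host (loaded driver names, proxy/DNS log lines, and the bytes of %system%\userinit.exe to hash against a known-good baseline), with constructed sample data standing in for that collection.

```python
import hashlib
import re
from typing import Iterable, List

# Indicators taken from the write-up above.
DRIVER_NAME = "pcihdd.sys"
C2_HOST = "yu.8s7.net"

# CONSTRUCTED sample data standing in for host collection.
LOADED_DRIVERS = ["ntoskrnl.exe", "hal.dll", "ACPI.sys", "pcihdd.sys", "ndis.sys"]
NETWORK_LOG = [
    "2008-07-09 10:01:12 DNS query host=workstation1 name=windowsupdate.microsoft.com",
    "2008-07-09 10:02:45 DNS query host=workstation1 name=yu.8s7.net",
    "2008-07-09 10:02:46 TCP connect src=workstation1 dst=yu.8s7.net:80",
]
# PLACEHOLDER baseline: a real value is the SHA-256 of userinit.exe taken from a
# known-good system or gold image of the same Windows build.
KNOWN_GOOD_USERINIT_SHA256 = "0" * 64


def driver_loaded(drivers: Iterable[str], name: str = DRIVER_NAME) -> bool:
    """True if the rootkit driver is present in the in-memory module list
    (a file-system scan will miss it because the .sys file is deleted)."""
    return any(d.lower() == name.lower() for d in drivers)


def c2_log_hits(lines: Iterable[str], host: str = C2_HOST) -> List[str]:
    """Return log lines that reference the C2 host or one of its subdomains,
    without matching look-alike names such as xyu.8s7.net or yu.8s7.net.example.com."""
    pattern = re.compile(r"(?<![\w-])" + re.escape(host) + r"(?![\w.-])", re.I)
    return [line for line in lines if pattern.search(line)]


def userinit_modified(file_bytes: bytes, baseline: str = KNOWN_GOOD_USERINIT_SHA256) -> bool:
    """True if the on-disk userinit.exe no longer matches the known-good hash."""
    return hashlib.sha256(file_bytes).hexdigest() != baseline.lower()


def triage(drivers: Iterable[str], log_lines: Iterable[str], userinit_bytes: bytes) -> List[str]:
    """Combine the three checks into a list of findings for the analyst."""
    findings = []
    if driver_loaded(drivers):
        findings.append("kernel driver %s loaded; file is deleted from disk after load" % DRIVER_NAME)
    hits = c2_log_hits(log_lines)
    if hits:
        findings.append("%d log line(s) referencing %s" % (len(hits), C2_HOST))
    if userinit_modified(userinit_bytes):
        findings.append("userinit.exe hash differs from baseline; restore from backup")
    return findings
```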

Removal

AVERT recommends always using the latest DATs and engine; with that combination this threat will be cleaned.

Additional Windows ME/XP removal considerations

Variants

    N/A

All Information

Overview

This is a detection for a file-infector virus that uses a kernel-mode driver to infect the "%system%\userinit.exe" file on disk.