PER UTENTI

Chiudi

La mia libreria
La mia libreria

+ Aggiungi alla libreria

Ricerca
Ricerca

Supporto
Supporto 24/7 | Regole per contattare

Scrivi

Una richiesta attraverso il modulo

Chiama

+7 (495) 789-45-86

Forum

Richieste

Crea nuova richiesta

Chiama

+7 (495) 789-45-86

Profile

IT

RU CN DE EN ES FR IT JP KZ UZ PL BY
Chiudi
Servizi
Scanner
Dr.Web vxCube
Versione di prova
Perizia di incidenti informatici legati ai virus
Libreria dei virus
Base di conoscenza

Tecnologie

Termini

Formazione ed informazione

Falsi miti

Notizie

Win32.Ntldrbot

(TR/Dropper.Gen, TROJ_AGENT.ABDX, Malware-Cryptor.Win32.General.3, W32/Virut.Z, Trojan-Downloader.Win32.Agent.ddl, Virus.Win32.Rustock.a, Win32.Klest.A.Gen, Virus:Win32/Cekar.H, Downloader.Agent.RXM, Trojan-Downloader.Win32.Agent.mqf, Trojan.Agent.ABRR, Win32.Ntldrbot.A, Backdoor.Rustock.NDL, TrojanDropper:Win32/Rustock, Generic.dx, RTKT_AGENT.APAT, W32/Downloader.AL, TROJ_GEN.0Z0213S, Trojan.Generic.47662, Spamtool.Win32.Rustock.C, TROJ_Generic.DIS)

Aggiunto al database dei virus Dr.Web: 2008-05-06

La descrizione è stata aggiunta:

News on Win32.Ntldrbot
Article on Win32.Ntldrbot

Virus Type: Malware, which spreads spam

Affected OS: Win NT-based

Size: 158K up to 424K

Technical Information

  • Sophisticated polymorphic self-protection of the rootkit makes its extraction and analysis extremely difficult.

  • Implemented as a driver, it runs on the lowest kernel level.

  • Has a self-protect function, prevents runtime changes.

  • Uses active anti-debugging techniques: monitors setting hardware breakpoints (DR-registers), disrupts operation of the kernel-level debuggers (e.g. Syser, SoftIce). WinDbg debugger won’t work, if the rootkit is running.

  • Intercepts the following system functions using non-standard method, such as:

    NtCreateThread
    NtDelayExecution
    NtDuplicateObject
    NtOpenThread
    NtProtectVirtualMemory
    NtQuerySystemInformation
    NtReadVirtualMemory
    NtResumeThread
    NtTerminateProcess
    NtTerminateThread
    NtWriteVirtualMemory

  • Functions as a file-virus and infects system drivers.

    • A particular sample of the rootkit becomes adjusted to the hardware of an infected machine and most likely won’t run on another computer.

  • Utilizes time-triggered re-infection feature. An old infected file is cured. So the rootkit «wonders» through system drivers infecting only one at a time.

  • Filters calls to an infected file, intercepts FSD-procedures of a file system driver and redirects a call to the original file instead of the infected one.

  • Features anti-rootkit protection.

  • Injects its library (DLL) to one of the Windows system processes, so the library starts spamming. A driver is connected to the DLL using a special command transfer mechanism.

System recovery recommendations

1. Disconnect your computer from local network and Internet.
2. Download Dr.Web CureIt! from known-pure computer which has an access to Internet.
3. Scan affected computer with Dr.Web CureIt!. Do action "Cure" for infected objects.