Friday, August 5, 2011


Rootkit

A rootkit is a software system that consists of one or more programs designed to obscure the fact that a system has been compromised. Contrary to what its name may imply, a rootkit does not grant a user administrator privileges; it requires prior privileged access in order to execute and to tamper with system files and processes. An attacker may use a rootkit to replace vital system executables, which may then be used to hide the processes and files the attacker has installed, along with the presence of the rootkit itself. Access to the hardware, e.g., the reset switch, is rarely required, as a rootkit is intended to seize control of the operating system. Typically, rootkits obscure their presence by subverting or evading the operating system's standard security scanning and monitoring mechanisms, such as anti-virus or anti-spyware scans. Often they are Trojans as well, fooling users into believing they are safe to run. Techniques used to accomplish this include concealing running processes from monitoring programs, or hiding files or system data from the operating system. Rootkits may also install a "back door" in a system by replacing the login mechanism (such as /bin/login) with an executable that accepts a secret login combination, which in turn allows an attacker to access the system regardless of any changes to the actual accounts on the system.

Rootkit.TDSS

Rootkit.TDSS is a rogue rootkit application with a backdoor component that permits an attacker to gain unauthorized remote access. Rootkit.TDSS conceals its presence on the user's computer, which prevents security software and applications from detecting it. Rootkit.TDSS is a serious threat that could result in identity theft and financial loss.


How To Remove Rootkit.TDSS


STEP 1 : USE WINDOWS TASK MANAGER TO REMOVE ROOTKIT.TDSS PROCESSES
End the following "Rootkit.TDSS" processes:
RkLYLyoM.exe
podmena.exe
file.exe
~.exe
7-v3av.exe
csrssc.exe
72631899.exe
1776260179.exe
ucxmykkc.exe

STEP 2 : USE WINDOWS COMMAND PROMPT TO UNREGISTER ROOTKIT.TDSS DLL FILES
Search for and unregister the following "Rootkit.TDSS" DLL files:
UACyylfjdaa.dll
TDSSnrsr.dll
tdssserf.dll
TDSSriqp.dll
TDSSciou.dll
TDSSoexh.dll

STEP 3 : DETECT AND DELETE OTHER ROOTKIT.TDSS FILES
Delete the following "Rootkit.TDSS" files:
UACyylfjdaa.dll
TDSSnrsr.dll
TDSSmaxt.sys
tdssserf.dll
TDSSriqp.dll
TDSSciou.dll
TDSSoexh.dll
tdidrv2.sys
RkLYLyoM.exe
podmena.exe
tdssserv.sys
file.exe
~.exe
7-v3av.exe
csrssc.exe
72631899.exe
1776260179.exe
ucxmykkc.exe

Rootkit.Win32.Agent.gpe


The purpose of this trojan is to hide processes and files; it is known to be distributed with various W32/Sdbot.worm variants.


Win32.Agent.P Aliases

Trojan.Win32.Rootkit.l (Kaspersky Lab), NTRootKit-J (McAfee), TROJ_ROOTKIT.E (Trend), Trojan.Cachecachekit (Symantec), BackDoor.IRC.Sdbot.55 (Doctor Web), Troj/Rootkit-X (Sophos), TROJ_ROOTKIT.E (Trend Micro), TR/Rootkit.L (H+BEDV), Trojan.Rootkit.L (SOFTWIN), Trojan.Rootkit.C (ClamAV), Hacktool/Rootkit.L (Panda), Win32/Rootkit.I (Eset), Win32.Efewe.E (CA)


How To Remove Win32.Agent.P

REMOVE PROCESS FILES
Remove the Rootkit.Win32.Agent.p process files:
%system%\rdriv.sys

REMOVE REGISTRY ENTRIES
Remove the Rootkit.Win32.Agent.gpe registry entries:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\rdriv]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_RDRIV]


Rootkit.Win32.Agent.gpe

Rootkit.Win32.Agent.gpe is a rogue rootkit application with a backdoor component that permits an attacker to gain unauthorized remote access. Rootkit.Win32.Agent.gpe conceals its presence on the user's computer, which prevents security software and applications from detecting it. This rootkit is a serious threat that could result in identity theft and financial loss.

How To Remove Win32.Agent.gpe

REMOVE PROCESS FILES
Remove the Rootkit.Win32.Agent.gpe process files:
UACyylfjdaa.dll
Tsenekaddipwvik.sys
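The removal steps for Rootkit.TDSS, Win32.Agent.P and Win32.Agent.gpe above all come down to the same checks: is one of the listed images running, is one of the listed files on disk, is a listed driver registered as a service, and do the listed registry keys exist. The following script is an added example, not part of the original post, that performs those checks read-only and reports what it finds without deleting anything. The process, file, driver and registry names are the ones listed in the steps above; the function names, the $Indicators table and the directories searched are this example's own assumptions (the post only gives %system% as a location, for rdriv.sys).

```powershell
# Added example: read-only audit for the indicators named in the removal steps.
# Reports matches; deletes nothing. Run from an elevated (Administrator) prompt.
# Indicator names come from the post; functions, the table and the search
# directories are this example's own assumptions.

$Indicators = @{
    # STEP 1 image names without the .exe extension, because
    # Get-Process -Name matches on the bare process name.
    Processes    = @('RkLYLyoM', 'podmena', 'file', '~', '7-v3av', 'csrssc',
                     '72631899', '1776260179', 'ucxmykkc')
    # Every file name listed for Rootkit.TDSS, Win32.Agent.P and Win32.Agent.gpe.
    Files        = @('UACyylfjdaa.dll', 'TDSSnrsr.dll', 'TDSSmaxt.sys', 'tdssserf.dll',
                     'TDSSriqp.dll', 'TDSSciou.dll', 'TDSSoexh.dll', 'tdidrv2.sys',
                     'tdssserv.sys', 'rdriv.sys', 'Tsenekaddipwvik.sys',
                     'RkLYLyoM.exe', 'podmena.exe', 'file.exe', '~.exe', '7-v3av.exe',
                     'csrssc.exe', '72631899.exe', '1776260179.exe', 'ucxmykkc.exe')
    # Registry keys from the Win32.Agent.P steps, in HKLM: provider syntax.
    RegistryKeys = @('HKLM:\SYSTEM\CurrentControlSet\Services\rdriv',
                     'HKLM:\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_RDRIV')
}

# Assumed search locations; the post only names %system% (for rdriv.sys).
$SearchDirs = @("$env:SystemRoot\System32",
                "$env:SystemRoot\System32\drivers",
                "$env:SystemRoot",
                "$env:TEMP")

function Find-IndicatorProcess {
    foreach ($name in $Indicators.Processes) {
        Get-Process -Name $name -ErrorAction SilentlyContinue |
            Select-Object Id, ProcessName, Path
    }
}

function Find-IndicatorFile {
    foreach ($dir in $SearchDirs) {
        Get-ChildItem -Path $dir -File -Force -ErrorAction SilentlyContinue |
            Where-Object { $Indicators.Files -contains $_.Name } |
            ForEach-Object {
                # An unsigned binary under System32 is a stronger signal than the name alone.
                $sig = Get-AuthenticodeSignature -FilePath $_.FullName -ErrorAction SilentlyContinue
                [pscustomobject]@{
                    Path      = $_.FullName
                    Size      = $_.Length
                    Modified  = $_.LastWriteTime
                    Signature = if ($sig) { $sig.Status } else { 'Unknown' }
                }
            }
    }
}

function Find-IndicatorDriver {
    # Kernel drivers (the .sys files above) load through a service entry, so also
    # look for any registered driver whose image path ends in one of those names.
    $driverNames = $Indicators.Files | Where-Object { $_ -like '*.sys' }
    Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object {
            $path = $_.PathName
            $path -and ($driverNames | Where-Object { $path -like "*\$_" })
        } |
        Select-Object Name, State, StartMode, PathName
}

function Find-IndicatorRegistryKey {
    foreach ($key in $Indicators.RegistryKeys) {
        if (Test-Path -Path $key) {
            $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Key       = $key
                ImagePath = $props.ImagePath
                Start     = $props.Start
            }
        }
    }
}

function Invoke-RootkitIndicatorAudit {
    $report = [ordered]@{
        Processes    = @(Find-IndicatorProcess)
        Files        = @(Find-IndicatorFile)
        Drivers      = @(Find-IndicatorDriver)
        RegistryKeys = @(Find-IndicatorRegistryKey)
    }
    $hits = 0
    foreach ($section in $report.Keys) { $hits += $report[$section].Count }
    $report['TotalHits'] = $hits
    [pscustomobject]$report
}

Invoke-RootkitIndicatorAudit | Format-List
```

Two caveats follow directly from the definition at the top of the post. First, a rootkit that is active hides processes, files and registry keys from exactly the APIs this script uses, so zero hits on a live system is not evidence that the system is clean; the same checks are far more reliable when run against the disk and registry hives from trusted boot media, or by a scanner that cross-checks raw disk and hive reads against what the running OS reports. Second, names such as file.exe or ~.exe are weak indicators on their own, so treat a hit as a reason to examine the signature, path and timestamps reported, not as proof by itself.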


Agent.NAG

Agent.NAG can be used to hide files, Windows Registry entries or processes, either its own or those of other programs, so that even when a user looks for these items on the computer, they will not be able to see them.

