VirusTotal
http://www.virustotal.com/analisis/ffd0 ... 1270913371
SSDT hooking provides hiding/protection of the rootkit's registry keys. Hooks IRP handlers of the ntfs.sys driver (IRP_MJ_CREATE, IRP_MJ_DIRECTORY_CONTROL) to hide its files and counteract removal.
Rootkit Unhooker v3.8 report
RkU Version: 3.8 (b020410.388.590), Type LE (SR2)
==============================================
OS Name: Windows XP
Version 5.1.2600 (Service Pack 3)
Number of processors #1
==============================================
>SSDT State
==============================================
ntoskrnl.exe-->NtClose, Type: Address change 0x805678DD-->F4B048A0 [C:\WINDOWS\system32\drivers\win32x.sys]
ntoskrnl.exe-->NtCreateKey, Type: Address change 0x8057065D-->F4B04740 [C:\WINDOWS\system32\drivers\win32x.sys]
ntoskrnl.exe-->NtEnumerateKey, Type: Address change 0x80570D64-->F4B04550 [C:\WINDOWS\system32\drivers\win32x.sys]
ntoskrnl.exe-->NtOpenKey, Type: Address change 0x80568D59-->F4B04650 [C:\WINDOWS\system32\drivers\win32x.sys]
==============================================
>Drivers
==============================================
0x81CB41E0 unknown_irp_handler 3616 bytes
0x81CBB440 unknown_irp_handler 3008 bytes
==============================================
>Files
==============================================
!-->[Hidden] C:\WINDOWS\system32\dllcache\userinit.exe
!-->[Hidden] C:\WINDOWS\system32\drivers\win32x.sys
!-->[Hidden] C:\WINDOWS\system32\userinit.exe
!-->[Hidden] C:\WINDOWS\system32\win32x.exe
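As an added example (not part of the original post and not code from the Rootkit Unhooker tool), here is a small Python parser that reads the >SSDT State, >Drivers and >Files sections of an RkU report and turns them into defender-oriented findings: SSDT services redirected into a module other than the image that owns them, the registry-key service hooks (NtCreateKey/NtOpenKey/NtEnumerateKey) that implement key hiding, a hooking driver that also appears in the hidden-file list, and IRP handlers RkU could not attribute to a loaded driver. The embedded report text is copied from the report above; the finding names and the REGISTRY_SERVICES set are my own assumptions.

```python
import ntpath
import re
from collections import defaultdict

# Sample input: the three report sections from the post above, embedded so the
# script runs offline. Raw string because of the single-backslash Windows paths.
SAMPLE_REPORT = r"""
>SSDT State
==============================================
ntoskrnl.exe-->NtClose, Type: Address change 0x805678DD-->F4B048A0 [C:\WINDOWS\system32\drivers\win32x.sys]
ntoskrnl.exe-->NtCreateKey, Type: Address change 0x8057065D-->F4B04740 [C:\WINDOWS\system32\drivers\win32x.sys]
ntoskrnl.exe-->NtEnumerateKey, Type: Address change 0x80570D64-->F4B04550 [C:\WINDOWS\system32\drivers\win32x.sys]
ntoskrnl.exe-->NtOpenKey, Type: Address change 0x80568D59-->F4B04650 [C:\WINDOWS\system32\drivers\win32x.sys]
==============================================
>Drivers
==============================================
0x81CB41E0 unknown_irp_handler 3616 bytes
0x81CBB440 unknown_irp_handler 3008 bytes
==============================================
>Files
==============================================
!-->[Hidden] C:\WINDOWS\system32\dllcache\userinit.exe
!-->[Hidden] C:\WINDOWS\system32\drivers\win32x.sys
!-->[Hidden] C:\WINDOWS\system32\userinit.exe
!-->[Hidden] C:\WINDOWS\system32\win32x.exe
"""

# Line formats as RkU prints them (matched against the lines above).
SSDT_RE = re.compile(
    r"^(?P<image>\S+)-->(?P<service>\w+), Type: Address change "
    r"(?P<orig>0x[0-9A-Fa-f]+)-->(?P<new>[0-9A-Fa-f]+) \[(?P<module>[^\]]+)\]$"
)
DRIVER_RE = re.compile(r"^(?P<addr>0x[0-9A-Fa-f]+) (?P<name>\S+) (?P<size>\d+) bytes$")
HIDDEN_RE = re.compile(r"^!-->\[Hidden\] (?P<path>.+)$")

# Assumption: the registry services whose hooking together lets a driver hide keys.
REGISTRY_SERVICES = {"NtCreateKey", "NtOpenKey", "NtEnumerateKey"}


def parse_rku_report(text):
    """Walk the '>Section' blocks and parse the SSDT, driver and hidden-file lines."""
    report = {"ssdt": [], "drivers": [], "hidden_files": []}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("="):
            continue                      # blank line or '=====' separator
        if line.startswith(">"):
            section = line[1:].strip()    # '>SSDT State' -> 'SSDT State'
            continue
        if section == "SSDT State":
            m = SSDT_RE.match(line)
            if m:
                d = m.groupdict()
                d["orig"], d["new"] = int(d["orig"], 16), int(d["new"], 16)
                report["ssdt"].append(d)
        elif section == "Drivers":
            m = DRIVER_RE.match(line)
            if m:
                d = m.groupdict()
                d["size"] = int(d["size"])
                report["drivers"].append(d)
        elif section == "Files":
            m = HIDDEN_RE.match(line)
            if m:
                report["hidden_files"].append(m.group("path"))
    return report


def analyse(report):
    """Turn the parsed report into a list of findings a responder can act on."""
    findings = []
    # 1. SSDT entries whose new target lives in a module other than the owning image.
    hooks_by_module = defaultdict(list)
    for h in report["ssdt"]:
        if ntpath.basename(h["module"]).lower() != h["image"].lower():
            hooks_by_module[h["module"]].append(h["service"])
    for module, services in hooks_by_module.items():
        findings.append({"kind": "ssdt_hook", "module": module, "services": sorted(services)})
        reg = REGISTRY_SERVICES & set(services)
        if reg:  # the key-hiding pattern: registry services redirected to one driver
            findings.append({"kind": "registry_hiding", "module": module, "services": sorted(reg)})
    # 2. A hooking driver that is itself hidden on disk: the driver protects its own file.
    hidden = {p.lower() for p in report["hidden_files"]}
    for module in hooks_by_module:
        if module.lower() in hidden:
            findings.append({"kind": "self_hiding_driver", "module": module})
    # 3. IRP handlers RkU could not map to a loaded driver image.
    for d in report["drivers"]:
        if d["name"] == "unknown_irp_handler":
            findings.append({"kind": "unknown_irp_handler", "addr": d["addr"], "size": d["size"]})
    return findings


if __name__ == "__main__":
    for f in analyse(parse_rku_report(SAMPLE_REPORT)):
        print(f)
```

The module-versus-owning-image check is the useful part: a legitimate SSDT entry for ntoskrnl.exe points back into ntoskrnl.exe, so any other module name is worth a look, and the cross-reference with the hidden-file list ties the hook to the driver that hides it.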
Attachments
pass: malware
(44.23 KiB) Downloaded 236 times
Ring0 - the source of inspiration