Rootkit:W32/Xanti.gen!A
First posted on 05 March 2010.
Aliases:
There are no other names known for Rootkit:W32/Xanti.gen!A.
Explanation:
A program or set of programs which hides itself by subverting or evading the computer's security mechanisms, then allows remote users to secretly control the computer's operating system.
Additional Details
Rootkit:W32/Xanti.gen!A is a Generic Detection that identifies malware attempting to create a device file on the computer named \Device\Beep.
About Generic Detections
Unlike signature or single-file detections, a Generic Detection does not identify a unique or individual malicious program. Instead, a Generic Detection looks for broadly applicable code or behavior characteristics that identify a file as potentially malicious, so that a single Generic Detection can efficiently identify dozens, or even hundreds, of malware samples.
Installation
If the malware manages to run, it will create the following files:
- \SystemRoot\system32\cru629.dat
- \SystemRoot\cru629.dat
- \SystemRoot\system32\braviax.exe
- \SystemRoot\braviax.exe
The malware may also drop additional malicious programs onto the system:
- cru629.dat - Detected by Backdoor.Win32.Small.cbo, Trojan.Agent.AIER
- braviax.exe - Detected by Trojan-Clicker.Win32.Delf.akw, Trojan.Crypt.EQ
When one of the following processes is executed:
- winlogon.exe
- svchost.exe
- smss.exe
- csrss.exe
the malware will create the following launch points in the Windows Registry:
- HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows
  Appinit_dlls = "cru629.dat"
- HKLM\Software\Microsoft\Windows\CurrentVersion\Run
  braviax = "braviax.exe"
It also places a hook on NtQuerySystemInformation.
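As an added example (not part of the F-Secure description), the following Python triage function checks a host snapshot for the installation artifacts listed above: the four dropped files, the AppInit_DLLs value carrying cru629.dat, and the Run value launching braviax.exe. The snapshot inputs (a file listing and a registry dump, constructed inline here) are assumptions; on a live host they would come from a directory listing and an export of the two registry keys.

```python
import ntpath
import re

# Indicators taken from the description above (SystemRoot-relative paths).
DROPPED_FILES = {
    r"\SystemRoot\system32\cru629.dat",
    r"\SystemRoot\cru629.dat",
    r"\SystemRoot\system32\braviax.exe",
    r"\SystemRoot\braviax.exe",
}
APPINIT_KEY = r"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows"
RUN_KEY = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"


def normalize_path(path, system_root=r"C:\Windows"):
    """Map an absolute path to the lower-cased \SystemRoot-relative form."""
    p = path.replace("/", "\\")
    if p.lower().startswith(system_root.lower() + "\\"):
        p = r"\SystemRoot" + p[len(system_root):]
    return p.lower()


def triage(file_listing, registry_values, system_root=r"C:\Windows"):
    """Return findings for a snapshot: a list of file paths present on disk
    and a dict {registry key: {value name: data}} for the two launch-point keys."""
    findings = []
    wanted = {p.lower() for p in DROPPED_FILES}
    for path in file_listing:
        if normalize_path(path, system_root) in wanted:
            findings.append(("file", path))
    # AppInit_DLLs may hold several entries separated by spaces, commas or
    # semicolons, so match on the file name of each token, not by substring.
    appinit = registry_values.get(APPINIT_KEY, {}).get("AppInit_DLLs", "")
    tokens = [t for t in re.split(r"[\s,;]+", appinit) if t]
    if any(ntpath.basename(t).lower() == "cru629.dat" for t in tokens):
        findings.append(("registry", APPINIT_KEY, "AppInit_DLLs", appinit))
    # Run key: flag the value by its name or by the launched file name.
    for name, data in registry_values.get(RUN_KEY, {}).items():
        target = ntpath.basename(data.strip('"')).lower()
        if name.lower() == "braviax" or target == "braviax.exe":
            findings.append(("registry", RUN_KEY, name, data))
    return findings


# Constructed sample snapshot: two dropped files plus both launch points.
SAMPLE_FILES = [
    r"C:\Windows\system32\cru629.dat",
    r"C:\Windows\braviax.exe",
    r"C:\Windows\system32\notepad.exe",
]
SAMPLE_REGISTRY = {
    APPINIT_KEY: {"AppInit_DLLs": "cru629.dat"},
    RUN_KEY: {"braviax": "braviax.exe", "ctfmon": r"C:\Windows\system32\ctfmon.exe"},
}
```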
Activity
Once installed, the malware monitors the following processes/drivers and prevents them from running:
- spdt.sys
- gmer.sys
- taskmon.sys
- kernelw.sys
- wowfx.dll
- pctfw2.sys
- symtdi.sys
- symevent.sys
- fltmgr.sys
- bmbemuhl
- ip6fw.sys
- fmtr.sys
- sdhelper.dll
- wincom32.sys
- rdriv.sys
- mpfirewall.sys
- sandbox.sys
- filtnt.sys
- bc_tdi_f.sys
- bc_prt_f.sys
- bc_pat_f.sys
- bc_ngn.sys
- bc_ip_f.sys
- bc_hassh_f.sys
- bcftdi.sys
- bcfilter.sys
- watchdog.sys
- vsdatant.sys
- kmd.exe
- winavxx.exe
- bolenjx.exe
- bolenja.exe
- rootkit_detektive.exe
- autoruns.exe
- vundofix.exe
- trjscan.exe
- tpsrv.exe
- thguard.exe
- symwsc.exe
- superantispyware.exe
- spyblock.dll
- spbbcsvc.exe
- sndsrvc.exe
- sndmon.exe
- sdtrayapp.exe
- sbserv.exe
- pskmssvc.exe
- psimsvc.exe
- pshost.exe
- psctrls.exe
- pifsvc.exe
- pavsrv51.exe
- pavprsrv.exe
- lucoms~1.exe
- lsetup.exe
- ccsvchst.exe
- ccproxy.exe
- avengine.exe
- avciman.exe
- ashwebsv.exe
- ashserv.exe
- ashmaisv.exe
- apvxdwin.exe
- appsvc32.exe
- aluschedulersvc.exe
- gmer.exe
- killbox.exe
- avgupsvc.exe
- avgamsvr.exe
- avgw.exe
- avgcc.exe
- msmpeng.exe
- printer.exe
- svcntaux.exe
- swdsvc.exe
- avgas.exe
- symlcsvc.exe
- fwservice.exe
- prevxcsi.exe
- navilog
- navapsvc.exe
- globkill.exe
- dss.exe
- procmast.exe
- combo.exe
- defwatch.exe
- ccsetmgr.exe
- ccpwdsvc.exe
- sdfix.exe
- zcomservice.exe
- zcodec.exe
- zclient.exe
- spywaredetector.exe
- spybotsd.exe
- spybot.exe
- savscan.exe
- sandboxieserver.exe
- rtvscan.exe
- pboptions.exe
- pbcpl.exe
- pavfnsvr.exe
- overspy.exe
- overseer.exe
- op_mon.exe
- outpost.exe
- ofcdog.exe
- nvctrl.exe
- nsmdtr.exe
- nortonupdate.exe
- nod32ra.exe
- nod32krn.exe
- no32mon.exe
- nlsupervisorpro.exe
- njexplor.exe
- nisum.exe
- navw32.exe
- navstub.exe
- navapp.exe
- myvideodaily2.exe
- mwsoemon.exe
- msssrv.exe
- mcshield.exe
- malswep.exe
- malscr.exe
- magiclink.exe
- lsass32.exe
- lsasrv.exe
- livesrv.exe
- little_helper2.exe
- kpf4ss.exe
- klswd.exe
- klpf.exe
- kavsvc.exe
- kavss.exe
- kav.exe
- issvc.exe
- isnotify.exe
- ismini.exe
- inetupd.exe
- icmon.exe
- iao.exe
- hwpe2.exe
- hitvirus.exe
- hijackthis
- hbtoeaddon.exe
- hackmon.exe
- gcasserv.exe
- gcasdtserv.exe
- fsm32.exe
- fsbl.exe
- fsav32.exe
- fatbuster.exe
- farsighter.exe
- f-stopw.exe
- f-sched.exe
- eyetidecontroller.exe
- dsentry.exe
- cureit.exe
- crypserv.exe
- cpf.exe
- cpd.exe
- comboxfix.exe
- combofix
- ccpxysvc.exe
- ccimscan.exe
- ccevtmgr.exe
- ccapp.exe
- cavtray.exe
- cavrid.exe
- bdss.exe
- bdmcon.exe
- avz.exe
- avsched32.exe
- avpm.exe
- avp.exe
- avpcc.exe
- avgemc.exe
- avgagent.exe

Last update 05 March 2010