
VirTool:WinNT/Ghodow.B


First posted on 10 May 2010.
Source: SecurityHome

Aliases :

VirTool:WinNT/Ghodow.B is also known as Rkit/Agent.behj (Avira), Win32/Bvatik.A (CA), Trojan.Siggen1.10141 (Dr.Web), Win32/Dalixi.A (ESET), Rootkit.Win32.Agent.behj (Kaspersky), RootKit.Win32.Mnless.bpg (Rising AV).

Explanation :

VirTool:WinNT/Ghodow.B is a component of Win32/Ghodow. It modifies the master boot record (MBR) of the local hard drive, and writes malware code as raw disk sectors from sector 02 through sector 57. VirTool:WinNT/Ghodow.B also writes a clean copy of the MBR in sector 01.

Installation :

VirTool:WinNT/Ghodow.B is installed by Trojan:Win32/Ghodow.A, and may be present with other Win32/Ghodow components as the following:

  • %ProgramFiles%\msdn\atixx.sys - detected as VirTool:WinNT/Ghodow.A
  • %ProgramFiles%\msdn\atixi.sys - detected as VirTool:WinNT/Ghodow.B
  • %ProgramFiles%\msdn\000000000 - detected as TrojanDownloader:Win32/Ghodow.A

Payload :

Modifies MBR

VirTool:WinNT/Ghodow.B modifies the hard disk's MBR (Master Boot Record), and writes its main driver, loader instructions and injection code as raw disk sectors from sector 02 through sector 57. The trojan component also writes a clean copy of the MBR in sector 01.

Additional information :

VirTool:WinNT/Ghodow.A uses a low-level operation for disk writing, which is unlikely to work on a SCSI type hard disk. Trojan:Win32/Ghodow.A only attempts to affect Windows XP systems. For more information about Trojan:Win32/Ghodow.A, see the description elsewhere in the encyclopedia.
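The on-disk layout described above (modified MBR in sector 0, a clean MBR copy in sector 1, code in sectors 02 through 57) can be checked for on a raw disk image. The following Python script is an added example written for this page, not code from the analysis or from any vendor tool; it builds two constructed 64-sector sample images (one clean, one mimicking the described layout) and reports which indicators fire, on the assumption that the sectors between the MBR and the first partition at LBA 63 are normally zero-filled on XP-era disks.

```python
import struct

SECTOR = 512
BOOT_SIG = b"\x55\xaa"
# Sector range the write-up says Ghodow.B fills with its code (sector 02 through 57)
CODE_SECTORS = range(2, 58)

def sector(image: bytes, n: int) -> bytes:
    return image[n * SECTOR:(n + 1) * SECTOR]

def has_boot_signature(sec: bytes) -> bool:
    return len(sec) == SECTOR and sec[510:512] == BOOT_SIG

def analyze_image(image: bytes) -> dict:
    """Heuristics for the on-disk layout described in the Ghodow.B write-up."""
    mbr = sector(image, 0)
    s1 = sector(image, 1)
    findings = {
        "mbr_signature_missing": not has_boot_signature(mbr),
        # A full MBR (boot signature plus the same partition table as sector 0)
        # sitting in sector 1 matches the 'clean copy of the MBR in sector 01'.
        "sector1_has_mbr_copy": has_boot_signature(s1) and s1[446:510] == mbr[446:510],
        # Assumption: on XP-era disks the sectors between the MBR and the first
        # partition (LBA 63) are zero-filled, so any data in 2..57 is worth a look.
        "code_in_sectors_2_57": any(sector(image, n).strip(b"\x00") for n in CODE_SECTORS),
    }
    findings["suspicious"] = findings["sector1_has_mbr_copy"] or findings["code_in_sectors_2_57"]
    return findings

def build_mbr(boot_code: bytes) -> bytes:
    # Constructed MBR: boot code, one active NTFS entry starting at LBA 63, 0x55AA.
    entry = struct.pack("<BBBBBBBBII", 0x80, 1, 1, 0, 0x07, 0xFE, 0xFF, 0xFF, 63, 2097152)
    return boot_code.ljust(446, b"\x00") + entry + b"\x00" * 48 + BOOT_SIG

def make_clean_image(sectors: int = 64) -> bytes:
    # Constructed clean disk: real MBR in sector 0, everything up to LBA 63 zero.
    return build_mbr(b"CLEAN-BOOT-CODE") + b"\x00" * SECTOR * (sectors - 1)

def make_infected_image(sectors: int = 64) -> bytes:
    # Constructed sample mimicking the described layout: modified MBR in sector 0,
    # clean MBR copy in sector 1, filler bytes standing in for code in sectors 2..57.
    modified = build_mbr(b"MODIFIED-BOOT-CODE")
    clean = build_mbr(b"CLEAN-BOOT-CODE")
    filler = b"\x90" * SECTOR * len(CODE_SECTORS)
    return modified + clean + filler + b"\x00" * SECTOR * (sectors - 58)

if __name__ == "__main__":
    for name, img in (("clean", make_clean_image()), ("sample", make_infected_image())):
        print(name, analyze_image(img))
```

To run it against a real acquisition, pass the first 64 sectors of the raw image (for example the bytes read from a forensic image file) to analyze_image.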

    Analysis by Chun Feng

    Last update 10 May 2010
