
Backdoor:WinNT/Rustock.C


First posted on 04 February 2009.
Source: SecurityHome

Aliases:

Backdoor:WinNT/Rustock.C is also known as Win-Trojan/Costrat.58368.N (AhnLab), Mal/TibsPak (Sophos), Backdoor.Rustock (Symantec).

Explanation:

Backdoor:WinNT/Rustock.C is a generic detection for a driver component of Win32/Rustock. Win32/Rustock is a family of rootkit-enabled backdoor trojans that have historically been used to send large volumes of spam from infected computers. More recently, Rustock variants have been associated with Rogue Security applications.

Symptoms
There are no common symptoms associated with this threat. Alert notifications from installed antivirus software may be the only symptom(s).


Installation
This trojan commonly consists of three components embedded within a single binary: the dropper (which runs in user mode), the driver's installer, and the actual rootkit driver (both of which run in kernel mode). The rootkit driver is dropped into the '<system folder>\drivers' folder and installed as a service. The driver file is commonly named lzx32.sys or xpdx.sys and is loaded as a service by modifying the registry, as in the following example:

  Adds value: "ImagePath"
  With data: "%SystemRoot%\System32\drivers\lzx32.sys"
  Adds value: "Type"
  With data: "1"
  Adds value: "Start"
  With data: "1"
  Adds value: "ErrorControl"
  With data: "1"
  To subkey: HKLM\SYSTEM\CurrentControlSet\Services\lzx32

Payload
Hides Components
This rootkit driver hooks system functions to further hide itself and the other components of the rootkit from detection. Please see the Win32/Rustock family entry for more details.
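As an added example (not part of the original entry), the following PowerShell function checks a host for the service-installation pattern described under Installation and uses the hiding behaviour described under Payload as a second signal: it enumerates kernel-driver services whose ImagePath names lzx32.sys or xpdx.sys and reports whether the registered file is actually visible on disk. The function name and the path-normalisation rules are our own; the filenames and registry values come from the entry.

```powershell
# Added example: list driver services whose ImagePath names one of the
# Rustock.C driver filenames given in the entry, with the Type/Start values
# the entry lists and a file-visibility check. Function name is our own.
function Find-RustockLikeDriverService {
    param(
        # Driver filenames quoted in the entry; extend as needed.
        [string[]]$SuspectNames = @('lzx32.sys', 'xpdx.sys')
    )
    $servicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'
    Get-ChildItem -Path $servicesKey -ErrorAction SilentlyContinue | ForEach-Object {
        $props = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
        if (-not $props.ImagePath) { return }   # skip services without a binary

        # Normalise the path: strip quotes and NT prefixes, expand %SystemRoot%.
        $path = ($props.ImagePath -replace '"', '').Trim()
        $path = $path -replace '^\\\?\?\\', ''                        # \??\C:\...
        $path = $path -replace '^\\SystemRoot\\', "$env:SystemRoot\"  # \SystemRoot\...
        $path = [Environment]::ExpandEnvironmentVariables($path)
        if (-not [System.IO.Path]::IsPathRooted($path)) {
            # Bare 'System32\drivers\x.sys' is relative to the Windows directory.
            $path = Join-Path $env:SystemRoot $path
        }

        $leaf = [System.IO.Path]::GetFileName($path)
        if ($SuspectNames -notcontains $leaf) { return }  # -contains is case-insensitive

        [pscustomobject]@{
            Service           = $_.PSChildName
            ImagePath         = $props.ImagePath
            # Entry lists Type 1 (kernel driver), Start 1 (system start), ErrorControl 1.
            KernelDriver      = ($props.Type -eq 1)
            SystemStart       = ($props.Start -eq 1)
            ErrorControl      = $props.ErrorControl
            # The driver hooks system functions to hide its files, so a registered
            # driver whose file cannot be seen from user mode is itself a signal.
            FileVisibleOnDisk = Test-Path -LiteralPath $path
        }
    }
}

# Run from an elevated prompt; no output means no matching service was found.
Find-RustockLikeDriverService | Format-Table -AutoSize
```

A hit with FileVisibleOnDisk set to False is consistent with the hiding behaviour described above and is worth confirming from offline media, since the live system's view of the filesystem may be filtered by the rootkit.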

Analysis by Hong Jia

Last update 04 February 2009
