
VirTool:Win32/Rootkit.BV


First posted on 12 January 2010.
Source: SecurityHome

Aliases :

There are no other names known for VirTool:Win32/Rootkit.BV.

Explanation :

VirTool:Win32/Rootkit.BV is a kernel mode trojan that masks its presence on an affected computer by blocking registry and file access to itself. The trojan may report its installation to a remote server and download and execute arbitrary files.

Installation

VirTool:Win32/Rootkit.BV may be installed by other malware such as TrojanDownloader:Win32/Bubnix.A. The trojan may be present as a randomly named file with a service of the same name, as in the following example:

file name: <%SystemRoot%>\System32\drivers\xjnjal.sys
service name: "xjnjal"

The trojan creates a device with a name of the form "\Device\<GUID string>", as in the following example:

\Device\{2914E018-A52C-9C7D-A1BA-606512FF990B}

VirTool:Win32/Rootkit.BV injects and runs malicious code in the process "services.exe" and periodically rewrites its file to prevent removal. It also uses rootkit methods to hide its file and registry entries.

Payload

Downloads and executes arbitrary files

VirTool:Win32/Rootkit.BV contacts a remote server to report its installation on the affected computer. The trojan attempts to download and execute arbitrary files from the IP address "96.0.203.82".
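The indicators above (a driver service hidden from registry enumeration, a \Device\{GUID} device object, and traffic from services.exe to 96.0.203.82) can be triaged with a cross-view comparison: what the service API on the running host reports versus what an offline copy of the SYSTEM hive contains, since the rootkit filters live access but cannot rewrite a hive parsed elsewhere. The Python script below is an added example, not code from this page or from the original analysis. The service, device and connection records are constructed for illustration; the offline-hive/live-API split, the process-ownership check on sockets and the way the records are collected are assumptions about a responder's workflow, not something the page documents.

```python
import re
from dataclasses import dataclass

# Indicators taken from the page: the C2 address and the \Device\{GUID} naming.
C2_IP = "96.0.203.82"
GUID_DEVICE_RE = re.compile(
    r"^\\Device\\\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}$", re.IGNORECASE
)
DRIVER_PATH_RE = re.compile(r"\\system32\\drivers\\([a-z0-9_]+)\.sys$", re.IGNORECASE)


@dataclass(frozen=True)
class Service:
    name: str
    image_path: str


@dataclass(frozen=True)
class Connection:
    process: str      # process that owns the socket
    remote_ip: str
    remote_port: int


def hidden_services(live, offline):
    """Cross-view diff. 'live' is what the service API on the running host
    reports; 'offline' is what a copy of the SYSTEM hive shows when parsed
    without the rootkit's filtering in the way. Entries present only in the
    offline view are being hidden at runtime."""
    live_names = {s.name.lower() for s in live}
    return [s for s in offline if s.name.lower() not in live_names]


def driver_stem(svc):
    """File stem if the service's image is a .sys under System32\\drivers,
    else None. The page's sample uses the same string for the service name
    and the file name, so the stem is the key for correlating the two."""
    m = DRIVER_PATH_RE.search(svc.image_path)
    return m.group(1).lower() if m else None


def guid_devices(device_names):
    """Device objects named \\Device\\{GUID}, the form the page documents;
    each hit is a candidate to map back to its owning driver object."""
    return [d for d in device_names if GUID_DEVICE_RE.match(d)]


def suspicious_connections(conns):
    """Sockets to the known C2 address, plus any non-loopback connection
    owned by services.exe: the page says the rootkit runs injected code in
    that process, and services.exe itself has no reason to reach remote hosts."""
    hits = []
    for c in conns:
        if c.remote_ip == C2_IP:
            hits.append((c, "known C2 address"))
        elif c.process.lower() == "services.exe" and not c.remote_ip.startswith("127."):
            hits.append((c, "services.exe outbound connection"))
    return hits


def triage(live, offline, devices, conns):
    """Combine the three checks into one report keyed by indicator type."""
    hidden = hidden_services(live, offline)
    return {
        "hidden_services": [s.name for s in hidden],
        "hidden_drivers": [driver_stem(s) for s in hidden if driver_stem(s)],
        "guid_devices": guid_devices(devices),
        "connections": [f"{c.process} -> {c.remote_ip}:{c.remote_port} ({why})"
                        for c, why in suspicious_connections(conns)],
    }


# Constructed sample data (not captured from a real host). The live view lacks
# the "xjnjal" service because the rootkit blocks registry access to it.
LIVE_SERVICES = [
    Service("Tcpip", r"\SystemRoot\System32\drivers\tcpip.sys"),
    Service("Disk", r"\SystemRoot\System32\drivers\disk.sys"),
]
OFFLINE_SERVICES = LIVE_SERVICES + [
    Service("xjnjal", r"\SystemRoot\System32\drivers\xjnjal.sys"),
]
DEVICES = [
    r"\Device\HarddiskVolume1",
    r"\Device\{2914E018-A52C-9C7D-A1BA-606512FF990B}",
    r"\Device\Tcp",
]
CONNECTIONS = [
    Connection("svchost.exe", "10.0.0.5", 443),
    Connection("services.exe", "127.0.0.1", 135),
    Connection("services.exe", "96.0.203.82", 80),
    Connection("services.exe", "203.0.113.9", 8080),
]

if __name__ == "__main__":
    for key, value in triage(LIVE_SERVICES, OFFLINE_SERVICES, DEVICES, CONNECTIONS).items():
        print(f"{key}: {value}")
```

The cross-view diff is the strong signal here: a service that exists in the hive but not in the live enumeration is hidden by something, whatever its name. The device-name and socket checks are corroboration, and the services.exe rule will also fire on benign loopback-only traffic if the loopback filter is removed, so keep it when adapting the script.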

Analysis by Shawn Wang

Last update 12 January 2010
