Trojan:WinNT/Waltrodock.A
First posted on 05 May 2012.
Source: Microsoft
Aliases:
Trojan:WinNT/Waltrodock.A is also known as W32/Rootkit.CUBP (Norman), Downloader.Darkmegi (Symantec), RTKIT_MDIEXP_QYUA (Trend Micro), CVE-2012-0003 (other).
Explanation:
Trojan:WinNT/Waltrodock.A is a rootkit component of the Win32/Waltrodock malware family.
Installation
Trojan:WinNT/Waltrodock.A is installed by TrojanDropper:Win32/Waltrodock.A and is present alongside other malware components as follows:
- %systemroot%\System32\drivers\com32.sys - Trojan:WinNT/Waltrodock.A
- %systemroot%\System32\com32.dll - Trojan:Win32/Waltrodock.A
Trojan:WinNT/Waltrodock.A runs as a service named "Com32".
Payload
Uses stealth
When executed, Trojan:WinNT/Waltrodock.A creates the following driver devices:
- \Devices\NpcDark
- \DosDevices\NpcDark
Whenever a process named "iexplore.exe" (Internet Explorer) is created, Trojan:WinNT/Waltrodock.A injects "com32.dll" into that process.
The rootkit prevents access to the following Win32/Waltrodock components by hooking "\FileSystem\FastFat" and "\FileSystem\NTFS":
- %systemroot%\System32\drivers\com32.sys - Trojan:WinNT/Waltrodock.A
- %systemroot%\System32\com32.dll - Trojan:Win32/Waltrodock.A
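The indicators above (the "Com32" service, the two dropped files and the NpcDark device) can be checked from an administrative PowerShell session. This is an added example, not code from the original page; it assumes the service is registered under HKLM\SYSTEM\CurrentControlSet\Services\Com32 and that the \DosDevices\NpcDark link is reachable from user mode as \\.\NpcDark.

```powershell
# Added example: check a Windows host for the Waltrodock indicators described above.
# Assumptions (not stated on the original page): the "Com32" service lives under
# HKLM\SYSTEM\CurrentControlSet\Services\Com32, and \DosDevices\NpcDark is
# reachable from user mode as \\.\NpcDark.
$findings = @()

# 1. Service "Com32": ask the Service Control Manager and read the registry key directly.
$svc = Get-Service -Name 'Com32' -ErrorAction SilentlyContinue
if ($svc) { $findings += "Service 'Com32' registered (status: $($svc.Status))" }
$svcKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Com32'
if (Test-Path -LiteralPath $svcKey) {
    $img = (Get-ItemProperty -LiteralPath $svcKey -ErrorAction SilentlyContinue).ImagePath
    $findings += "Registry key $svcKey present (ImagePath: $img)"
}

# 2. Dropped files. The rootkit hooks \FileSystem\FastFat and \FileSystem\NTFS to hide
#    these, so "not found" on a running, infected system is not conclusive; a service
#    entry whose files are not visible is itself a strong indicator.
$files = @("$env:SystemRoot\System32\drivers\com32.sys",
           "$env:SystemRoot\System32\com32.dll")
foreach ($f in $files) {
    if (Test-Path -LiteralPath $f) { $findings += "File visible: $f" }
}

# 3. Device object. Opening \\.\NpcDark succeeds, or fails with an access error, only
#    if the driver has created the device; a missing device raises a not-found error.
try {
    $h = [System.IO.File]::Open('\\.\NpcDark', [System.IO.FileMode]::Open,
                                [System.IO.FileAccess]::Read)
    $h.Dispose()
    $findings += 'Device \\.\NpcDark exists and opened successfully'
} catch [System.IO.FileNotFoundException], [System.IO.DirectoryNotFoundException] {
    # Device does not exist: nothing to report.
} catch {
    $findings += "Device \\.\NpcDark exists but could not be opened: $($_.Exception.Message)"
}

if ($findings.Count -eq 0) {
    'No Waltrodock indicators found.'
} else {
    'Waltrodock indicators:'
    $findings | ForEach-Object { " - $_" }
}
```

Because the rootkit hides its files from the running system, compare these results with an offline scan of the same disk (for example, from a clean boot environment) before concluding that the files are absent.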
Analysis by Vincent Tiu
Last update 05 May 2012