
Backdoor:WinNT/Rustock.H


First posted on 06 July 2009.
Source: SecurityHome

Aliases:

Backdoor:WinNT/Rustock.H is also known as Win-Trojan/Agent.30848.K (AhnLab), Rootkit.Win32.Agent.fgk (Kaspersky), W32/Rootkit.TTT (Norman), Mal/Generic-A (Sophos), Generic BackDoor (McAfee), and Hacktool.Rootkit (Symantec).

Explanation:

Backdoor:WinNT/Rustock.H is a component of Win32/Rustock - a multi-component family of rootkit-enabled backdoor trojans, which were historically developed to aid in the distribution of 'spam' e-mail. First discovered sometime in early 2006, Rustock has evolved to become a prevalent and pervasive threat. Recent variants appear to be associated with the incidence of rogue security programs.

Symptoms
There are no obvious symptoms that indicate the presence of this malware on an affected machine.


Installation
Backdoor:WinNT/Rustock.H is usually dropped by another Rustock component into the <system folder>\drivers folder under a randomly generated filename, for example zofgaziv.sys, yzsrx.sys, or toqztgpcbecdnx.sys. Note: <system folder> refers to a variable location that the malware determines by querying the operating system. The default System folder location is C:\Winnt\System32 on Windows 2000 and NT, and C:\Windows\System32 on XP and Vista.
The following registry modifications are made to load Backdoor:WinNT/Rustock.H:

HKLM\SYSTEM\CurrentControlSet\Services\<drivername>
ImagePath = \SystemRoot\System32\drivers\<drivername>
Type = 1
Start = 1
ErrorControl = 1
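As an added example (not part of the original entry or its source), the following Python script looks for service keys with the shape listed above in an exported copy of the Services hive rather than on the live system, since the rootkit hooks the APIs a live query would use and hides its own key. The export shown is constructed and simplified (plain string values only); Type 1 is a kernel driver and Start 1 is system start.

```python
import re
# Constructed, simplified .reg export of the Services key (string values only;
# real exports store ImagePath as hex(2)). First entry mimics the Rustock.H key.
SAMPLE_REG = r'''
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\zofgaziv]
"ImagePath"="\\SystemRoot\\System32\\drivers\\zofgaziv.sys"
"Type"=dword:00000001
"Start"=dword:00000001
"ErrorControl"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip]
"DisplayName"="TCP/IP Protocol Driver"
"ImagePath"="\\SystemRoot\\System32\\drivers\\tcpip.sys"
"Type"=dword:00000001
"Start"=dword:00000001
"ErrorControl"=dword:00000001
'''

KEY_RE = re.compile(r'^\[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\([^\\\]]+)\]$')
VAL_RE = re.compile(r'^"(\w+)"=(?:dword:([0-9a-fA-F]{8})|"(.*)")$')

def parse_services(reg_text):
    """Return {service_name: {value_name: int or str}} from the simplified dump."""
    services, current = {}, None
    for line in reg_text.splitlines():
        key = KEY_RE.match(line)
        if key:
            current = services.setdefault(key.group(1), {})
            continue
        val = VAL_RE.match(line)
        if val and current is not None:
            name, dword, text = val.groups()
            # .reg files double every backslash inside string values
            current[name] = int(dword, 16) if dword is not None else text.replace('\\\\', '\\')
    return services

def flag_suspicious_drivers(services):
    """Names of kernel drivers (Type=1) started at system start (Start=1) from the
    drivers folder with no DisplayName: the bare shape of the Rustock.H key."""
    hits = []
    for name, vals in services.items():
        image = vals.get('ImagePath', '')
        if (vals.get('Type') == 1 and vals.get('Start') == 1
                and '\\drivers\\' in image.lower() and 'DisplayName' not in vals):
            hits.append(name)
    return sorted(hits)

if __name__ == '__main__':
    print(flag_suspicious_drivers(parse_services(SAMPLE_REG)))  # ['zofgaziv']
```

Hits are leads, not verdicts: confirm each by checking whether the named .sys file is visible on disk from a clean boot and whether it carries a valid signature.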

Payload
Provides Stealth
Backdoor:WinNT/Rustock.H acts as a kernel-mode rootkit that hides Rustock-related files, registry keys, and TCP ports by hooking various APIs. For more information, please see the Win32/Rustock family entry elsewhere in our encyclopedia.

Analysis by Andrei Florin Saygo

Last update 06 July 2009

 
