March 30th, 2005
RaaF
Modding Member
Join Date: April 20th, 2001
Location: Netherlands
Posts: 1,002
Rootkit


Ever heard of that?

Until recently I didn't.
The story begins at my girlfriend's computer, where one of her kids received a mail from a friend with an attachment.
Avast antivirus immediately sounded the alarm bell and removed it, but the virus is present again at every startup.
It's called msdirectx.sys and is being placed in the username folder.

It spreads through mail, sending itself to every address in the address book.

Apparently it is a keylogger that phones home.

So far I found it prevents you from opening:
- Regedit
- Taskmanager
- Hijackthis

It had shut down ZoneAlarm and prevents it from a manual start, and it prevents an antivirus update.

There seem to be a few variations.
Some manual cleaning was described
here, but the variation I found had none of the described registry entries.

Further Googling brought me
here (there are some interesting links on that page).

Perhaps for the paranoids (peers) it is good to run:
F-Secure BlackLight
I certainly have these programs in my PC good health list from now on.

So far I haven't been able to kill the virus, but I'll have another go at it this coming weekend. I'll keep you updated.
The general gnutella forum in Dutch

Last edited by RaaF; March 30th, 2005 at 10:59 AM.