NEW rootkit still not detected


Guest

We found what seems to be a rootkit on a customer system which was Windows 2000 SP4.
It is a kernel-resident infector, as it installs itself as a hidden device driver operating at kernel level
to hide its directories and programs as well as network connections.

For our research we named it Win32/McSport-A.

Here are the notes we saved along with our own removal strategy, which is
not a clean way, but does work.

(The following notes are from our researcher who removed it)


HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_MCSPORT
This entry points to /winnt/system32/drivers/usb42prt.sys on Windows 2000.

$programs directory/Padgvox is hidden.
In that directory is a subdirectory called "Cache" which had 1,6 GB
of files which seemed to be sniffer logs.

Files in this directory:
AI_11-11-2005.log
AI_13-11-2005.log
AI_15-11-2005.log
AI_17-11-2005.log
WinGenerics.dll
data.bin
iesmpapi.exe
AI_12-11-2005.log
AI_14-11-2005.log
AI_16-11-2005.log
ace.dll
hidrfnet.exe

(If you boot into the recovery console from the Windows CD, you won't be able to
access it.)

On startup ntvdm.exe is launched and right after that iesmpapi.exe
and pmsledit.exe, which are hidden from the process list.
pmsledit was in /winnt/system32.

In Device Manager, even if hidden devices are made visible, the
device mcsport is hidden and could only be seen after all the launch programs
couldn't be started anymore.

Removal:

After messing around with some software trying to remove the rootkit,
I decided to get a Linux live CD (I used LinuxDefender Live as it has NTFS
write support) and delete the files from there. After doing that and rebooting
into Windows, strangely, the files appeared again, so I went back into Linux and
just shredded the files with the "shred" command. After booting into Windows
once again it couldn't launch anymore and I was able to view the hidden device,
deactivate and remove it.

I should also note that I disabled the USB controller as I suspected it may
have injected itself there somehow. I couldn't confirm that as I'm not much into
Windows low-level operations. Just thought I'd leave a note as it *may* be of use.
As I only have this one infected test system I could not verify it on other
computers.

All that still couldn't be removed was the registry entry. Updates may follow
on that.

Hope this helps the people that are infected till the AV vendors catch up on
this.
Nothing detected it: Panda Titanium AV 2006 and McAfee didn't detect it, nor
Microsoft AntiSpyware etc.
UnHackMe detected it as HackerDefender Rootkit but was unable to remove it,
so it might be a mutation.
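The post's key observation is that the driver hides from the Service Control Manager and Device Manager but still needs its registry keys (the LEGACY_MCSPORT enum entry and the driver image path) to load at boot. The following is an added example, not code from the poster or from any tool named above: a small cross-view check in Python that parses registry export text and compares the services registered there against the list a live enumeration reports, flagging any driver present in the registry but missing from the live view. The registry snippets and the "live view" list are constructed samples modelled on the post's notes; the service name `mcsport`, the `ImagePath` value and the key layout are assumptions for illustration, and a real export would contain many more entries.

```python
"""Cross-view check for drivers hidden from live enumeration.

Added example (not from the original post). Compares two views of the same
system: the registry view (Enum\\Root\\LEGACY_* keys and their Services
entries) and the live view (what a driver/service enumeration reports).
A driver that exists in the registry but not in the live view is a strong
hiding indicator. All inputs below are constructed sample data.
"""
import re
from typing import Dict, List, Set

# Constructed sample of a `reg export` of the Enum\Root key (assumption:
# a real export has many more LEGACY_* entries).
ENUM_ROOT_EXPORT = r"""
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_BEEP]
"Service"="Beep"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_MCSPORT]
"Service"="mcsport"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_NULL]
"Service"="Null"
"""

# Constructed sample of the Services key mapping each service to its image.
SERVICES_EXPORT = r"""
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Beep]
"ImagePath"="system32\\drivers\\beep.sys"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\mcsport]
"ImagePath"="system32\\drivers\\usb42prt.sys"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Null]
"ImagePath"="system32\\drivers\\null.sys"
"""

# Constructed "live" view, as a driver enumeration on the running system
# would report it. mcsport is absent because the rootkit filters it out.
LIVE_VIEW: List[str] = ["Beep", "Null"]


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse the bracketed sections of .reg export text into {key: {name: value}}."""
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections[current] = {}
        elif current is not None and "=" in line:
            name, value = line.split("=", 1)
            # .reg string values are quoted and escape backslashes as "\\"
            value = value.strip().strip('"').replace("\\\\", "\\")
            sections[current][name.strip().strip('"')] = value
    return sections


def legacy_services(enum_export: str) -> Set[str]:
    """Service names referenced by Enum\\Root\\LEGACY_* keys (boot-time evidence)."""
    names: Set[str] = set()
    for key, values in parse_reg_export(enum_export).items():
        if re.search(r"\\Enum\\Root\\LEGACY_", key, re.IGNORECASE) and "Service" in values:
            names.add(values["Service"])
    return names


def service_images(services_export: str) -> Dict[str, str]:
    """Map service name -> ImagePath from a Services key export."""
    images: Dict[str, str] = {}
    for key, values in parse_reg_export(services_export).items():
        if "ImagePath" in values:
            images[key.rsplit("\\", 1)[-1]] = values["ImagePath"]
    return images


def find_hidden_drivers(enum_export: str, services_export: str,
                        live_view: List[str]) -> List[Dict[str, str]]:
    """Return registry-registered drivers that the live view does not show."""
    visible = {name.lower() for name in live_view}
    images = service_images(services_export)
    hidden: List[Dict[str, str]] = []
    for name in sorted(legacy_services(enum_export)):
        if name.lower() not in visible:
            hidden.append({"service": name,
                           "image": images.get(name, "<no Services key>")})
    return hidden


if __name__ == "__main__":
    for entry in find_hidden_drivers(ENUM_ROOT_EXPORT, SERVICES_EXPORT, LIVE_VIEW):
        print(f"HIDDEN: service {entry['service']} -> {entry['image']}")
```

On a real system the two views would come from an offline registry export (taken from a live CD or a second OS, as the poster did) and from a live enumeration on the suspect machine; the discrepancy itself is the indicator, and the image path it yields tells you which file to examine offline.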