The service and driver names are random, e.g.:
Fyq16.sys
Ctvc16.sys
Wswc11.sys
Note: the service name and the driver file name may differ.
For example, a service Nla32 loading the driver Nje32.sys.
Both of these are hidden from the normal registry and file-system views:
HKLM\SYSTEM\CurrentControlSet\Services\Nla32
C:\WINDOWS\system32\Nje32.sys
Files at the origin of the rootkit installation (the droppers):
609x.exe
b_1_.exe
mad.exe
Rootkit scan
catchme 0.2 W2K/XP/Vista - userland rootkit detector by Gmer, 17 October 2006
http://www.gmer.net
scanning hidden processes ...
scanning hidden services ...
HKLM\SYSTEM\CurrentControlSet\Services\Nla32
scanning hidden autostart entries ...
scanning hidden files ...
C:\WINDOWS\system32\Nje32.sys 155648 bytes
scan completed successfully
hidden processes: 0
hidden services: 1
hidden files: 1
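The catchme output above is a cross-view comparison: a rootkit that hooks the registry and file APIs can hide the Nla32 key and Nje32.sys from regedit and from a directory listing, but a lower-level view (the SYSTEM hive parsed on disk, a raw NTFS directory walk) still sees them, and anything present in the low view but absent from the API view is reported as hidden. The following is an added example, not code from the write-up or from Gmer's catchme, implementing that comparison and additionally linking each hidden service to the hidden driver its ImagePath loads, so the two differently named artefacts are reported together. The service and file listings are constructed sample data reproducing the Nla32/Nje32.sys case; %SystemRoot% is assumed to be C:\WINDOWS; on a live system the two views would come from the SCM/registry API and from an offline hive or raw volume parse. Path handling uses ntpath so the example runs on any platform.

```python
"""Cross-view detection of hidden services and driver files (added example)."""
import ntpath
from dataclasses import dataclass

SYSTEMROOT = r"C:\WINDOWS"   # assumed; on a live box read %SystemRoot%
SYSTEM32 = ntpath.join(SYSTEMROOT, "system32")
SERVICES_KEY = r"HKLM\SYSTEM\CurrentControlSet\Services"

# High-level (API) view of the Services key: name -> ImagePath, as the
# possibly hooked registry API returns it. Constructed sample data.
API_SERVICES = {
    "Beep":  r"System32\DRIVERS\beep.sys",
    "Cdrom": r"System32\DRIVERS\cdrom.sys",
}
# Low-level view: the same key read from the SYSTEM hive on disk. Constructed;
# it also contains the service the rootkit hides.
RAW_SERVICES = dict(API_SERVICES, Nla32=r"\??\C:\WINDOWS\system32\Nje32.sys")

# High-level listing of C:\WINDOWS\system32 (name -> size), then the raw
# NTFS view of the same directory. Constructed sample data.
API_FILES = {"ntoskrnl.exe": 2188928, "beep.sys": 4224}
RAW_FILES = dict(API_FILES, **{"Nje32.sys": 155648})


@dataclass(frozen=True)
class Finding:
    kind: str    # "service" or "file"
    path: str    # registry key or full file path
    detail: str  # ImagePath for a service, size for a file


def normalize_image_path(image_path: str) -> str:
    """Turn a driver ImagePath into an absolute Win32 path.

    Handles the shapes found under Services keys: NT-style '\\??\\C:\\...',
    '\\SystemRoot\\...', and SystemRoot-relative 'System32\\DRIVERS\\x.sys'.
    """
    p = image_path
    if p.startswith("\\??\\"):
        p = p[4:]
    elif p.lower().startswith("\\systemroot\\"):
        p = ntpath.join(SYSTEMROOT, p[len("\\systemroot\\"):])
    elif not ntpath.splitdrive(p)[0]:
        p = ntpath.join(SYSTEMROOT, p)
    return p


def hidden_services(api_view, raw_view):
    """Services present in the raw hive but missing from the API view."""
    return [Finding("service", SERVICES_KEY + "\\" + n, raw_view[n])
            for n in sorted(raw_view) if n not in api_view]


def hidden_files(api_view, raw_view, directory=SYSTEM32):
    """Files present in the raw directory walk but missing from the API view."""
    return [Finding("file", ntpath.join(directory, n), f"{raw_view[n]} bytes")
            for n in sorted(raw_view) if n not in api_view]


def link_services_to_files(services, files):
    """Pair each hidden service with the hidden driver its ImagePath names
    (None when the driver is not itself hidden)."""
    by_path = {f.path.lower(): f for f in files}
    return [(s, by_path.get(normalize_image_path(s.detail).lower()))
            for s in services]


def scan(api_services, raw_services, api_files, raw_files, directory=SYSTEM32):
    svcs = hidden_services(api_services, raw_services)
    files = hidden_files(api_files, raw_files, directory)
    return {"hidden_services": svcs, "hidden_files": files,
            "pairs": link_services_to_files(svcs, files)}


def format_report(result):
    """catchme-style summary, plus the service -> driver correlation."""
    lines = [s.path for s in result["hidden_services"]]
    lines += [f"{f.path} {f.detail}" for f in result["hidden_files"]]
    for s, f in result["pairs"]:
        if f is not None:
            lines.append(f"service {s.path.rsplit(chr(92), 1)[1]} "
                         f"loads hidden driver {f.path}")
    lines.append(f"hidden services: {len(result['hidden_services'])}")
    lines.append(f"hidden files: {len(result['hidden_files'])}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(scan(API_SERVICES, RAW_SERVICES, API_FILES, RAW_FILES)))
```

The comparison deliberately keys on names only: a rootkit that hides a key hides it from the API enumeration entirely, so presence/absence is the signal. The ImagePath normalisation matters because service names and driver file names differ, as the write-up notes, and the only link between them is that path.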
File scans (VirusTotal; dates are MM.DD.YYYY). At the time, the driver was identified as Rootkit.Win32.Agent.ea by Kaspersky/F-Secure only, and the droppers were flagged mostly by heuristics.
Complete scanning result of "609x.exe", received in VirusTotal at 05.19.2007, 18:51:42 (CET).

Antivirus          Version         Update      Result
AhnLab-V3          2007.5.16.1     05.18.2007  no virus found
AntiVir            7.4.0.23        05.18.2007  no virus found
Authentium         4.93.8          05.18.2007  no virus found
Avast              4.7.997.0       05.18.2007  no virus found
AVG                7.5.0.467       05.19.2007  no virus found
BitDefender        7.2             05.19.2007  no virus found
CAT-QuickHeal      9.00            05.18.2007  (Suspicious) - DNAScan
ClamAV             devel-20070416  05.19.2007  no virus found
DrWeb              4.33            05.19.2007  no virus found
eSafe              7.0.15.0        05.17.2007  no virus found
eTrust-Vet         30.7.3644       05.19.2007  no virus found
Ewido              4.0             05.19.2007  no virus found
FileAdvisor        1               05.19.2007  no virus found
Fortinet           2.85.0.0        05.19.2007  suspicious
F-Prot             4.3.2.48        05.18.2007  no virus found
F-Secure           6.70.13030.0    05.18.2007  no virus found
Ikarus             T3.1.1.7        05.19.2007  no virus found
Kaspersky          4.0.2.24        05.19.2007  no virus found
McAfee             5034            05.18.2007  no virus found
Microsoft          1.2503          05.19.2007  no virus found
NOD32v2            2277            05.18.2007  no virus found
Norman             5.80.02         05.18.2007  no virus found
Panda              9.0.0.4         05.19.2007  Suspicious file
Prevx1             V2              05.19.2007  no virus found
Sophos             4.17.0          05.18.2007  no virus found
Sunbelt            2.2.907.0       05.17.2007  no virus found
Symantec           10              05.19.2007  no virus found
TheHacker          6.1.6.118       05.18.2007  no virus found
VBA32              3.12.0          05.18.2007  no virus found
VirusBuster        4.3.7:9         05.19.2007  no virus found
Webwasher-Gateway  6.0.1           05.18.2007  Win32.Malware.gen!84 (suspicious)

Additional information
File size: 1641 bytes
MD5: 037ff74b938a95c58729319ba7a1128c
SHA1: a7e1549a962dd83eb0a3290d50afc30f154a36c6
Complete scanning result of "Fyq16.sys", received in VirusTotal at 03.07.2007, 13:56:07 (CET).

Antivirus          Version         Update      Result
AntiVir            7.3.1.38        03.07.2007  TR/RKit.Agent.EA.2
Authentium         4.93.8          03.06.2007  no virus found
Avast              4.7.936.0       03.07.2007  no virus found
AVG                7.5.0.447       03.07.2007  no virus found
BitDefender        7.2             03.07.2007  no virus found
CAT-QuickHeal      9.00            03.06.2007  no virus found
ClamAV             devel-20060426  03.07.2007  no virus found
DrWeb              4.33            03.07.2007  no virus found
eSafe              7.0.14.0        03.06.2007  no virus found
eTrust-Vet         30.6.3461       03.07.2007  no virus found
Ewido              4.0             03.07.2007  Rootkit.Agent.ea
FileAdvisor        1               03.07.2007  no virus found
Fortinet           2.85.0.0        03.07.2007  no virus found
F-Prot             4.3.1.45        03.06.2007  no virus found
F-Secure           6.70.13030.0    03.07.2007  Rootkit.Win32.Agent.ea
Ikarus             T3.1.1.3        03.07.2007  no virus found
Kaspersky          4.0.2.24        03.07.2007  Rootkit.Win32.Agent.ea
McAfee             4978            03.06.2007  no virus found
Microsoft          1.2204          03.07.2007  no virus found
NOD32v2            2100            03.07.2007  no virus found
Norman             5.80.02         03.06.2007  no virus found
Panda              9.0.0.4         03.07.2007  no virus found
Prevx1             V2              03.07.2007  no virus found
Sophos             4.15.0          03.07.2007  no virus found
Sunbelt            2.2.907.0       03.05.2007  no virus found
Symantec           10              03.07.2007  no virus found
TheHacker          6.1.6.070       03.06.2007  no virus found
UNA                1.83            03.06.2007  no virus found
VBA32              3.11.2          03.07.2007  no virus found
VirusBuster        4.3.19:9        03.06.2007  no virus found

Additional information
File size: 137728 bytes
MD5: 173eba040f82b1bef12708a246ec43cf
SHA1: 651bfe84ec04fee18896df9bf6ffe7660bb3152f
Complete scanning result of "b_1_.exe", received in VirusTotal at 04.11.2007, 01:30:49 (CET).

Antivirus          Version         Update      Result
AhnLab-V3          2007.4.10.0     04.10.2007  no virus found
AntiVir            7.3.1.50        04.10.2007  TR/Crypt.XDR.Gen
Authentium         4.93.8          04.09.2007  W32/Dropper.gen6
Avast              4.7.936.0       04.10.2007  no virus found
AVG                7.5.0.447       04.11.2007  no virus found
BitDefender        7.2             04.11.2007  Dropped:Rootkit.Agent.CI
CAT-QuickHeal      9.00            04.10.2007  no virus found
ClamAV             devel-20070312  04.11.2007  no virus found
DrWeb              4.33            04.11.2007  Trojan.MulDrop.5866
eSafe              7.0.15.0        04.10.2007  suspicious Trojan/Worm
eTrust-Vet         30.7.3557       04.10.2007  no virus found
Ewido              4.0             04.10.2007  no virus found
FileAdvisor        1               04.11.2007  no virus found
Fortinet           2.85.0.0        04.10.2007  suspicious
F-Prot             4.3.1.45        04.11.2007  W32/Dropper.gen6
F-Secure           6.70.13030.0    04.10.2007  Rootkit.Win32.Agent.ea
Ikarus             T3.1.1.5        04.10.2007  no virus found
Kaspersky          4.0.2.24        04.11.2007  Rootkit.Win32.Agent.ea
McAfee             5005            04.10.2007  no virus found
Microsoft          1.2405          04.10.2007  no virus found
NOD32v2            2178            04.10.2007  no virus found
Norman             5.80.02         04.10.2007  W32/Rootkit.AAD.dropper
Panda              9.0.0.4         04.11.2007  Suspicious file
Prevx1             V2              04.11.2007  no virus found
Sophos             4.16.0          04.06.2007  no virus found
Sunbelt            2.2.907.0       04.07.2007  no virus found
Symantec           10              04.11.2007  no virus found
TheHacker          6.1.6.088       04.09.2007  no virus found
VBA32              3.11.3          04.10.2007  no virus found
VirusBuster        4.3.7:9         04.10.2007  no virus found
Webwasher-Gateway  6.0.1           04.10.2007  Trojan.Crypt.XDR.Gen