Safety 101: Viruses and solutions


How to detect and remove unknown rootkits

2013 Aug 28 ID: 5353
A rootkit is a program, or a set of programs, that hides the presence of malware in the system.

A rootkit for Windows systems is a program that penetrates the system and intercepts system functions (the Windows API). By intercepting and modifying low-level API functions it can effectively hide its own presence, and it can also hide particular processes, folders, files and registry keys. Some rootkits install their own drivers and services in the system, which likewise remain "invisible".

Kaspersky Lab has developed the TDSSKiller utility, which detects and removes both known rootkits (TDSS, Sinowal, Whistler, Phanta, Trup, Stoned) and unknown ones.

List of malicious programs:

Backdoor.Win32.Phanta.a,b; Backdoor.Win32.Sinowal.knf,kmy; Backdoor.Win32.Trup.a,b; Rootkit.Boot.Aeon.a; Rootkit.Boot.Backboot.a; Rootkit.Boot.Batan.a; Rootkit.Boot.Bootkor.a; Rootkit.Boot.Cidox.a,b; Rootkit.Boot.Clones.a; Rootkit.Boot.CPD.a,b; Rootkit.Boot.Fisp.a; Rootkit.Boot.Geth.a; Rootkit.Boot.Goodkit.a; Rootkit.Boot.Harbinger.a; Rootkit.Boot.Krogan.a; Rootkit.Boot.Lapka.a; Rootkit.Boot.MyBios.b; Rootkit.Boot.Nimnul.a; Rootkit.Boot.Pihar.a,b,c; Rootkit.Boot.Plite.a; Rootkit.Boot.Prothean.a; Rootkit.Boot.Qvod.a; Rootkit.Boot.Smitnyl.a; Rootkit.Boot.SST.a,b; Rootkit.Boot.SST.b; Rootkit.Boot.Wistler.a; Rootkit.Boot.Xpaj.a; Rootkit.Boot.Yurn.a; Rootkit.Win32.PMax.gen; Rootkit.Win32.Stoned.d; Rootkit.Win32.TDSS; Rootkit.Win32.TDSS.mbr; Rootkit.Win32.ZAccess.aml,c,e,f,g,h,i,j,k; Trojan-Clicker.Win32.Wistler.a,b,c; Trojan-Dropper.Boot.Niwa.a; Trojan-Ransom.Boot.Mbro.d,e; Trojan-Ransom.Boot.Mbro.f; Trojan-Ransom.Boot.Siob.a; Virus.Win32.Cmoser.a; Virus.Win32.Rloader.a; Virus.Win32.TDSS.a,b,c,d,e; Virus.Win32.Volus.a; Virus.Win32.ZAccess.k; Virus.Win32.Zhaba.a,b,c.


IMPORTANT

  • The utility has a graphical interface.
  • The utility supports 32-bit operating systems: MS Windows XP SP2, MS Windows XP SP3, MS Windows Vista, MS Windows Vista SP1, MS Windows Vista SP2, MS Windows 7, MS Windows 7 SP1, Microsoft Windows Server 2003 R2 Standard / Enterprise SP2, Microsoft Windows Server 2003 Standard / Enterprise SP2, Microsoft Windows Server 2008 Standard / Enterprise SP2.
  • The utility supports 64-bit operating systems: MS Windows XP SP2, MS Windows XP SP3, MS Windows Vista, MS Windows Vista SP1, MS Windows Vista SP2, MS Windows 7, MS Windows 7 SP1, Microsoft Windows Server 2008 Standard / Enterprise x64 Edition SP2, Microsoft Windows Server 2003 R2 Standard / Enterprise x64 Edition SP2, Microsoft Windows Server 2003 Standard / Enterprise x64 Edition SP2, Microsoft Windows Server 2008 R2 Standard / Enterprise x64 Edition SP0 or higher.
  • The utility can be run in Normal Mode and Safe Mode.

How to disinfect a compromised system
  • Download the TDSSKiller.exe file on the infected (or possibly infected) computer.
  • Run the TDSSKiller.exe file.
  • The utility starts scanning the system for malicious and suspicious objects when you click the Start scan button.
  • The utility can detect the following suspicious objects:

    • Hidden service – a registry key that is hidden from standard listing;
    • Blocked service – a registry key that cannot be opened by standard means;
    • Hidden file – a file on the disk that is hidden from standard listing;
    • Blocked file – a file on the disk that cannot be opened by standard means;
    • Forged file – when read by standard means, the original content is returned instead of the actual one;
    • Rootkit.Win32.BackBoot.gen – a suspected MBR infection with an unknown bootkit.

It is highly probable that such anomalies in the system are the result of rootkit activity, but they can also be traces left by some legitimate software.

  • In order to perform further analysis, quarantine the detected object using the Copy to quarantine option. The file will not be deleted in this case.
  • Send the saved file(s) either to the Virus Lab or to VirusTotal.com for scanning.
  • If the detailed analysis proves that the objects are malicious indeed, you can do the following:

    • delete them by selecting the Delete option;
    • or restore the MBR (in case the problem is with the MBR) by selecting the Restore option.
A reboot might be required after the disinfection has been completed.

Command line keys for the TDSSKiller.exe utility:

-l <file_name> – save a log into the file. The path may point to folders that do not exist at the moment the command is executed; the utility creates the corresponding folders automatically.

-qpath <folder_path> – quarantine folder path (automatically created if it does not exist);
-h – this help;
-sigcheck – detect all unsigned drivers as suspicious;

Information: the utility will detect drivers that are unsigned or have an invalid signature. This does not mean that those files are surely infected. Such drivers are detected as <unsigned file>. If you suspect that such a file is infected, please send it to the Kaspersky Virus Lab for analysis.


-tdlfs – detect the TDLFS file system, which the TDL 3 / 4 rootkits create in the last sectors of a hard disk for storing their files. It is possible to quarantine all these files.

The following keys allow the utility to be executed in silent mode:
-qall – quarantine all objects (including clean ones);
-qsus – quarantine suspicious objects only;
-qboot – save copies of all boot sectors;
-qmbr – save copies of MBRs;
-qcsvc <service_name> – quarantine the service;
-dcsvc <service_name> – delete the service;
-silent – scan in silent mode (do not display any windows), so that the utility can be run in a centralized way over the network;
-dcexact – automatic detection / cure of known threats.
For example, the following command tells the utility to scan the computer, and save a detailed log into the report.txt file (created in the TDSSKiller.exe utility folder):
TDSSKiller.exe -l report.txt
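As an added example (not Kaspersky's own script), the PowerShell wrapper below runs the utility unattended with the keys described above and collects the log, quarantine and boot-sector copies into a per-host folder on a central share, so suspicious objects can be sent for analysis before anything is deleted. The tool path and share name are assumed placeholders, and paths are assumed to contain no spaces.

```powershell
# Added example (not from Kaspersky): unattended TDSSKiller run on one host,
# with results collected centrally. Placeholder paths; adjust for your environment.
param(
    [string]$Tool  = 'C:\Tools\TDSSKiller.exe',      # assumed local copy of the utility
    [string]$Share = '\\fileserver\rootkit-scans',   # assumed central collection share
    [switch]$SigCheck                                # also flag unsigned drivers (noisier)
)

$computer = $env:COMPUTERNAME
$stamp    = Get-Date -Format 'yyyyMMdd-HHmmss'
$outDir   = Join-Path $Share "$computer\$stamp"
$log      = Join-Path $outDir 'report.txt'
$qDir     = Join-Path $outDir 'quarantine'

# Keys from the article: -silent (no windows), -l (log; missing folders are
# created automatically), -qpath (quarantine folder), -qsus (copy suspicious
# objects only, nothing is deleted), -qmbr (keep MBR copies for later analysis).
$argList = @('-silent', '-l', $log, '-qpath', $qDir, '-qsus', '-qmbr')
if ($SigCheck) { $argList += '-sigcheck' }

$proc = Start-Process -FilePath $Tool -ArgumentList $argList -Wait -PassThru -NoNewWindow
Write-Output "TDSSKiller finished on $computer with exit code $($proc.ExitCode)"

# Quarantined objects are suspicious, not yet confirmed malicious: they still
# need a verdict (Virus Lab / VirusTotal) before Delete or -dcsvc is used.
if (Test-Path $qDir) {
    $count = (Get-ChildItem -Path $qDir -Recurse -File | Measure-Object).Count
    Write-Output "$count object(s) copied to quarantine at $qDir"
}
Write-Output "Log saved to $log"
```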
