Trojan.Looksky.A
VERY LOW
VERY LOW
4096
Symptoms
A DLL named "comdlg64.dll" loaded in the address space of the winlogon.exe process.
A mutex "free_handlers".
Removal instructions:
Please let BitDefender disinfect your files.
Analyzed By
Marusceac Claudiu Florin, virus researcher
Technical Description:
Trojan.Looksky.A is a DLL that acts as a user-mode rootkit.
It hooks a number of APIs exported by ntdll.dll (NtResumeThread, NtQuerySystemInformation, NtEnumerateValueKey and NtQueryDirectoryFile) in order to hide a process, a registry key and a file whose name contains the string "spoolsvv".
It injects code into the winlogon.exe process, which then loads a DLL named "comdlg64.dll".
The DLL exports two functions, "hide__" and "un_hide__": "hide__" installs the hooks (in addition to the hooking done from the DLL entry point), and "un_hide__" restores the original functions.
It creates a mutex named "free_handlers", during the restoration of the hooks.
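The following is an added example, not code from the original entry or from the malware itself, showing the mechanism behind the NtQuerySystemInformation hook described above and the check a practitioner would run against it. A user-mode rootkit that hooks NtQuerySystemInformation lets the real call fill the caller's buffer, then walks the returned SYSTEM_PROCESS_INFORMATION chain and adjusts NextEntryOffset so that entries it wants hidden are skipped; the bytes remain in the buffer, only the chain no longer reaches them. The struct here is a hypothetical fixed-size stand-in for the real, variable-sized entry, the process list is constructed inline, and no ntdll function is called, so the code runs on any platform. The cross-view check compares the chain the hooked caller sees against the entries physically present in the buffer; in practice the trusted view would come from a second, unhooked source (e.g. a fresh mapping of ntdll or a kernel driver).

```c
/* Added example: user-mode process hiding by NextEntryOffset unlinking,
 * plus a cross-view check that exposes the unlinked entry.
 * All structures and the process list are constructed here (hypothetical). */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for SYSTEM_PROCESS_INFORMATION. The real entries are
 * variable-sized with a UNICODE_STRING image name; only the NextEntryOffset
 * linking matters for the technique shown. */
typedef struct {
    uint32_t NextEntryOffset;   /* byte distance to the next entry, 0 ends the list */
    uint32_t ProcessId;
    char     ImageName[32];
} ProcEntry;

/* Build a constructed process list of n contiguous entries (caller frees). */
static ProcEntry *build_list(const char *const names[], size_t n) {
    ProcEntry *buf = calloc(n, sizeof(ProcEntry));
    for (size_t i = 0; i < n; i++) {
        buf[i].NextEntryOffset = (i + 1 < n) ? (uint32_t)sizeof(ProcEntry) : 0;
        buf[i].ProcessId = (uint32_t)(100 + i * 4);
        strncpy(buf[i].ImageName, names[i], sizeof buf[i].ImageName - 1);
    }
    return buf;
}

/* What the hook does after the genuine NtQuerySystemInformation returns:
 * every entry whose image name contains `marker` is unlinked by pointing the
 * previous entry's NextEntryOffset past it. Returns the number hidden.
 * The first entry cannot be unlinked this way (there is no predecessor). */
static int hide_entries(ProcEntry *list, const char *marker) {
    int hidden = 0;
    ProcEntry *prev = NULL, *cur = list;
    for (;;) {
        ProcEntry *next = cur->NextEntryOffset
            ? (ProcEntry *)((char *)cur + cur->NextEntryOffset) : NULL;
        if (prev && strstr(cur->ImageName, marker)) {
            /* skip cur: prev now links to next, or terminates if cur was last */
            prev->NextEntryOffset = next ? (uint32_t)((char *)next - (char *)prev) : 0;
            hidden++;
        } else {
            prev = cur;
        }
        if (!next) break;
        cur = next;
    }
    return hidden;
}

/* The hooked caller's view: count entries reachable by following the chain. */
static int count_linked(const ProcEntry *list) {
    int n = 0;
    for (const ProcEntry *e = list;; e = (const ProcEntry *)((const char *)e + e->NextEntryOffset)) {
        n++;
        if (!e->NextEntryOffset) break;
    }
    return n;
}

/* Cross-view check: entries present in the buffer but unreachable via the chain.
 * `total` is the trusted count (known here because the buffer was built above). */
static int count_hidden(const ProcEntry *list, size_t total) {
    return (int)total - count_linked(list);
}

/* Name of the first entry that sits in the buffer but is not linked, or NULL.
 * Valid here because entries are fixed-size and contiguous. */
static const char *first_unlinked(const ProcEntry *list, size_t total) {
    unsigned char *seen = calloc(total, 1);
    for (const ProcEntry *e = list;; e = (const ProcEntry *)((const char *)e + e->NextEntryOffset)) {
        seen[e - list] = 1;
        if (!e->NextEntryOffset) break;
    }
    const char *name = NULL;
    for (size_t i = 0; i < total; i++)
        if (!seen[i]) { name = list[i].ImageName; break; }
    free(seen);
    return name;
}

int main(void) {
    /* constructed sample list; "spoolsvv.exe" is the entry the hook will hide */
    const char *const names[] = {"System", "winlogon.exe", "spoolsvv.exe", "explorer.exe"};
    ProcEntry *list = build_list(names, 4);
    printf("before hook: %d processes visible\n", count_linked(list));
    hide_entries(list, "spoolsvv");
    printf("after hook:  %d visible, %d hidden (%s)\n", count_linked(list),
           count_hidden(list, 4), first_unlinked(list, 4));
    free(list);
    return 0;
}
```

The same NextEntryOffset trick is how hooked NtQueryDirectoryFile and NtEnumerateValueKey results are filtered (FILE_*_INFORMATION and KEY_VALUE_*_INFORMATION entries are chained the same way), so a detector that compares a hooked enumeration with an unhooked one catches all three.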