Rootkit.Indag.A
LOW
MEDIUM
1920 B
()
Symptoms
- presence of the file %windir%\System32\Drivers\QuSiRav.sys
Removal instructions:
Please let BitDefender disinfect your files.
Analyzed By
Lutas Andrei Vlad, virus researcher
Technical Description:
This small rootkit driver may came bundled inside any malware. Its main purpose is to kill any AV that can't be normally terminated from user mode (especially AV's that have a self-protection driver).
When loaded, the driver will register as a device under the name \\Device\\GanDiao. A user mode application will then be able to use this driver to kill any process.
First, it will issue a DeviceIOControl request, passing among others, 0x88888888 as a I/O control code and the PID of the targeted process. The rootkit will lookup the process' EPROCESS structure, and, using an undocumented kernel function (MmUnmapViewOfSection), it will unmap a special portion of the ntdll.dll inside the attacked process, causing it to quit without warnings or errors.
SHARE
THIS ON