My Bitdefender
  • 0 Shopping Cart

SHARE
THIS ON

Facebook Twitter Google Plus

Rootkit.Indag.A

LOW
MEDIUM
1920 B

Symptoms

- presence of the file %windir%\System32\Drivers\QuSiRav.sys

Removal instructions:

Please let BitDefender disinfect your files.

Analyzed By

Lutas Andrei Vlad, virus researcher

Technical Description:

This small rootkit driver may came bundled inside any malware. Its main purpose is to kill any AV that can't be normally terminated from user mode (especially AV's that have a self-protection driver).

When loaded, the driver will register as a device under the name \\Device\\GanDiao.  A user mode application will then be able to use this driver to kill any process.

First, it will issue a DeviceIOControl request, passing among others, 0x88888888 as a I/O control code and the PID of the targeted process. The rootkit will lookup the process' EPROCESS structure, and, using an undocumented kernel function (MmUnmapViewOfSection), it will unmap a special portion of the ntdll.dll inside the attacked process, causing it to quit without warnings or errors.