- presence of the file %windir%\System32\Drivers\QuSiRav.sys
Please let BitDefender disinfect your files.
Lutas Andrei Vlad, virus researcher
This small rootkit driver may come bundled with any malware. Its main purpose is to kill AV processes that cannot normally be terminated from user mode (especially AVs that have a self-protection driver).
When loaded, the driver registers a device under the name \\Device\\GanDiao. A user-mode application can then use this driver to kill any process.
First, it issues a DeviceIoControl request, passing, among other parameters, 0x88888888 as the I/O control code and the PID of the targeted process. The rootkit looks up the process's EPROCESS structure and, using an undocumented kernel function (MmUnmapViewOfSection), unmaps a special portion of ntdll.dll inside the attacked process, causing it to quit without any warning or error.
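As an added example (not part of the BitDefender write-up), a read-only PowerShell triage script that checks a host for the indicators named above: the dropped driver file and any kernel service that loads it. It uses only standard Windows locations and reports findings without changing anything.

```powershell
# Added triage script, not from the original write-up. Looks for the
# QuSiRav.sys driver on disk, in the services registry hive, and among
# the currently loaded kernel drivers. Report only; no cleanup.
$driverFile = Join-Path $env:windir 'System32\Drivers\QuSiRav.sys'
$findings   = @()

# 1. Dropped driver binary at the path given in the write-up
if (Test-Path -LiteralPath $driverFile) {
    $findings += "Driver file present: $driverFile"
}

# 2. Any service whose ImagePath points at the driver (the service
#    name itself may vary, so match on the image path instead)
$svcRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services'
foreach ($svc in Get-ChildItem -LiteralPath $svcRoot -ErrorAction SilentlyContinue) {
    $props = Get-ItemProperty -LiteralPath $svc.PSPath -ErrorAction SilentlyContinue
    if ($props.ImagePath -and $props.ImagePath -match 'QuSiRav\.sys') {
        $findings += "Service '$($svc.PSChildName)' loads $($props.ImagePath)"
    }
}

# 3. Kernel drivers currently known to the service control manager
$loaded = Get-CimInstance -ClassName Win32_SystemDriver -ErrorAction SilentlyContinue
foreach ($drv in $loaded) {
    if ($drv.PathName -match 'QuSiRav\.sys') {
        $findings += "Driver '$($drv.Name)' state=$($drv.State) path=$($drv.PathName)"
    }
}

if ($findings.Count -eq 0) {
    'No QuSiRav.sys indicators found.'
} else {
    $findings
}
```

Run it from an elevated prompt so the services hive and driver list are fully readable; a hit on any check means the host should be handed to the AV product for disinfection.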