BitDefender Antivirus

Rootkit.Indag.A

Spreading: low
Damage: medium
Size: 1920 B
Discovered: 2009 Mar 04

SYMPTOMS:

- presence of the file %windir%\System32\Drivers\QuSiRav.sys

TECHNICAL DESCRIPTION:

This small rootkit driver may come bundled with any malware. Its main purpose is to kill antivirus products that cannot normally be terminated from user mode (especially those that ship a self-protection driver).

When loaded, the driver registers a device under the name \\Device\\GanDiao. A user-mode application can then use this driver to kill any process.

The application first issues a DeviceIoControl request passing, among other parameters, 0x88888888 as the I/O control code and the PID of the targeted process. The rootkit looks up the process's EPROCESS structure and, using an undocumented kernel function (MmUnmapViewOfSection), unmaps a specific portion of ntdll.dll inside the attacked process, causing it to exit without any warning or error.
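As an added example (not part of the BitDefender write-up), a small Python scanner that checks a driver image for the two static indicators named above: the 0x88888888 control code, which a compiled driver carries as a 32-bit little-endian constant, and the device name, which kernel drivers hold as a UTF-16LE string. It assumes the real device path is \Device\GanDiao (the write-up prints it with doubled backslashes, C-string style); the sample image and the helper names are constructed for the demo.

```python
import struct
from pathlib import Path

# Indicators taken from the write-up above.
IOCTL_CODE = 0x88888888
DEVICE_NAME = r"\Device\GanDiao"          # assumed unescaped form of \\Device\\GanDiao
DRIVER_PATH = r"%windir%\System32\Drivers\QuSiRav.sys"

# Byte patterns a compiled x86 driver would carry: the IOCTL as an
# immediate operand (little-endian DWORD) and the device name as the
# UTF-16LE buffer behind its UNICODE_STRING.
IOCTL_BYTES = struct.pack("<I", IOCTL_CODE)
DEVICE_NAME_UTF16 = DEVICE_NAME.encode("utf-16-le")


def scan_driver_image(data: bytes) -> dict:
    """Return which Rootkit.Indag.A indicators a driver image contains."""
    hits = {
        "ioctl_0x88888888": data.find(IOCTL_BYTES) != -1,
        "device_gandiao": data.find(DEVICE_NAME_UTF16) != -1,
    }
    # Both indicators together is a strong match; one alone is only a hint,
    # since a DWORD like 0x88888888 can occur in unrelated data.
    hits["match"] = hits["ioctl_0x88888888"] and hits["device_gandiao"]
    return hits


def driver_file_present(windir: str = "C:\\Windows") -> bool:
    """Symptom check from the write-up: is the dropped .sys file on disk?"""
    return Path(DRIVER_PATH.replace("%windir%", windir)).is_file()


# Constructed stand-in for a driver image (not a real sample): an MZ
# header, the IOCTL constant as an x86 'cmp eax, imm32' operand, and
# the device name string, separated by padding.
SAMPLE_IMAGE = (
    b"MZ" + b"\x00" * 62
    + b"\x3d" + IOCTL_BYTES            # cmp eax, 0x88888888
    + b"\x00" * 16
    + DEVICE_NAME_UTF16 + b"\x00\x00"
)

if __name__ == "__main__":
    print(scan_driver_image(SAMPLE_IMAGE))
    print("driver file present:", driver_file_present())
```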

REMOVAL INSTRUCTIONS:

Please let BitDefender disinfect your files.

ANALYZED BY:

Lutas Andrei Vlad, virus researcher