Jan 10, by Edgardo Diaz, Jr. (Threats Analyst)
Aside from the MBR rootkit, TrendLabs researchers have come across another rootkit that hides ports.
We've discovered a rootkit file that hooks TCPIP.SYS and related functions inside it.
It is able to hide any connection whose destination port matches the following condition:
DestinationPort>3000 OR (DestinationPort<1000 AND DestinationPort!=80 AND DestinationPort!=25)
These are the ports being used on the infected machine. The malware, TROJ_ROOTKIT.DU, was indirectly included in the TROJ_PUSHDO.AD, TROJ_PUSHDO.AR (eCard), and WORM_NUWAR.EN (spam mail) package. Upon execution of that package, the malware downloads TROJ_ROOTKIT.DU as a rootkit component to add stealth to these malware families.
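The usual way to catch a port-hiding hook like this one is a cross-view comparison: the host's own socket table (served by the hooked TCPIP.SYS) is compared against a view the rootkit cannot filter, such as a firewall or NetFlow sensor on the wire. The example below is added here and is not TrendLabs code; it encodes the post's hiding condition, simulates the filtered host view, and reports the connections the host no longer admits to. The connection lists and IP addresses are constructed sample data.

```python
"""Cross-view check for the port-hiding rule described in the post (added example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Conn:
    local_port: int
    remote_ip: str
    remote_port: int


def is_hidden_port(dst_port: int) -> bool:
    """The post's rule: DestinationPort>3000 OR (DestinationPort<1000 AND not 80/25)."""
    return dst_port > 3000 or (dst_port < 1000 and dst_port not in (80, 25))


def simulate_hooked_view(conns):
    """What a host with the hooked TCPIP.SYS would report: matching connections dropped."""
    return [c for c in conns if not is_hidden_port(c.remote_port)]


def cross_view_diff(host_view, network_view):
    """Connections seen on the wire but missing from the host's socket table.
    On a clean host this difference is empty; a non-empty result is the detection signal."""
    return sorted(set(network_view) - set(host_view),
                  key=lambda c: (c.remote_ip, c.remote_port))


# Constructed sample: what a network-side sensor actually records for the infected host.
NETWORK_VIEW = [
    Conn(49152, "198.51.100.7", 80),    # visible: port 80 is exempted by the rule
    Conn(49153, "198.51.100.8", 25),    # visible: port 25 is exempted (spam delivery)
    Conn(49154, "203.0.113.5", 443),    # hidden: <1000 and not 80/25
    Conn(49155, "203.0.113.9", 8080),   # hidden: >3000
    Conn(49156, "203.0.113.10", 2000),  # visible: 1000..3000 is not covered by the rule
]
HOST_VIEW = simulate_hooked_view(NETWORK_VIEW)


def hidden_connections():
    """Connections the rootkit conceals on this sample host."""
    return cross_view_diff(HOST_VIEW, NETWORK_VIEW)


if __name__ == "__main__":
    for c in hidden_connections():
        print(f"hidden by rootkit filter: {c.remote_ip}:{c.remote_port}")
```

Note that the rule's 80/25 exemptions keep ordinary web and mail traffic visible, so a host-only port scan or netstat check would look normal; only the wire-side view exposes the difference.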
Here are screenshots: (images not reproduced here)