From: cquirke (MVP Windows shell/user) on 22 Oct 2005 16:37

On Sat, 22 Oct 2005 12:12:47 GMT, Jeremy Pollard <jeremy.pollard(a)uwe.ac.uk> wrote:

>Standard antivirus software packages such as Norton and McAfee are
>unable to find many types of rootkit, because of the way rootkits work.

Also because of the way these antivirus programs work - they are running from within the infected code base, so there's a limit to how effective they can be expected to be.

>Rootkit revealer works differently to these antivirus packages and is
>much more likely to find this type of malware. It's freeware and is one
>of the only tools that can detect the types of rootkits which standard
>antivirus software cannot.

There's also F-Secure's Blacklight Beta, which is easier to use and more of an editorializing scanner (either "you have a rootkit" or "you do not have a rootkit"), whereas RKR is more like HijackThis; it simply lists the anomalies it finds, and it's up to you to decide how you intend to interpret the results and proceed from there.

Once rootkits are not running, they become just another file (or collection of files) that the scanner can examine. So another approach to rootkits is to use antivirus scanners that are run from an uninfected OS, such as a Bart CDR boot.

>It may be worth running rootkit revealer, just to check whether your
>antivirus software has missed anything. Here's the link:
>http://www.sysinternals.com/Utilities/RootkitRevealer.html

So far, I've not seen rootkits found by RKR or Blacklight, though I've seen plenty of malware named "rootkit" this and "rootkit" that when formally scanning (i.e. running av scanners from non-HD boot).

The general rule:
- run "static" file scanners and integration checkers formally
- run "live" behavior checkers from within the infected OS

Scanners like antivirus, AdAware etc. and integration checkers like HijackThis fall into the first category, and rootkit detectors and process watchers fall into the second.

It can be hard to determine which category some tools fall into, such as service listers; are they listing "live" services, or enumerations from CurrentControlSet etc.?

Also, anything that reads the registry or other settings files has to know to look to the inactive settings files on the HD, and not the "live" ones in effect, if you are running these tools formally (i.e. without booting any infected code off the HD) - otherwise they will be operating on the wrong material, and will be misleading. See...

http://www.nu2.nu/pebuilder/

...and...

http://www.paraglidernc.com/RunScanner.html

...on building a bootable maintenance OS (Bart PE Builder), and equipping this OS with support for "transparent" access to inactive HD registry hives (RunScanner plugin for Bart), respectively.
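The "read the inactive hives on the HD, not the live ones" point above, as an added example that is not part of cquirke's post and not code from Bart PE Builder or RunScanner. It assumes a clean boot environment with PowerShell 4 or later (a modern WinPE rather than the Bart PE of 2005), an elevated session, the suspect system volume mounted at D:\, and a hypothetical function name Get-OfflineDrivers. It loads the offline SYSTEM hive under a temporary key, reads which ControlSetNNN the installed OS actually booted with (the offline equivalent of CurrentControlSet), lists its boot/system/auto-start kernel and file-system drivers, maps each ImagePath onto the offline volume, and hashes the file on disk so that what gets looked up is the hash, not the file name.

```powershell
# Added example (not from the original post). Enumerate the start-at-boot drivers
# of an OFFLINE Windows installation by loading its SYSTEM hive, instead of
# querying the live registry of the (clean) boot environment.
# Assumptions: elevated PowerShell 4+ in a clean boot; suspect volume mounted at D:\.
# The function name is hypothetical.

function Get-OfflineDrivers {
    param(
        [string]$OfflineRoot = 'D:\',          # where the suspect volume is mounted
        [string]$MountName   = 'OfflineSYS'    # temporary key name under HKLM
    )

    $winDir  = Join-Path $OfflineRoot 'Windows'
    $hive    = Join-Path $winDir 'System32\config\SYSTEM'
    $regPath = "HKLM\$MountName"               # reg.exe syntax
    $psPath  = "HKLM:\$MountName"              # registry provider syntax

    # Map an ImagePath as stored in the hive onto the offline volume.
    function Resolve-OfflinePath([string]$imagePath) {
        $p = $imagePath.Trim('"')
        if ($p -match '^\\\?\?\\(.+)$')       { $p = $Matches[1] }                         # \??\C:\x -> C:\x
        if ($p -match '^\\SystemRoot\\(.+)$') { return Join-Path $winDir $Matches[1] }
        if ($p -match '^[A-Za-z]:\\(.+)$')    { return Join-Path $OfflineRoot $Matches[1] }
        if ($p -match '^\\(.+)$')             { return Join-Path $OfflineRoot $Matches[1] }
        return Join-Path $winDir $p                                                        # relative, e.g. system32\drivers\foo.sys
    }

    & reg.exe load $regPath $hive | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Could not load $hive (hive in use, or session not elevated?)" }
    try {
        # Which ControlSetNNN did the installed OS boot with? That is its CurrentControlSet.
        $current = (Get-ItemProperty -Path "$psPath\Select" -Name Current).Current
        $ccs     = "$psPath\ControlSet{0:D3}" -f $current

        Get-ChildItem -Path "$ccs\Services" | ForEach-Object {
            $svc = Get-ItemProperty -Path $_.PSPath
            if ($svc.Start -eq $null) { return }   # no Start value: not a loadable service entry
            $type  = [int]$svc.Type                # 1 = kernel driver, 2 = file system driver
            $start = [int]$svc.Start               # 0 boot, 1 system, 2 auto, 3 demand, 4 disabled
            if ((($type -band 3) -ne 0) -and ($start -le 2)) {
                # Windows' default when a driver has no ImagePath: System32\drivers\<name>.sys
                $file = if ($svc.ImagePath) { Resolve-OfflinePath $svc.ImagePath }
                        else { Join-Path $winDir "System32\drivers\$($_.PSChildName).sys" }
                $exists = Test-Path -LiteralPath $file
                [pscustomobject]@{
                    Service   = $_.PSChildName
                    Start     = $start
                    ImagePath = $svc.ImagePath
                    File      = $file
                    Exists    = $exists
                    SHA256    = if ($exists) { (Get-FileHash -LiteralPath $file -Algorithm SHA256).Hash } else { $null }
                }
            }
        }
    }
    finally {
        & reg.exe unload $regPath | Out-Null      # always detach the offline hive
    }
}

# Example run: boot-time drivers, with missing files and hashes to look up by hash.
Get-OfflineDrivers | Sort-Object Start, Service |
    Format-Table Service, Start, Exists, SHA256, File -AutoSize
```

Loading a hive with reg.exe writes to the hive's transaction log, so on a machine you may need to preserve as evidence, copy SYSTEM out first and load the copy. The same pattern applies to the offline SOFTWARE hive for Run keys and other integration points; the mistake to avoid is reading HKLM:\SYSTEM\CurrentControlSet, which in a clean boot describes the boot environment, not the machine under examination.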
From: easyone on 23 Oct 2005 08:15

I've found after Norton Update 19/10/05, when I try to open Tweak XP with Norton enabled, it stops me with a High Risk Virus warning - 'The file C:\windows\system32\SVKP.sys is infected with the Hacktool.Rootkit virus'. When Norton is disabled I can open Tweak File Shredder without the virus warning.

Looked on the internet to see what SVKP is. It is SVK Protector, security software used by others legitimately.

I've got a feeling the SVKP files are used by Tweak as with other software. Norton recognizes the SVKP.sys file and assumes it is a virus. When I uninstalled Tweak the SVKP file on my computer disappeared and OK. Then on reinstalling it appears.

My computer is running all right from what I see.

If this is the case hopefully it relieves others and myself of the worry of the Hacktool.rootkit virus.

Much appreciate if others could comment.

Tony
From: Shawn E. Hale on 23 Oct 2005 08:35

Interesting but I am not seeing that here. I read conflicting info on that SVKP.sys file - sometimes it is good and sometimes not. I am using TweakUI 2.10 for XP on 3 computers (including the one that had the original problem that started this thread). The others did not have any SVKP files or registry entries - only the one with the reported problem. I removed the SVKP.sys file and registry entries on the original computer and Tweak runs fine on it still. I am not using the File Shredder Tweak though. I am pretty sure that the definitions in that 10/19 Norton download are the problem. If you look at what was added in that definition package, there is a reference to SVKP.sys in the W32.loxbot.A description.

<easyone(a)onetel.com> wrote in message news:1130069708.019633.48260(a)g14g2000cwa.googlegroups.com...
> I've found after Norton Update 19/10/05, when I try to open Tweak XP
> with Norton enabled, it stops me with a High Risk Virus warning - 'The
> file C:\windows\system32\SVKP.sys is infected with the Hacktool.Rootkit
> virus'. When Norton is disabled I can open Tweak File Shredder without
> the virus warning.
>
> Looked on the internet to see what SVKP is. It is SVK Protector, security
> software used by others legitimately.
>
> I've got a feeling the SVKP files are used by Tweak as with other
> software. Norton recognizes the SVKP.sys file and assumes it is a
> virus. When I uninstalled Tweak the SVKP file on my computer
> disappeared and OK. Then on reinstalling it appears.
>
> My computer is running all right from what I see.
>
> If this is the case hopefully it relieves others and myself of the
> worry of the Hacktool.rootkit virus.
>
> Much appreciate if others could comment.
>
> Tony
From: David H. Lipman on 23 Oct 2005 09:04

From: "Shawn E. Hale" <SEHaleNOSPAM1(a)comcast.net>

| Interesting but I am not seeing that here. I read conflicting info on that
| SVKP.sys file - sometimes it is good and sometimes not. I am using TweakUI
| 2.10 for XP on 3 computers (including the one that had the original problem
| that started this thread). The others did not have any SVKP files or
| registry entries - only the one with the reported problem. I removed the
| SVKP.sys file and registry entries on the original computer and Tweak runs
| fine on it still. I am not using the File Shredder Tweak though. I am
| pretty sure that the definitions in that 10/19 Norton download are the
| problem. If you look at what was added in that definition package,
| there is a reference to SVKP.sys in the W32.loxbot.A description.

That's right. One can NOT simply go by a file name. It is often the objective to use the name of a legitimate file to obfuscate its malicious purpose.

Please submit a sample of any suspicious file to Virus Total --
http://www.virustotal.com/flash/index_en.html
The submission will then be tested against many different AV vendors' scanners. That will give you an idea what it is and who recognizes it. In addition, unless told otherwise, Virus Total will provide the sample to all participating vendors.

When you get the report, please post back the exact results.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm
From: easyone on 23 Oct 2005 12:35

David H. Lipman wrote:
> From: "Shawn E. Hale" <SEHaleNOSPAM1(a)comcast.net>
>
> | Interesting but I am not seeing that here. I read conflicting info on that
> | SVKP.sys file - sometimes it is good and sometimes not. I am using TweakUI
> | 2.10 for XP on 3 computers (including the one that had the original problem
> | that started this thread). The others did not have any SVKP files or
> | registry entries - only the one with the reported problem. I removed the
> | SVKP.sys file and registry entries on the original computer and Tweak runs
> | fine on it still. I am not using the File Shredder Tweak though. I am
> | pretty sure that the definitions in that 10/19 Norton download are the
> | problem. If you look at what was added in that definition package,
> | there is a reference to SVKP.sys in the W32.loxbot.A description.
>
> That's right. One can NOT simply go by a file name. It is often the objective to use the
> name of a legitimate file to obfuscate its malicious purpose.
>
> Please submit a sample of any suspicious file to Virus Total --
> http://www.virustotal.com/flash/index_en.html
> The submission will then be tested against many different AV vendors' scanners.
> That will give you an idea what it is and who recognizes it. In addition, unless told
> otherwise, Virus Total will provide the sample to all participating vendors.
>
> When you get the report, please post back the exact results.
>
> --
> Dave
> http://www.claymania.com/removal-trojan-adware.html
> http://www.ik-cs.com/got-a-virus.htm

David

Thanks for your suggestion of Virus Total - their reply below:

Results of a file scan

This is a report processed by VirusTotal on 10/23/2005 at 17:01:44 (CET) after scanning the file "SVKP.sys.zip".

Antivirus       Version          Update       Result
AntiVir         6.32.0.6         10.22.2005   no virus found
Avast           4.6.695.0        10.21.2005   no virus found
AVG             718              10.21.2005   no virus found
Avira           6.32.0.6         10.22.2005   no virus found
BitDefender     7.2              10.22.2005   no virus found
CAT-QuickHeal   8.00             10.22.2005   no virus found
ClamAV          devel-20050917   10.21.2005   no virus found
DrWeb           4.32b            10.23.2005   no virus found
eTrust-Iris     7.1.194.0        10.23.2005   no virus found
eTrust-Vet      11.9.1.0         10.21.2005   no virus found
Fortinet        2.48.0.0         10.22.2005   no virus found
F-Prot          3.16c            10.20.2005   no virus found
Ikarus          0.2.59.0         10.21.2005   no virus found
Kaspersky       4.0.2.24         10.23.2005   no virus found
McAfee          4610             10.21.2005   no virus found
NOD32v2         1.1263           10.21.2005   no virus found
Norman          5.70.10          10.21.2005   no virus found
Panda           8.02.00          10.23.2005   no virus found
Sophos          3.98.0           10.22.2005   no virus found
Symantec        8.0              10.22.2005   no virus found
TheHacker       5.8.4.127        10.21.2005   no virus found
VBA32           3.10.4           10.23.2005   Virtool.SVKProtector

Hope some help. Grateful if you would advise what I should do with VBA32.

Thanks a lot

Tony
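Dave's advice to judge a file by multi-engine results rather than by its name, and the 1-of-22 report Tony posted, as an added example that is not part of either post and is not VirusTotal's own tooling. It parses a pasted VirusTotal text report of the shape above (the sample lines are copied from Tony's report), counts detections, and separates generic packer/protector/tool names (a prefix list that is my own assumption, not a VirusTotal classification) from family names, so a lone "Virtool.*" verdict can be read as "this file is packed or is a dual-use tool" rather than as confirmed malware. The function names are hypothetical.

```powershell
# Added example (not from the original posts). Summarize a pasted VirusTotal
# text report: how many engines flagged the file, and whether the verdicts are
# generic packer/tool names or named malware families. Function names and the
# "generic prefix" list are assumptions for illustration.

# Constructed input: lines copied from the report posted in the thread.
$ReportText = @'
Antivirus Version Update Result
AntiVir 6.32.0.6 10.22.2005 no virus found
Avast 4.6.695.0 10.21.2005 no virus found
Kaspersky 4.0.2.24 10.23.2005 no virus found
McAfee 4610 10.21.2005 no virus found
Symantec 8.0 10.22.2005 no virus found
VBA32 3.10.4 10.23.2005 Virtool.SVKProtector
'@

function ConvertFrom-VirusTotalText {
    param([string]$Text)
    foreach ($line in ($Text -split "`r?`n")) {
        # engine, version, update date (MM.DD.YYYY), then the verdict (may contain spaces)
        if ($line -match '^(\S+)\s+(\S+)\s+(\d{2}\.\d{2}\.\d{4})\s+(.+)$') {
            $verdict = $Matches[4].Trim()
            [pscustomobject]@{
                Engine   = $Matches[1]
                Version  = $Matches[2]
                Updated  = $Matches[3]
                Result   = $verdict
                Detected = ($verdict -ne 'no virus found')
            }
        }
    }
}

function Get-VirusTotalSummary {
    param([string]$Text)
    $rows = @(ConvertFrom-VirusTotalText -Text $Text)
    $hits = @($rows | Where-Object { $_.Detected })
    # Assumed list of verdict prefixes that describe a packer, protector or
    # dual-use tool rather than a specific malware family.
    $genericPrefix = '^(Virtool|VirTool|Packed|PUA|not-a-virus|Riskware|Hacktool)'
    $generic = @($hits | Where-Object { $_.Result -match $genericPrefix })
    [pscustomobject]@{
        Engines     = $rows.Count
        Detections  = $hits.Count
        GenericOnly = ($hits.Count -gt 0 -and $generic.Count -eq $hits.Count)
        Verdicts    = @($hits | ForEach-Object { "$($_.Engine): $($_.Result)" })
    }
}

# Example run on the constructed report: 1 of 6 engines, and that one is a generic name.
Get-VirusTotalSummary -Text $ReportText | Format-List
```

A low detection count made up only of generic names is the pattern of a packed or protected binary, which is exactly what a protector like SVKP produces; it is not proof the file is clean, so the next step is still to confirm where the file came from (which installer dropped it) and, as in the offline-boot approach earlier in the thread, to check its hash against a copy obtained from the vendor rather than relying on the name.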