From: cquirke (MVP Windows shell/user) on 23 Oct 2005 19:04

On Sun, 23 Oct 2005 08:35:47 -0400, "Shawn E. Hale"

>I read conflicting info on that SVKP.sys file - sometimes it is good
>and sometimes not. I am using TweakUI 2.10 for XP on 3
>computers (including the one that had the original problem
>that started this thread). The others did not have any SVKP files or
>registry entries - only the one with the reported problem. I removed the
>SVKP.sys file and registry entries on the original computer and Tweak runs
>fine on it still. I am not using the File Shredder Tweak though.

There are some sites that will scan files submitted for assessment (as opposed to dropping a bot on your PC to scan your whole PC online, which isn't such a good idea IMO). Why not submit the SVKP.sys file for assessment, after first checking to see if it has an ADS attached?

The "ADS" bit is because ADS are NTFS-specific, and may be left behind when you submit the file. A hostile ADS attached to a legit file will generally be reported as the legit file by firewalls, Task Manager etc. and is something you want to know about. ADS malware's not rare anymore - I had 100 to 200 of the blighters on the NTFS-afflicted laptop I'm cleaning up at the moment.

>--------------- ----- ---- --- -- - - -
Tech Support: The guys who follow the 'Parade of New Products' with a shovel.
>--------------- ----- ---- --- -- - - -
From: Shawn E. Hale on 24 Oct 2005 11:34

CORRECTION: I have just realized that Tweak XP is NOT the same as Tweak UI (what I was referring to) and I am seeing that other people are seeing similar results as you when using Tweak XP. My apologies.

"Shawn E. Hale" <SEHaleNOSPAM1(a)comcast.net> wrote in message news:ORLzF681FHA.2884(a)TK2MSFTNGP09.phx.gbl...
> Interesting but I am not seeing that here. I read conflicting info on that
> SVKP.sys file - sometimes it is good and sometimes not. I am using TweakUI
> 2.10 for XP on 3 computers (including the one that had the original problem
> that started this thread). The others did not have any SVKP files or
> registry entries - only the one with the reported problem. I removed the
> SVKP.sys file and registry entries on the original computer and Tweak runs
> fine on it still. I am not using the File Shredder Tweak though. I am
> pretty sure though that the definitions in that 10/19 Norton download are the
> problem. If you look at what was added in that definition package,
> there is a reference to SVKP.sys in the W32.loxbot.A description.
>
>
> <easyone(a)onetel.com> wrote in message
> news:1130069708.019633.48260(a)g14g2000cwa.googlegroups.com...
> > I've found after Norton Update 19/10/05, when I try to open Tweak XP
> > with Norton enabled, it stops me with a High Risk Virus warning - 'The
> > file C:\wimdows\system32\SVKP.sys is infected with the Hacktool.Rootkit
> > virus'. When Norton is disabled I can open Tweak File Shredder without
> > the virus warning.
> >
> > Looked on the internet to see what SVKP is. It is SVK Protector, a
> > security software used by others legitimately.
> >
> > I've got a feeling the SVKP files are used by Tweak as with other
> > software. Norton recognizes the SVKP.sys file and assumes it is a
> > virus. When I uninstalled Tweak the SVKP file on my computer
> > disappeared and OK. Then on reinstalling it appears.
> >
> > My computer is running all right from what I see.
> >
> > If this is the case hopefully it relieves others and myself of the
> > worry of the Hacktool.rootkit virus.
> >
> > Much appreciate if others could comment.
> >
> > Tony
> >
> >
From: easyone on 24 Oct 2005 16:50

Cquirke

Thank you for your additional comment to those of David Lipman (his were very helpful) re ADS. Reports from submitting the SVKP.sys file were clean. However ADS is new to me, and I had sent the SVKP file without checking for ADS. Grateful if you would tell me briefly what ADS is and how I should check the SVKP file for it.

Tony

Shawn

Thanks for letting us/myself know others have come across the same thing re Tweak XP. Mind you, I will, if I find out how, check ADS.

Tony
From: cquirke (MVP Windows shell/user) on 26 Oct 2005 05:56

On 24 Oct 2005 13:50:24 -0700, easyone(a)onetel.com wrote:

>Cquirke

Hi!

>Grateful if you would tell me briefly what ADS is and how I should
>check the SVKP file for it.

ADS have several consequences that attract malware interest:
- they exist only on NTFS file systems
- they are likely lost when transferring files to non-NTFS
- Windows Explorer etc. never show ADS as files etc.
- av and anti-cm scanners may not scan ADS
- non-native OSs hosting formal scanners may miss ADS
- code running in an ADS is "seen" as the original file
- it's fairly easy to programmatically create and write to ADS

So in essence, you have something that scanners tend to miss, that's never visible in Windows shell (Explorer), that can hide code that when running will appear (to Task Manager, ?firewall) as the host file process, and that may be left out of malware sample submissions. What's not to like?

Only that as at October 2005, there's no way I know of whereby code in an ADS can be run without being explicitly called via other (non-ADS) code or some integration point - which means that scanners can find the points from which the ADS code is run. This is the strand on which ADS malware management hangs.

ADS = Alternate Data Streams. In the NTFS file system, the data within a file is in the default "stream" of that file, and is referenced transparently when that file is accessed. It's possible to add non-default (alternate) streams that can be accessed via syntax like this...

C:\Some\Path\SomeName.txt:NameOfStream

...which can have interesting wrinkles when the parent file is called "A" with no file name extension.

There's no extra directory entry for an ADS, which is why the shell doesn't show them. You have to know what the ADS is called, to access it via the above syntax. The actual contents of the ADS are appended to the default stream's cluster chain.

Because there's no directory entry for the ADS content, there are no file name extension or file association limitations, no date stamps, etc. AFAIK material in ADS is not added in when you select files and do a Properties to see the size and disk space used - that's why when I see "where's my HD capacity going??" posts, I'm inclined to wonder about ADS use. You could hide an FTP server full of stuff in ADS.

ADS is (or should I say "may be") preserved when copying from one NTFS volume to another, including AFAIK via network. Some NTFS-aware archivers may include them, but how this will be extracted to a non-NTFS file system is anyone's guess.

The reason why ADS were added to NTFS was to cope with the Mac OS file system practice of storing "related information" within an extra "fork" of a file's contents. NTFS natively prefers to store such info as metadata within the extended directory entry attributes, but the OS does use ADS natively, e.g. for thumbnails of graphic files. Applications can use ADS too, e.g. Office may store document summary info there, and some antivirus scanners store integrity information within an ADS attached to each code file.

My preferred way of managing ADS is to use FATxx instead, which is practical only if you don't need any NTFS features, and if you are using current Windows that still supports FATxx. Using FATxx instead of NTFS kills the ADS problem stone dead.

>--------------- ---- --- -- - - - -
I'm baaaack!
>--------------- ---- --- -- - - - -
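As an added example, not posted by anyone in this thread, here is one way to do the check cquirke recommends in both of his replies (look for a non-default stream on a file such as SVKP.sys before submitting it, and list streams that Explorer's Properties dialog never counts). It assumes PowerShell 3.0 or later, whose built-in -Stream support post-dates the 2005 tools discussed, and an NTFS volume; on a FAT volume, as in Tony's case, there is nothing to find.

```powershell
# Added example (not from the thread): list alternate data streams on a
# file or under a folder, so a hidden ADS is noticed before a sample is
# submitted. Requires PowerShell 3.0+ on an NTFS volume.
param(
    [Parameter(Mandatory = $true)]
    [string]$Path,      # file or folder, e.g. C:\Windows\System32\SVKP.sys
    [switch]$Recurse    # descend into subfolders when $Path is a folder
)

# Collect the files to inspect: a single file, or every file under a folder.
$files = if (Test-Path -LiteralPath $Path -PathType Container) {
    Get-ChildItem -LiteralPath $Path -File -Recurse:$Recurse -Force -ErrorAction SilentlyContinue
} else {
    Get-Item -LiteralPath $Path -Force
}

$found = foreach ($f in $files) {
    # -Stream * returns every stream; ':$DATA' is the default stream,
    # i.e. the visible file contents, so only the others are of interest.
    $streams = Get-Item -LiteralPath $f.FullName -Stream * -ErrorAction SilentlyContinue |
        Where-Object { $_.Stream -ne ':$DATA' }
    foreach ($s in $streams) {
        # Zone.Identifier is the common benign ADS: the "downloaded from the
        # Internet" mark. Anything else deserves a look.
        $note = if ($s.Stream -eq 'Zone.Identifier') { 'download marker' } else { 'inspect' }
        [pscustomobject]@{
            File   = $f.FullName
            Stream = $s.Stream   # the name used in the file:stream syntax
            Bytes  = $s.Length   # size Explorer's Properties does not show
            Note   = $note
        }
    }
}

if ($found) {
    $found | Format-Table -AutoSize
    # Read a text-like stream without running anything:
    #   Get-Content -LiteralPath <file> -Stream <name>
    # Remove a stream after review (the default stream is untouched):
    #   Remove-Item -LiteralPath <file> -Stream <name>
} else {
    "No alternate data streams found under $Path"
}
```

Save it as a .ps1 and run it with the path to the file in question; an empty result means the file can be submitted without an ADS being silently dropped on the way.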
From: easyone on 26 Oct 2005 17:11
cquirke

Thank you so much for your detailed explanation of ADS, though I must admit I only understand the gist, as the technical detail is beyond me. Luckily I have a FAT-formatted computer - what a relief. ADS's sound scary.

Norton is continuing to warn of the Hacktool.Rootkit virus in the SVKP.sys file. Thankfully to David Lipman and yourself I am wiser and I think I can ignore it. I'll wait a bit to see if Norton adjusts its scan for virus. I can always remove Tweak XP which will take away the SVKP.sys file.

Tony