Virus library
Knowledge database

Win32.Ntldrbot

(TR/Crypt.XPACK.Gen, Parser error, Downloader.Agent.RXM, Downloader.gen.a, Trojan-Downloader.Win32.Agent.mqf, TROJ_AGENT.ABDX, Win32.Ntldrbot.A, Trojan.Agent.ABRR, Backdoor.Rustock.NDL, TrojanDropper:Win32/Rustock, Generic.dx, W32/Virut.m, RTKT_AGENT.APAT, Trojan-Downloader.Win32.Agent.ddl, W32/Downloader.AL, Spamtool.Win32.Rustock.C, Trojan.Generic.47662)

Added to Dr.Web virus database:2008-05-06 12:01:49

News on Win32.Ntldrbot
Article on Win32.Ntldrbot

Virus Type: Malware, which spreads spam

Affected OS: Win NT-based

Size: 158K up to 424K

Technical Information

  • Sophisticated polymorphic self-protection of the rootkit makes its extraction and analysis extremely difficult.

  • Implemented as a driver, it runs on the lowest kernel level.

  • Has a self-protect function, prevents runtime changes.

  • Uses active anti-debugging techniques: monitors setting hardware breakpoints (DR-registers), disrupts operation of the kernel-level debuggers (e.g. Syser, SoftIce). WinDbg debugger won’t work, if the rootkit is running.

  • Intercepts the following system functions using non-standard method, such as:

    NtCreateThread
    NtDelayExecution
    NtDuplicateObject
    NtOpenThread
    NtProtectVirtualMemory
    NtQuerySystemInformation
    NtReadVirtualMemory
    NtResumeThread
    NtTerminateProcess
    NtTerminateThread
    NtWriteVirtualMemory

  • Functions as a file-virus and infects system drivers.

    • A particular sample of the rootkit becomes adjusted to the hardware of an infected machine and most likely won’t run on another computer.

  • Utilizes time-triggered re-infection feature. An old infected file is cured. So the rootkit «wonders» through system drivers infecting only one at a time.

  • Filters calls to an infected file, intercepts FSD-procedures of a file system driver and redirects a call to the original file instead of the infected one.

  • Features anti-rootkit protection.

  • Injects its library (DLL) to one of the Windows system processes, so the library starts spamming. A driver is connected to the DLL using a special command transfer mechanism.

System recovery recommendations

1. Disconnect your computer from local network and Internet.
2. Download Dr.Web CureIt! from known-pure computer which has an access to Internet.
3. Scan affected computer with Dr.Web CureIt!. Do action "Cure" for infected objects.

System recover recommendations

  1. Reboot Windows in Safe Mode.
  2. Use Dr.Web® scanner of free curing utility Dr.Web® CureIT! to scan local drives. The “Cure” action should be applied for all infected files.
  3. Restore registry from the backup copy.

Important! Before following these recommendations you should set up the mail client you use so that it stores attachments as separate files and not in the body of the database. For example, such storage in TheBat! is enabled as follows: Account — Properties — Files & Directories — Keep attachment files — Separately in a special directory.
Last updated: 2010-03-13 23:04:59 MSK
Total records in virus database: 1128542

Top virus chart

Trojan.DownLoad.4155114.16%
Trojan.DownLoad.3723612.40%
Trojan.DownLoad.472569.15%
Trojan.Botnetlog.zip6.61%
Trojan.MulDrop.408966.46%

Search in virus database

Company | News&Events | Send a virus | Online scanner | Privacy policy | Site map More www-resources:
www.av-desk.com
www.freedrweb.com
www.drweb-curenet.com		 pda.drweb.com
estore.drweb.com

Doctor Web ©
2003 — 2010

Doctor Web is a Russian IT-security solutions vendor. Dr.Web anti-virus software has been developed since 1992. The leader on the Russian IT security services market, Doctor Web has been the first vendor that offered an anti-virus as a service in Russia. The company also offers proven anti-virus and anti-spam solutions for businesses, government entities, and personal use. We have a solid record of detecting malicious programs, and we adhere to all international security standards. Doctor Web has received numerous certificates and awards; our satisfied customers spanning the globe are clear evidence of the complete trust customers have in our products.