FOR CUSTOMERS

Close

Library
My library

+ Add to library

Search
Search

Contact us
24/7 Tech support | Rules regarding submitting

Send a message

A query form

Call us

+7 (495) 789-45-86

Forum

Your tickets

New ticket

Call us

+7 (495) 789-45-86

Profile

EN

RU CN DE EN ES FR IT JP KZ UZ PL BY
Close
Support services
Scanners
Dr.Web vxCube
Trial
VCI investigations
Virus library
Knowledge base

Technologies

Terminology

Training and education

Myths

News

Win32.Ntldrbot

(TR/Dropper.Gen, TROJ_AGENT.ABDX, Malware-Cryptor.Win32.General.3, W32/Virut.Z, Trojan-Downloader.Win32.Agent.ddl, Virus.Win32.Rustock.a, Win32.Klest.A.Gen, Virus:Win32/Cekar.H, Downloader.Agent.RXM, Trojan-Downloader.Win32.Agent.mqf, Trojan.Agent.ABRR, Win32.Ntldrbot.A, Backdoor.Rustock.NDL, TrojanDropper:Win32/Rustock, Generic.dx, RTKT_AGENT.APAT, W32/Downloader.AL, TROJ_GEN.0Z0213S, Trojan.Generic.47662, Spamtool.Win32.Rustock.C, TROJ_Generic.DIS)

Added to the Dr.Web virus database: 2008-05-06

Virus description added:

News on Win32.Ntldrbot
Article on Win32.Ntldrbot

Virus Type: Malware, which spreads spam

Affected OS: Win NT-based

Size: 158K up to 424K

Technical Information

  • Sophisticated polymorphic self-protection of the rootkit makes its extraction and analysis extremely difficult.

  • Implemented as a driver, it runs on the lowest kernel level.

  • Has a self-protect function, prevents runtime changes.

  • Uses active anti-debugging techniques: monitors setting hardware breakpoints (DR-registers), disrupts operation of the kernel-level debuggers (e.g. Syser, SoftIce). WinDbg debugger won’t work, if the rootkit is running.

  • Intercepts the following system functions using non-standard method, such as:

    NtCreateThread
    NtDelayExecution
    NtDuplicateObject
    NtOpenThread
    NtProtectVirtualMemory
    NtQuerySystemInformation
    NtReadVirtualMemory
    NtResumeThread
    NtTerminateProcess
    NtTerminateThread
    NtWriteVirtualMemory

  • Functions as a file-virus and infects system drivers.

    • A particular sample of the rootkit becomes adjusted to the hardware of an infected machine and most likely won’t run on another computer.

  • Utilizes time-triggered re-infection feature. An old infected file is cured. So the rootkit «wonders» through system drivers infecting only one at a time.

  • Filters calls to an infected file, intercepts FSD-procedures of a file system driver and redirects a call to the original file instead of the infected one.

  • Features anti-rootkit protection.

  • Injects its library (DLL) to one of the Windows system processes, so the library starts spamming. A driver is connected to the DLL using a special command transfer mechanism.

System recovery recommendations

1. Disconnect your computer from local network and Internet.
2. Download Dr.Web CureIt! from known-pure computer which has an access to Internet.
3. Scan affected computer with Dr.Web CureIt!. Do action "Cure" for infected objects.