Win32.Ntldrbot

(TR/Dropper.Gen, TROJ_AGENT.ABDX, Malware-Cryptor.Win32.General.3, W32/Virut.Z, Trojan-Downloader.Win32.Agent.ddl, Virus.Win32.Rustock.a, Win32.Klest.A.Gen, Virus:Win32/Cekar.H, Downloader.Agent.RXM, Trojan-Downloader.Win32.Agent.mqf, Trojan.Agent.ABRR, Win32.Ntldrbot.A, Backdoor.Rustock.NDL, TrojanDropper:Win32/Rustock, Generic.dx, RTKT_AGENT.APAT, W32/Downloader.AL, TROJ_GEN.0Z0213S, Trojan.Generic.47662, Spamtool.Win32.Rustock.C, TROJ_Generic.DIS)

Added to the Dr.Web virus database: 2008-05-06

Virus description added:

News on Win32.Ntldrbot
Article on Win32.Ntldrbot

Virus type: spam-sending malware (kernel-mode rootkit)

Affected OS: Windows NT-based

Size: 158 KB to 424 KB

Technical Information

  • Sophisticated polymorphic self-protection makes extracting and analysing the rootkit extremely difficult.
  • Implemented as a kernel-mode driver, so it runs at the lowest level of the system (ring 0).
  • Has a self-protection function that prevents modification of its code and data at runtime.
  • Uses active anti-debugging techniques: it monitors the setting of hardware breakpoints (the DR debug registers) and disrupts kernel-level debuggers (e.g. Syser, SoftICE). WinDbg does not work while the rootkit is running.
  • Intercepts the following system services by a non-standard hooking method:

    NtCreateThread
    NtDelayExecution
    NtDuplicateObject
    NtOpenThread
    NtProtectVirtualMemory
    NtQuerySystemInformation
    NtReadVirtualMemory
    NtResumeThread
    NtTerminateProcess
    NtTerminateThread
    NtWriteVirtualMemory

  • Functions as a file infector: it infects system drivers.
  • A given sample of the rootkit is adapted to the hardware of the infected machine and will most likely not run on another computer.
  • Re-infects on a timer: the previously infected driver is cured and a different one is infected, so the rootkit "wanders" through the system drivers, infecting only one at a time.
  • Filters access to the infected file: it hooks the dispatch routines of the file system driver (FSD) and serves the original, clean file in place of the infected one, so a scanner reading the file from disk sees clean contents.
  • Features protection against anti-rootkit tools.
  • Injects its library (DLL) into one of the Windows system processes; the library does the spamming. The driver and the DLL communicate through a custom command-transfer mechanism.
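The description says the services above are hooked "by a non-standard method" but does not say which, so a check for this kind of rootkit has to test both the dispatch pointer and the function's own entry bytes. The following is an added example, not Dr.Web's tooling and not code from the rootkit: it runs the two checks an anti-rootkit pass would make over a dump of the system service table. Every module range, address, "golden" prologue and dump record in it is constructed for the example (on a real system they come from a kernel-memory reader and a known-clean copy of ntoskrnl of the same build).

```python
"""Two-level hook check for the syscall services a rootkit like Win32.Ntldrbot
intercepts.  Added example; the data below is constructed, not taken from a
real system or from the rootkit.

Per service:
  1. does the SSDT dispatch pointer still land inside ntoskrnl?
  2. if it does, have the first bytes of the service been replaced by a jump stub?
"""
import struct

# Services named in the Dr.Web description.
WATCHED = [
    "NtCreateThread", "NtDelayExecution", "NtDuplicateObject", "NtOpenThread",
    "NtProtectVirtualMemory", "NtQuerySystemInformation", "NtReadVirtualMemory",
    "NtResumeThread", "NtTerminateProcess", "NtTerminateThread",
    "NtWriteVirtualMemory",
]

# Constructed loaded-module map: name -> (base, size).
MODULES = {
    "ntoskrnl.exe": (0x804D7000, 0x0021E000),
    "hal.dll":      (0x806F5000, 0x00020000),
}

# Constructed "golden" first 8 bytes of a few services, as read from a clean
# kernel of the same build (the usual XP-era push / push / call _SEH_prolog).
CLEAN_PROLOGUE = {
    "NtReadVirtualMemory":      bytes.fromhex("6a1c68d8b14d80e8"),
    "NtQuerySystemInformation": bytes.fromhex("6844010000682cb5"),
    "NtOpenThread":             bytes.fromhex("6a2c6840b84d80e8"),
}


def module_for(addr):
    """Name of the module containing addr, or None if it is in no listed module."""
    for name, (base, size) in MODULES.items():
        if base <= addr < base + size:
            return name
    return None


def decode_stub(code, at):
    """Recognise the redirect stubs that inline hooks leave at a function entry.
    `at` is the address `code` was read from.  Returns (kind, target) or None."""
    if len(code) >= 5 and code[0] == 0xE9:                              # jmp rel32
        rel = struct.unpack_from("<i", code, 1)[0]
        return "jmp rel32", (at + 5 + rel) & 0xFFFFFFFF
    if len(code) >= 6 and code[:2] == b"\xFF\x25":                      # jmp dword ptr [abs]
        return "jmp [mem32]", struct.unpack_from("<I", code, 2)[0]     # pointer slot
    if len(code) >= 6 and code[0] == 0x68 and code[5] == 0xC3:          # push imm32 ; ret
        return "push/ret", struct.unpack_from("<I", code, 1)[0]
    if len(code) >= 7 and code[0] == 0xB8 and code[5:7] == b"\xFF\xE0":  # mov eax,imm32 ; jmp eax
        return "mov eax/jmp eax", struct.unpack_from("<I", code, 1)[0]
    return None


def check_service(name, entry, prologue):
    """entry: SSDT pointer of the service; prologue: first 8 bytes read at entry."""
    findings = []
    mod = module_for(entry)
    if mod != "ntoskrnl.exe":
        findings.append(f"SSDT pointer 0x{entry:08X} outside ntoskrnl ({mod or 'unmapped'})")
        return findings          # bytes at `entry` are not the real service anyway
    expected = CLEAN_PROLOGUE.get(name)
    if expected is not None and prologue != expected:
        stub = decode_stub(prologue, entry)
        if stub:
            kind, target = stub
            where = module_for(target) or "unmapped"
            findings.append(f"inline {kind} at entry -> 0x{target:08X} ({where})")
        else:
            findings.append("entry bytes differ from clean copy: " + prologue.hex())
    return findings


def scan(dump):
    """dump: {service: (ssdt_pointer, first_8_bytes)} -> {service: [findings]} for hooked ones."""
    report = {}
    for name in WATCHED:
        if name in dump:
            findings = check_service(name, *dump[name])
            if findings:
                report[name] = findings
    return report


# Constructed dump: three services untouched, one with its SSDT pointer moved to
# memory that belongs to no listed module, one with a jmp rel32 patched over its
# prologue (the original tail bytes 4d 80 e8 are still visible after the stub).
SAMPLE_DUMP = {
    "NtQuerySystemInformation": (0x805BC3A0, bytes.fromhex("6844010000682cb5")),
    "NtOpenThread":             (0x805C9E10, bytes.fromhex("6a2c6840b84d80e8")),
    "NtDelayExecution":         (0x80592B70, bytes.fromhex("6a0c68a8b04d80e8")),  # pointer check only
    "NtTerminateProcess":       (0xF8C4A120, bytes.fromhex("8bff558bec83ec18")),  # pointer hijacked
    "NtReadVirtualMemory":      (0x805A1234, bytes.fromhex("e9c78d6a784d80e8")),  # jmp -> 0xF8C4A000
}

if __name__ == "__main__":
    for svc, findings in scan(SAMPLE_DUMP).items():
        for f in findings:
            print(f"{svc}: {f}")
```

Both checks are needed because a pointer-only check misses an inline patch, and a prologue-only check misses a swapped pointer. Neither catches a hook placed deeper in the dispatch path (the system-call entry code itself), which is why a tool that ships such a check still has to compare the whole kernel image and dispatch path against a clean reference rather than stop at the service table.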

System recovery recommendations

1. Disconnect the computer from the local network and the Internet.
2. Download Dr.Web CureIt! on a known-clean computer that has Internet access.
3. Scan the affected computer with Dr.Web CureIt! and apply the "Cure" action to infected objects.