日志

Gregoryg.net Information about the RookIE Trojan

已有 1034 次阅读2010-10-22 20:42 |个人分类:电脑技术|

来自美国的专家U盘上带下来这么一个病毒，My God，害得我重装系统，国内似乎没有发现如何处理这种病毒的方法。
The following is information about the latest variant of the trojan/malware labled RookIE by Snort IDS.
What we have learned so far is that RookIE and the associated malware will copy itself to any media mounted on the infected system. On my test system it created the following files:

autorun.inf

d9c.bat which is executed by autorun.inf

l6w2eaih.exe

This enables it to reinfect a cleaned computer as well as automatically infect any system which has autorun enabled upon mounting of the drive if the user mounting the drive is logged in with a privileged account. It apparently has no effect when a drive is mounted via an unprivileged account.
I've determined there are at least two ways to detect if this version of the RookIE trojan is infecting a system, once rooted antivirus is useless.

What really gives it away is the fact the RookIE rootkit will keep reselecting the "Hide protected operating system files radio button" in Tools > Folder Options > View after you have deselected it and closed the windows

Also, immediately on install of this variant of the RookIE rookit via autorun, the trojan will attempt to contact 60.217.58.86 on port 80 though this appears unique per install as it contacts other hosts on other infected systems

The RookIE rootkit made the following changes on my test system:
Added to system

C:\autorun.inf

C:\d9c.bat

C:\WINDOWS\System32 mdfgds0.dll

C:\WINDOWS\System32\olhrwef.exe

It modified

C:\WINDOWS\System32\drivers\cdaudio.sys (The write time for this file)

It added

C:\WINDOWS\System32\dllcache\cdaudio.sys

Registry Modifications include

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run|cdoosoft

Added HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AVPsys