New virus-rootkit?

Discussion in 'Computer Security' started by Gmer, May 10, 2006.

  Gmer (Guest)

    Hi.

    I sent this rootkit-virus to VirusTotal .

    VirusTotal report:


    STATUS: FINISHED
    Complete scanning result of "cmd.exe_vt100.zip", received in VirusTotal at 05.06.2006, 08:57:36 (CET).

    Antivirus Version Update Result
    AntiVir 6.34.0.24 04.20.2006 Heuristic/Virus.Win32
    Avast 4.6.695.0 05.05.2006 Win32:Virtob
    AVG 386 05.05.2006 no virus found
    Avira 6.34.1.58 05.05.2006 no virus found
    BitDefender 7.2 05.06.2006 Win32.Virtob.Gen
    CAT-QuickHeal 8.00 05.05.2006 W95.TenRobot.B
    ClamAV devel-20060426 05.05.2006 no virus found
    DrWeb 4.33 05.05.2006 no virus found
    eTrust-InoculateIT 23.72.1 05.06.2006 no virus found
    eTrust-Vet 12.4.2194 05.04.2006 no virus found
    Ewido 3.5 05.05.2006 no virus found
    Fortinet 2.71.0.0 05.06.2006 suspicious
    F-Prot 3.16c 05.05.2006 no virus found
    Ikarus 0.2.65.0 05.05.2006 no virus found
    Kaspersky 4.0.2.24 05.06.2006 Type_Win32
    McAfee 4756 05.05.2006 New Win32
    Microsoft 1.1372 05.06.2006 no virus found
    NOD32v2 1.1523 05.05.2006 no virus found
    Norman 5.90.17 05.05.2006 no virus found
    Panda 9.0.0.4 05.05.2006 no virus found
    Sophos 4.05.0 05.06.2006 no virus found
    Symantec 8.0 05.06.2006 no virus found
    TheHacker 5.9.7.139 05.05.2006 no virus found
    UNA 1.83 05.05.2006 Win32.virus
    VBA32 3.11.0 05.05.2006 no virus found


    Additional Information
    File size: 109061 bytes
    MD5: 1e0bed4a2c0c9d4bb11a8fb41ba07e8b
    SHA1: 4203774f2fc854364287a289104011d5a5cc2c38

    STATUS: FINISHED
    Complete scanning result of "vt100.zip", received in VirusTotal at 05.09.2006, 18:30:15 (CET).

    Antivirus Version Update Result
    AntiVir 6.34.1.27 05.09.2006 Heuristic/Backdoor.Generic
    Avast 4.6.695.0 05.08.2006 Win32:Virtob
    AVG 386 05.09.2006 no virus found
    BitDefender 7.2 05.09.2006 Backdoor.VirtobVT.A
    CAT-QuickHeal 8.00 05.09.2006 W95.TenRobot.B
    ClamAV devel-20060426 05.09.2006 no virus found
    DrWeb 4.33 05.09.2006 BACKDOOR.Trojan
    eTrust-InoculateIT 23.72.3 05.09.2006 no virus found
    eTrust-Vet 12.4.2201 05.09.2006 no virus found
    Ewido 3.5 05.09.2006 no virus found
    Fortinet 2.76.0.0 05.09.2006 suspicious
    F-Prot 3.16c 05.09.2006 no virus found
    Ikarus 0.2.65.0 05.09.2006 no virus found
    Kaspersky 4.0.2.24 05.09.2006 no virus found
    McAfee 4758 05.09.2006 New Win32
    Microsoft 1.1372 05.09.2006 no virus found
    NOD32v2 1.1527 05.09.2006 probably unknown NewHeur_PE virus
    Norman 5.90.17 05.09.2006 no virus found
    Panda 9.0.0.4 05.09.2006 Suspicious file
    Sophos 4.05.0 05.09.2006 no virus found
    Symantec 8.0 05.09.2006 no virus found
    TheHacker 5.9.7.140 05.08.2006 no virus found
    UNA 1.83 05.06.2006 Win32.virus
    VBA32 3.11.0 05.08.2006 no virus found

    Additional Information
    File size: 48436 bytes
    MD5: 42a18043fd9c04254a259124379740cc

    cmd_vt100.exe is an infected Windows cmd.exe file.
    vt100.exe is the virus-rootkit itself.

    Here is the log from my program
    (this tool was created to detect and delete rootkits, hidden services and
    processes, hidden files and hidden registry keys; other log samples:
    http://www.gmer.net/rootkits.php).


    GMER 1.0.10.9819 - http://www.gmer.net
    Rootkit 2006-05-04 18:30:25
    Windows 5.1.2600 Service Pack 2


    ---- Processes - GMER 1.0.10 ----

    Process C:\WINDOWS\system32\VT100.EXE (*** hidden *** ) 3004 <-- ROOTKIT !!!
    Library C:\WINDOWS\system32\VT100.EXE (*** hidden *** ) @ C:\WINDOWS\system32\VT100.EXE [3004] 0x00400000 <-- ROOTKIT !!!

    ---- Registry - GMER 1.0.10 ----

    Reg \Registry\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run@VT100 Emulator C:\WINDOWS\system32\VT100.EXE

    ---- Files - GMER 1.0.10 ----

    File C:\WINDOWS\system32\VT100.EXE

    ---- EOF - GMER 1.0.10 ----



    As you can see, the virus-rootkit hides its process, file, and registry key.
    After it starts, vt100.exe infects almost all files on all accessible disks.
    The virus also sends some data over the network to the same IP address.
    Here is another report, written in Polish:

    http://www.gmer.net/vt100.exe.php

    Regards
    Gmer, May 10, 2006
    #1
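Added example (not Gmer's code and not taken from the GMER tool): the detection idea behind the log above is a cross-view diff, enumerating the same objects through two independent paths and reporting whatever one path returns and the other does not. Both views below are constructed in-memory samples; on a real Windows host the API view would come from Toolhelp32, FindFirstFile and RegEnumValue, and the raw view from a lower-level walk (PID brute force, raw NTFS parsing, hive parsing). VT100.EXE, PID 3004 and the "VT100 Emulator" Run value are taken from the post's log; every other entry, including the Notepad.exe case-variant used to show why comparison must be case-insensitive, is made up for the sample.

```python
"""Cross-view detection of hidden processes, files and registry entries.

Modelled on the GMER log sections (Processes, Registry, Files). A rootkit
that filters the results of the high-level API (the "api view") but not a
lower-level enumeration (the "raw view") leaves objects that are present
only in the raw view; those are the findings.
"""
from typing import Iterable, List, Tuple

# A process is (pid, path), a file is (path,), a registry value is
# (key, value_name, data).
Entry = Tuple[str, ...]


def _key(entry: Entry) -> Entry:
    """Case-fold every field: Windows paths and registry names are
    case-insensitive, so Notepad.exe and notepad.exe are one object and must
    not be reported as hidden just because the two enumerators spell them
    differently."""
    return tuple(field.lower() for field in entry)


def cross_view_diff(api_view: Iterable[Entry], raw_view: Iterable[Entry]):
    """Return (hidden, ghost).

    hidden: entries the raw view sees but the API view does not, i.e. objects
            something is filtering out of the API results (the rootkit signal).
    ghost:  entries the API view returned that the raw view cannot find; usually
            objects that exited between the two scans, returned so the caller
            can rescan instead of silently ignoring them.
    """
    api = {_key(e): e for e in api_view}
    raw = {_key(e): e for e in raw_view}
    hidden = [raw[k] for k in sorted(raw.keys() - api.keys())]
    ghost = [api[k] for k in sorted(api.keys() - raw.keys())]
    return hidden, ghost


def format_finding(kind: str, entry: Entry) -> str:
    """Render one hidden object in the style of the GMER log lines."""
    if kind == "Process":
        pid, path = entry
        return f"Process {path} (*** hidden *** ) {pid} <-- ROOTKIT !!!"
    if kind == "File":
        (path,) = entry
        return f"File {path} (*** hidden *** )"
    if kind == "Reg":
        key, value, data = entry
        return f"Reg {key}@{value} {data} (*** hidden *** )"
    raise ValueError(f"unknown object kind {kind!r}")


def scan(views) -> List[str]:
    """views maps a kind ("Process", "File", "Reg") to (api_view, raw_view).
    Returns GMER-style lines for every object hidden from the API view."""
    lines: List[str] = []
    for kind, (api_view, raw_view) in views.items():
        hidden, _ghost = cross_view_diff(api_view, raw_view)
        lines.extend(format_finding(kind, e) for e in hidden)
    return lines


RUN_KEY = r"\Registry\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"


def sample_views():
    """Constructed sample (assumption, not captured data): what an API walk and
    a raw walk might return on the infected XP SP2 host from the post. Only
    VT100.EXE is hidden; the pids and the other entries are invented."""
    api_procs = {("4", "System"),
                 ("1640", r"C:\WINDOWS\explorer.exe"),
                 ("2096", r"C:\WINDOWS\system32\svchost.exe")}
    raw_procs = api_procs | {("3004", r"C:\WINDOWS\system32\VT100.EXE")}

    # Notepad.exe vs notepad.exe: the same file spelled differently by the two
    # enumerators; the case-fold in _key keeps it out of the findings.
    api_files = {(r"C:\WINDOWS\system32\cmd.exe",),
                 (r"C:\WINDOWS\system32\Notepad.exe",)}
    raw_files = {(r"C:\WINDOWS\system32\cmd.exe",),
                 (r"C:\WINDOWS\system32\notepad.exe",),
                 (r"C:\WINDOWS\system32\VT100.EXE",)}

    api_regs = {(RUN_KEY, "ctfmon.exe", r"C:\WINDOWS\system32\ctfmon.exe")}
    raw_regs = api_regs | {(RUN_KEY, "VT100 Emulator",
                            r"C:\WINDOWS\system32\VT100.EXE")}

    return {"Process": (api_procs, raw_procs),
            "File": (api_files, raw_files),
            "Reg": (api_regs, raw_regs)}


if __name__ == "__main__":
    for line in scan(sample_views()):
        print(line)
```

Run stand-alone it prints three lines, one per hidden object, in the same shape as the GMER sections above. The ghost list is deliberately kept separate from the hidden list: a process that exits between the two enumerations is not evidence of a rootkit, and lumping the two together is how a cross-view tool ends up with noisy reports.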