rootkit
Posted by Pablo Guildenstern on June 20th, 2005



Guy here reckons there's very little on the net about the
rootkits that are going round at the moment, and suggested I
post what we came up with here. Of course it only covers the
couple we've worked on, but may be useful for others.
So:


One of several worms, usually a variant of Sdbot, drops a copy
of itself in the Windows folder and a rootkit in file RDRIV.SYS
to the system folder; filenames we’ve seen for the worm are
WKSSVC.EXE and NTSUBSYS.EXE. Note that there may be valid files
with these names in Windows\system32.

The worm itself is not usually detected as a virus: only the
RDRIV file is detected. Sometimes the only obvious symptom is
that your antivirus keeps switching itself off.

Whenever the RDRIV file is deleted it is recreated by the worm.
To discover what recreates RDRIV, first boot into Safe Mode
(RDRIV is used as a service in normal mode). Then open
RDRIV.SYS in Notepad, edit the content in some way so that it’s
no longer a valid .sys file, and after saving it, make it read
only. After re-booting to normal Windows mode, the worm will
see that the RDRIV service is not running and try to rewrite
the file, but will be unable to access it. In the Event Viewer
application log you will see a program is attempting to
create a service but fails with the message “invalid DLL or
system file”. The freeware program Process Explorer from
SysInternals.com can be used to find the executable doing this and
to delete it: the process loads every 3 seconds; double-click
on it when it appears and you can delete the file. You
MUST ensure that “View Hidden System Files” is ticked in the
explorer options. You could then delete RDRIV.SYS without it
reappearing, but it may be wise to leave the dummy version you
created earlier.

Next you need to sort out the registry entries that the worm
has created or modified:

Note: %System% is the Windows system folder, which is usually
C:\WINNT\System32 on Windows NT and 2000, or C:\Windows\System32
on Windows XP.

Remove from:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
The entry:
Messenger = "%System%\ntsubsys.exe"
(only if you have the version using ntsubsys, and it may have
been removed by a standard virus scan)
If you had the version using wkssvc.exe, search the registry
for that and remove any entry found. DO NOT remove entries for
wkssvc.dll.

Remove from:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\lanmanserver\parameters
and
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\lanmanworkstation\parameters
The entries:
AutoShareWks = "00000000"
AutoShareServer = "00000000"
You might want to check all ControlSets, not just the
CurrentControlSet.

To undo the disabling of Windows Update, antivirus and firewall
applications:
In: HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center
Change: UpdatesDisableNotify from: "00000001" to: "00000000"
Change: AntiVirusDisableNotify from: "00000001" to: "00000000"
Change: FirewallDisableNotify from: "00000001" to: "00000000"
Change: AntiVirusOverride from: "00000001" to: "00000000"
Change: FirewallOverride from: "00000001" to: "00000000"
From: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\DomainProfile
Remove: EnableFirewall = "00000000"
From: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\StandardProfile
Remove: EnableFirewall = "00000000"
From: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate
Remove: DoNotAllowXPSP2 = "00000001"
From: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update
Remove: AUOptions = "00000001"

In addition, modify the registry entry:
HKEY_LOCAL_MACHINE\Software\Microsoft\OLE
From: EnableDCOM = "N"
To: EnableDCOM = "Y"

Since the rootkit gives a remote user full control of the
machine, all stored passwords must be considered to have been
compromised, and you should check the account status of any
ecommerce you’ve used the machine for.
--
"He just said it had an 'x'."
"It isn't their necks I mind," said Piglet earnestly.
"It's their teeth."
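
As an added example (not code from the original post or its authors), a read-only PowerShell audit of the registry values the post lists: it reports any value still matching the worm's settings, together with the post's suggested fix, and changes nothing. It assumes a standard PowerShell session with the HKLM: drive, run from an elevated prompt.

```powershell
# Added example, not code from the original post: read-only audit of the
# registry values the post lists. It reports matches against the worm's
# settings and the post's suggested fix; it changes nothing.
# Assumes the HKLM: drive of a standard PowerShell session, run elevated.
$checks = @(
  @{Path='HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'; Name='Messenger'; Bad='*ntsubsys.exe*'; Fix='remove value'},
  @{Path='HKLM:\SOFTWARE\Microsoft\Security Center'; Name='UpdatesDisableNotify'; Bad=1; Fix='set to 0'},
  @{Path='HKLM:\SOFTWARE\Microsoft\Security Center'; Name='AntiVirusDisableNotify'; Bad=1; Fix='set to 0'},
  @{Path='HKLM:\SOFTWARE\Microsoft\Security Center'; Name='FirewallDisableNotify'; Bad=1; Fix='set to 0'},
  @{Path='HKLM:\SOFTWARE\Microsoft\Security Center'; Name='AntiVirusOverride'; Bad=1; Fix='set to 0'},
  @{Path='HKLM:\SOFTWARE\Microsoft\Security Center'; Name='FirewallOverride'; Bad=1; Fix='set to 0'},
  @{Path='HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile'; Name='EnableFirewall'; Bad=0; Fix='remove value'},
  @{Path='HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile'; Name='EnableFirewall'; Bad=0; Fix='remove value'},
  @{Path='HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'; Name='DoNotAllowXPSP2'; Bad=1; Fix='remove value'},
  @{Path='HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update'; Name='AUOptions'; Bad=1; Fix='remove value'},
  @{Path='HKLM:\SOFTWARE\Microsoft\OLE'; Name='EnableDCOM'; Bad='N'; Fix='set to Y'}
)

# The post says to check every ControlSet, not only CurrentControlSet, for the
# AutoShare values. A follow-up post argues for keeping those settings, so
# they are reported for review rather than flagged for removal.
$controlSets = Get-ChildItem 'HKLM:\SYSTEM' | Where-Object { $_.PSChildName -like 'ControlSet*' }
foreach ($set in $controlSets) {
  $cs = "HKLM:\SYSTEM\$($set.PSChildName)"
  $checks += @{Path="$cs\Services\lanmanserver\parameters"; Name='AutoShareServer'; Bad=0; Fix='review (see follow-up post)'}
  $checks += @{Path="$cs\Services\lanmanworkstation\parameters"; Name='AutoShareWks'; Bad=0; Fix='review (see follow-up post)'}
}

$findings = 0
foreach ($c in $checks) {
  # A missing key or value means the worm's setting is absent; skip it quietly.
  $item = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
  if ($null -eq $item) { continue }
  $value = $item.($c.Name)
  # -like gives wildcard matching for the Run entry and exact matching elsewhere;
  # DWORDs come back as integers, so both sides are stringified.
  if ("$value" -like "$($c.Bad)") {
    $findings++
    Write-Output ("FOUND  {0}\{1} = {2}  -> suggested fix: {3}" -f $c.Path, $c.Name, $value, $c.Fix)
  }
}
Write-Output ("{0} value(s) matching the worm's settings." -f $findings)
```

Apply the reported fixes by hand in regedit after reviewing each finding, since a legitimate policy can set some of the same values.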

Posted by Vanguard on June 20th, 2005


"Pablo Guildenstern" <daviddotbudd@manchester.ac.uk> wrote in message
news:MPG.1d20e2074c20784c98a0bc@localnews.mcc.ac.uk...

<snip>

One of several worms, usually a variant of Sdbot, drops a copy
of itself in the Windows folder and a rootkit in file RDRIV.SYS
to the system folder; filenames we've seen for the worm are
WKSSVC.EXE and NTSUBSYS.EXE. Note that there may be valid files
with these names in Windows\system32.

The worm itself is not usually detected as a virus: only the
RDRIV file is detected. Sometimes the only obvious symptom is
that your antivirus keeps switching itself off.

<snip>


******************** REPLY SEPARATOR ********************
(only needed due to poster using quoted-printable format)

While the anti-virus software may not detect the rootkit, have you
tested rootkit detectors to see if THEY find the rootkit? It would be
interesting to know if the so-called rootkit detectors actually work in
this case.

SysInternals' RootKit Revealer
(http://www.sysinternals.com/Utilitie...tRevealer.html)

Rootkit.com's VICE
(http://www.rootkit.com/vault/fuzen_op/vice.zip)

F-Secure's Blacklight
(http://www.f-secure.com/blacklight/)

Also, if the rootkit behaves like a worm, have you checked if TDS-3 and
TrojanHunter find it?

Posted by Pablo Guildenstern on June 21st, 2005


In article <wY6dnVGvzbXQiCrfRVn-qw@comcast.com>,
Vangu@rd.invalid says...
Did I? Sorry - it'll be down to the copy&paste
No, the weird thing was that the rootkit file, rdriv.sys, WAS
detected (by various scanners), but the bit that re-created it
every time we killed it wasn't. If we did it all again this
week, maybe it would be: the av vendors may have been playing
catch-up.

Yes, it spotted it. But, again, not the "re-instantiator".
Didn't try them.
Most of the work was done by my colleague. I mostly just made
"helpful" suggestions - like trying procexp. He hit on the
"make rdriv read-only so we can see what's trying to re-write
it" trick. I suspect it's a trick we'll be needing again.
--
"He just said it had an 'x'."
"It isn't their necks I mind," said Piglet earnestly.
"It's their teeth."

Posted by cquirke (MVP Windows shell/user) on June 21st, 2005


On Mon, 20 Jun 2005 15:24:56 +0100, Pablo Guildenstern

<good stuff snipped>


That I would NOT do, unless I really needed those hidden admin shares.

In fact, I'd do exactly the opposite; make sure those settings are
back in place, so that malware can't walk straight into the "hidden"
admin shares c$, d$, e$... that break best-practice of never
write-sharing integration points, such as StartUp folders.

Quite crafty to drop those settings in place, as many av may remove
the settings as part of the malware cleanup - opening the door again.

Agreed, though not for the reason you had in mind ;-)

What do those do?

Yup. I usually take this opportunity to relocate data as well, as
often these are "duh" PCs that still have data paths like
C:\Ghastly\Long\Deeply\Nested\Path\Recover\Each\Of\These\Dirs
and will tend to mix mountains of MP3, pics, movies and incoming
malware (My Received Files) with your actual data.


ashtrays in the lounge, when I don't even have a car?"

Posted by Pablo Guildenstern on June 21st, 2005


In article <1ssfb1pbhqhkec3755du9c125j83jaepeb@4ax.com>,
cquirkenews@nospam.mvps.org says...
Mmmmm, we nicked that bit from an AV vendor's website. Didn't
even enquire too closely what those keys do, at the various
possible values. I shall look into it this afternoon.

--
"He just said it had an 'x'."
"It isn't their necks I mind," said Piglet earnestly.
"It's their teeth."
