Rootkit using NtCreateKey then NtEnumerateKey, etc
Posted: Tue Feb 12, 2008 8:51 am
Hi, newbie here, be gentle.:~
I suspected I have a rootkit installed and found icesword by http://www.antirootkit.com/software/IceSword.htm.
When I ran it I see in the system service descriptor window the Kmodule load paths are all from /Windows/System32, except one item.
The item renames itself from boot to boot, and today it is calling itself spgl.sys. Strange the module has no path. Yesterday it was calling itself spid.sys. Today it's called spgl.sys.
Each version hooks into NtCreateKey, then NtEnumerateKey, then NtEnumerateValueKey, then NtOpenKey, NtQueryKey, NtQueryValueKey, NtSetValueKey.
There appears to be a slowdown on the system, and sometimes large transfers of data that do not correspond to user requests.
Any ideas on how to flush out the culprits?
I also found a large number of ADS stream files on the system, mainly attached to images, and of varying file lengths. The content is mostly binary, so no way to easily determine what it is.
Used ADS Spy by Merijn to get them off. Nice product that. Must send him a buck.
Got to give up and go sleep now.
Will replace the MBR tomorrow and soldier on.
Any ideas anyone?
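For the ADS finding above, one way to triage streams before deleting them is to list every non-default stream under a folder, hash it and note whether it starts with an MZ header (a sign of an embedded executable). This is an added example, not code from the post or from ADS Spy; the folder path is a placeholder.

```powershell
# Added example: enumerate alternate data streams under a folder and report
# size, SHA-256 and whether the stream begins with an "MZ" (PE) header.
# Run on Windows PowerShell 5.1 or PowerShell 7; requires only built-ins.
$root = 'C:\PLACEHOLDER\folder_to_scan'   # placeholder, change to the folder you want to inspect

function Get-AdsReport {
    param([string]$Path)
    $sha = [System.Security.Cryptography.SHA256]::Create()
    Get-ChildItem -LiteralPath $Path -Recurse -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_.FullName
            # Get-Item -Stream * lists every NTFS stream; ':$DATA' is the normal file content
            Get-Item -LiteralPath $file -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $_.Stream -ne ':$DATA' } |
                ForEach-Object {
                    # .NET opens an ADS with the "file:stream" path syntax
                    $bytes = [System.IO.File]::ReadAllBytes("$file`:$($_.Stream)")
                    $hash  = ($sha.ComputeHash($bytes) | ForEach-Object { $_.ToString('x2') }) -join ''
                    $isPE  = ($bytes.Length -ge 2 -and $bytes[0] -eq 0x4D -and $bytes[1] -eq 0x5A)
                    [pscustomobject]@{
                        File   = $file
                        Stream = $_.Stream
                        Bytes  = $bytes.Length
                        SHA256 = $hash
                        MZ     = $isPE
                    }
                }
        }
}

Get-AdsReport -Path $root | Sort-Object Bytes -Descending | Format-Table -AutoSize
```

Hash the streams before removing them so the same content can be recognised if it reappears; large streams carrying an MZ header deserve a closer look than small ones attached by browsers or Explorer.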