Rootkit List


7/31/2019 Rootkit List

Name | Filename | Status | Description
win32k.sys | win32k.sys:2 | X | The ZeroAccess rootkit. This rootkit terminates any program that scans its processes or files and then changes the permissions on them so you can no longer run them. This infection uses Alternate Data Streams and rootkit technology to hide itself and the service entry.
win32k.sys | win32k.sys:1 | X | The ZeroAccess rootkit. This rootkit terminates any program that scans its processes or files and then changes the permissions on them so you can no longer run them. This infection uses Alternate Data Streams and rootkit technology to hide itself and the service entry.
Service_SKYNET | SKYNET.sys | X | SkyNet Rootkit.
Service_SKYNET | SKYNET.dat | X | SkyNet Rootkit.
cmi4432 | cmi4432.sys | X | Added by the RTKT_DUQU.A rootkit.
JmiNET3 | jminet7.sys | X | Added by the RTKT_DUQU.A rootkit.
PDCOMP | _amdevntas.sys | X | Added by the Trojan-Spy.Win32.Batton.rk spyware and information stealer. Trojan-Spy spies upon the user's activity and steals confidential user information.
(no name) | mntsys.exe | X | Added by the Troj/Rootkit-IM rootkit.
Mseu | Mseu.sys | X | Added by the W32.Zimuse.B worm. W32.Zimuse.B is a worm that deletes files and overwrites the master boot record of the compromised computer.
Mstart | Mstart.sys | X | Added by the W32.Zimuse.B worm. W32.Zimuse.B is a worm that deletes files and overwrites the master boot record of the compromised computer.
Self extract service | Mseus.exe | X | Added by the W32.Zimuse.B worm. W32.Zimuse.B is a worm that deletes files and overwrites the master boot record of the compromised computer.
system performance logging for TrueTime Driver Edition | chkzero.ex | X | Added by the Troj/Hackda-A Trojan & Rootkit.
Kernel Mode SND msvtcher | msvtch.sys | X | A variant of the Haxdoor rootkit.
NGate service | tage32.sys | X | A variant of the Haxdoor rootkit.
CPU FUN Controller | kryo2.sys | X | Added by a variant of the Goldun.Fam Trojan.
glaide32 | glaide32.sys | X | Added by the Backdoor.Rustock backdoor rootkit.

Links referenced on this page:
http://www.bleepingcomputer.com/startups/win32k.sys-26944.html
http://www.bleepingcomputer.com/startups/win32k.sys_2-26944.html
http://www.bleepingcomputer.com/tutorials/windows-alternate-data-streams/
http://www.bleepingcomputer.com/startups/win32k.sys-26943.html
http://www.bleepingcomputer.com/startups/win32k.sys_1-26943.html
http://www.bleepingcomputer.com/tutorials/windows-alternate-data-streams/
http://www.bleepingcomputer.com/startups/Service_SKYNETrandom_chars-26942.html
http://www.bleepingcomputer.com/startups/SKYNETrandom_characters.sys-26942.html
http://www.bleepingcomputer.com/startups/Service_SKYNETrandom_chars-26941.html
http://www.bleepingcomputer.com/startups/SKYNETrandom_characters.dat-26941.html
http://www.bleepingcomputer.com/startups/cmi4432-26933.html
http://www.bleepingcomputer.com/startups/cmi4432.sys-26933.html
http://about-threats.trendmicro.com/Malware.aspx?language=us&name=RTKT_DUQU.A
http://www.bleepingcomputer.com/startups/JmiNET3-26932.html
http://www.bleepingcomputer.com/startups/jminet7.sys-26932.html
http://about-threats.trendmicro.com/Malware.aspx?language=us&name=RTKT_DUQU.A
http://www.bleepingcomputer.com/startups/PDCOMP-26834.html
http://www.bleepingcomputer.com/startups/_amdevntas.sys-26834.html
http://www.securelist.com/en/descriptions/24358424/Trojan-Spy.Win32.Batton.rk
http://www.bleepingcomputer.com/startups/not_used-25750.html
http://www.bleepingcomputer.com/startups/mntsys.exe-25750.html
http://www.sophos.com/security/analyses/viruses-and-spyware/trojrootkitim.html
http://www.bleepingcomputer.com/startups/Mseu-25449.html
http://www.bleepingcomputer.com/startups/Mseu.sys-25449.html
http://www.symantec.com/business/security_response/writeup.jsp?docid=2010-012515-2313-99&tabid=2
http://www.bleepingcomputer.com/startups/Mstart-25448.html
http://www.bleepingcomputer.com/startups/Mstart.sys-25448.html
http://www.symantec.com/business/security_response/writeup.jsp?docid=2010-012515-2313-99&tabid=2
http://www.bleepingcomputer.com/startups/Self_extract_service-25447.html
http://www.bleepingcomputer.com/startups/Mseus.exe-25447.html
http://www.symantec.com/business/security_response/writeup.jsp?docid=2010-012515-2313-99&tabid=2
http://www.bleepingcomputer.com/startups/system_performance_logging_for_TrueTime_Driver_Edition-24860.html
http://www.bleepingcomputer.com/startups/chkzero.ex-24860.html
http://www.sophos.com/security/analyses/viruses-and-spyware/trojhackdaa.html
http://www.bleepingcomputer.com/startups/Kernel_Mode_SND_msvtcher-24297.html
http://www.bleepingcomputer.com/startups/msvtch.sys-24297.html
http://www.f-secure.com/v-descs/haxdoor.shtml
http://www.bleepingcomputer.com/startups/NGate_service-24269.html
http://www.bleepingcomputer.com/startups/tage32.sys-24269.html
http://www.f-secure.com/v-descs/haxdoor.shtml
http://www.bleepingcomputer.com/startups/CPU_FUN_Controller-24244.html
http://www.bleepingcomputer.com/startups/kryo2.sys-24244.html
http://research.sunbelt-software.com/threatdisplay.aspx?name=Goldun.Fam&threatid=43858
http://www.bleepingcomputer.com/startups/glaide32-24147.html
http://www.bleepingcomputer.com/startups/glaide32.sys-24147.html
http://www.symantec.com/security_response/writeup.jsp?docid=2006-011309-5412-99

Name | Filename | Status | Description
vbagz | vbagz.sys | X | Added by the TROJ_ROOTKIT.BA Trojan.
svitch | svitch.sys | X | A variant of the Haxdoor rootkit.
DirectSound KDriver | asplg.sys | X | Added by a variant of the Goldun.Fam rootkit.
tdssserv | tdssserv.sys | X | Identified as a variant of the Clbdriver/Troj/NtRootK-DR malware.
Virtual CD-ROM Driver | dwave.sys | X | Identified as a variant of the Trojan-Spy.Win32.Goldun.api rootkit.
msdefender.sys | msdefender.sys | X | Identified as a variant of the Win32:Rootkit-gen rootkit.
XD FileSystemDriver | fsxxd.sys | X | A variant of the Haxdoor rootkit.
msliksurserv | msliksurserv.sys | X | Added by the Troj/Agent-HFC Trojan.
clbdriver | clbdriver.sys | X | Identified as a variant of the Rootkit.Win32.Clbd.cx rootkit.
pqasghjd | pqasghjd.sys | X | Added by the Backdoor.Rustock backdoor rootkit.
Uninterruptible Power Supply CRT | upscr.sys | X | Identified as a variant of the Trojan.Rootkit.Gen rootkit.
narqwe | narqwe.sys | X | Added by the Backdoor.Rustock backdoor rootkit.
jwzpqng | jwzpqng.sys | X | Added by the Backdoor.Rustock backdoor rootkit.
upsctl | upsctl.dll | X | Identified as a variant of the Trojan.Rootkit.Gen rootkit.
bzsqlpa | bzsqlpa.sys | X | Added by the Backdoor.Rustock backdoor rootkit.
hcnwg4u | hcnwg4u.sys | X | Added by the Backdoor.Rustock backdoor rootkit.
ksnhtr | ksnhtr.sys | X | Added by the Backdoor.Rustock backdoor rootkit.
sywtdxaz | sywtdxaz.sys | X | Added by the Backdoor.Rustock backdoor rootkit.
gsbgqpwwfw | gsbgqpwwfw.sys | X | Added by the Backdoor.Rustock backdoor rootkit.
WLAN route service | rotr.sys | X | Identified as a variant of the Rootkit.Win32.Agent.ahf rootkit.
nzqtegh | nzqtegh.sys | X | Added by the Backdoor.Rustock backdoor rootkit.
iuzqpaf | iuzqpaf.sys | X | Added by the Backdoor.Rustock backdoor rootkit.
yzbgqap | yzbgqap.sys | X | Added by the Backdoor.Rustock backdoor rootkit.

Links referenced on this page:
http://www.bleepingcomputer.com/startups/vbagz-24098.html
http://www.bleepingcomputer.com/startups/vbagz.sys-24098.html
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_ROOTKIT.BA&VSect=T
http://www.bleepingcomputer.com/startups/svitch-24038.html
http://www.bleepingcomputer.com/startups/svitch.sys-24038.html
http://www.f-secure.com/v-descs/haxdoor.shtml
http://www.bleepingcomputer.com/startups/DirectSound_KDriver-23959.html
http://www.bleepingcomputer.com/startups/asplg.sys-23959.html
http://research.sunbelt-software.com/threatdisplay.aspx?name=Goldun.Fam&threatid=43858
http://www.bleepingcomputer.com/startups/tdssserv-23624.html
http://www.bleepingcomputer.com/startups/tdssserv.sys-23624.html
http://www.bleepingcomputer.com/startups/Virtual_CD_ROM_Driver-23582.html
http://www.bleepingcomputer.com/startups/dwave.sys-23582.html
http://www.bleepingcomputer.com/startups/msdefender.sys-23581.html
http://www.bleepingcomputer.com/startups/XD_FileSystemDriver-23478.html
http://www.bleepingcomputer.com/startups/fsxxd.sys-23478.html
http://www.f-secure.com/v-descs/haxdoor.shtml
http://www.bleepingcomputer.com/startups/msliksurserv-23475.html
http://www.bleepingcomputer.com/startups/msliksurserv.sys-23475.html
http://www.sophos.com/security/analyses/viruses-and-spyware/trojagenthfc.html
http://www.bleepingcomputer.com/startups/clbdriver-23372.html
http://www.bleepingcomputer.com/startups/clbdriver.sys-23372.html
http://www.bleepingcomputer.com/startups/pqasghjd-23300.html
http://www.bleepingcomputer.com/startups/pqasghjd.sys-23300.html
http://www.symantec.com/security_response/writeup.jsp?docid=2006-011309-5412-99
http://www.bleepingcomputer.com/startups/Uninterruptible_Power_Supply_CRT-23279.html
http://www.bleepingcomputer.com/startups/upscr.sys-23279.html
http://www.bleepingcomputer.com/startups/narqwe-23278.html
http://www.bleepingcomputer.com/startups/narqwe.sys-23278.html
http://www.symantec.com/security_response/writeup.jsp?docid=2006-011309-5412-99
http://www.bleepingcomputer.com/startups/jwzpqng-23277.html
http://www.bleepingcomputer.com/startups/jwzpqng.sys-23277.html
http://www.symantec.com/security_response/writeup.jsp?docid=2006-011309-5412-99
http://www.bleepingcomputer.com/startups/upsctl-23222.html
http://www.bleepingcomputer.com/startups/upsctl.dll-23222.html
http://www.bleepingcomputer.com/startups/bzsqlpa-23154.html
http://www.bleepingcomputer.com/startups/bzsqlpa.sys-23154.html
http://www.symantec.com/security_response/writeup.jsp?docid=2006-011309-5412-99
http://www.bleepingcomputer.com/startups/hcnwg4u-23144.html
http://www.bleepingcomputer.com/startups/hcnwg4u.sys-23144.html
http://www.symantec.com/security_response/writeup.jsp?docid=2006-011309-5412-99
http://www.bleepingcomputer.com/startups/ksnhtr-23066.html
http://www.bleepingcomputer.com/startups/ksnhtr.sys-23066.html
http://www.symantec.com/security_response/writeup.jsp?docid=2006-011309-5412-99
http://www.bleepingcomputer.com/startups/sywtdxaz-23065.html
http://www.bleepingcomputer.com/startups/sywtdxaz.sys-23065.html
http://www.symantec.com/security_response/writeup.jsp?docid=2006-011309-5412-99
http://www.bleepingcomputer.com/startups/gsbgqpwwfw-23017.html
http://www.bleepingcomputer.com/startups/gsbgqpwwfw.sys-23017.html
http://www.symantec.com/security_response/writeup.jsp?docid=2006-011309-5412-99
http://www.bleepingcomputer.com/startups/WLAN_route_service-22990.html
http://www.bleepingcomputer.com/startups/rotr.sys-22990.html
http://www.bleepingcomputer.com/startups/nzqtegh-22989.html
http://www.bleepingcomputer.com/startups/nzqtegh.sys-22989.html
http://www.symantec.com/security_response/writeup.jsp?docid=2006-011309-5412-99
http://www.bleepingcomputer.com/startups/iuzqpaf-22988.html
http://www.bleepingcomputer.com/startups/iuzqpaf.sys-22988.html
http://www.symantec.com/security_response/writeup.jsp?docid=2006-011309-5412-99
http://www.bleepingcomputer.com/startups/yzbgqap-22965.html
http://www.bleepingcomputer.com/startups/yzbgqap.sys-22965.html
http://www.symantec.com/security_response/writeup.jsp?docid=2006-011309-5412-99

Name | Filename | Status | Description
wzghui | wzghui.sys | X | Added by the Backdoor.Rustock backdoor rootkit.
pjsapdg | pjsapdg.sys | X | Added by the Backdoor.Rustock backdoor rootkit.
zwqcplsp | zwqcplsp.sys | X | Added by the Backdoor.Rustock backdoor rootkit.
tcpsr | tcpsr.sys | X | Identified as a variant of the Trojan.Rootkit.Agent.Ack malware.
bqzpas | bqzpas.sys | X | Added by the Backdoor.Rustock backdoor rootkit.
kzq5re | kzq5re.sys | X | Added by the Backdoor.Rustock backdoor rootkit.
nexkaqf | nexkaqf.sys | X | Added by the Backdoor.Rustock backdoor rootkit.
hqiopa | hqiopa.sys | X | Added by the Backdoor.Rustock backdoor rootkit.
uazpiq | uazpiq.sys | X | Added by the Backdoor.Rustock backdoor rootkit.
zzz | zzz.sys | X | Added by the Hacktool.Rootkit rootkit.
QANDR | qandr.sys | X | Added by a variant of the Rootkit.Win32.Agent.ea rootkit Trojan.
Kernel CryptoModule | krnllds.sys | X | Added by a variant of the TR/Rootkit.Gen rootkit Trojan.
fkjdfje | fkjdfje.sys | X | Added by the Backdoor.Rustock backdoor rootkit.
ydhqzop | ydhqzop.sys | X | Added by the Backdoor.Rustock backdoor rootkit.
zsqalpdt | zsqalpdt.sys | X | Added by the Backdoor.Rustock backdoor rootkit.
klite | klite.sys | X | A variant of the Haxdoor rootkit.
grande48 | grande48.sys | X | Added by the Troj/RKAgen-E rootkit Trojan.
DTM Protector | dprot.sys | X | A variant of the Haxdoor rootkit.
widuxngq | widuxngq.sys | X | Added by the Backdoor.Rustock backdoor rootkit.
hemimorphite | vualf.dll | X | Zlob Trojan that infects you with the VirusHeat rogue anti-spyware program. Please use the guide below to remove this infection.
zeqbqwp | zeqbqwp.sys | X | Added by the Backdoor.Rustock backdoor rootkit.
zalpqbj | zalpqbj.sys | X | Added by the Backdoor.Rustock backdoor rootkit.
serazavr | serazavr.log | X | Added by the Backdoor.Rustock backdoor

Links referenced on this page:
http://www.bleepingcomputer.com/startups/wzghui-22964.html
http://www.bleepingcomputer.com/startups/wzghui.sys-22964.html
http://www.symantec.com/security_response/writeup.jsp?docid=2006-011309-5412-99
http://www.bleepingcomputer.com/startups/pjsapdg-22938.html
http://www.bleepingcomputer.com/startups/pjsapdg.sys-22938.html
http://www.symantec.com/security_response/writeup.jsp?docid=2006-011309-5412-99
http://www.bleepingcomputer.com/startups/zwqcplsp-22937.html
http://www.bleepingcomputer.com/startups/zwqcplsp.sys-22937.html
http://www.symantec.com/security_response/writeup.jsp?docid=2006-011309-5412-99
http://www.bleepingcomputer.com/startups/tcpsr-22922.html
http://www.bleepingcomputer.com/startups/tcpsr.sys-22922.html
http://www.bleepingcomputer.com/startups/bqzpas-22921.html
http://www.bleepingcomputer.com/startups/bqzpas.sys-22921.html
http://www.symantec.com/security_response/writeup.jsp?docid=2006-011309-5412-99
http://www.bleepingcomputer.com/startups/kzq5re-22878.html
http://www.bleepingcomputer.com/startups/kzq5re.sys-22878.html
http://www.symantec.com/security_response/writeup.jsp?docid=2006-011309-5412-99
http://www.bleepingcomputer.com/startups/nexkaqf-22858.html
http://www.bleepingcomputer.com/startups/nexkaqf.sys-22858.html
http://www.symantec.com/security_response/writeup.jsp?docid=2006-011309-5412-99
http://www.bleepingcomputer.com/startups/hqiopa-22853.html
http://www.bleepingcomputer.com/startups/hqiopa.sys-22853.html
http://www.symantec.com/security_response/writeup.jsp?docid=2006-011309-5412-99
http://www.bleepingcomputer.com/startups/uazpiq-22844.html
http://www.bleepingcomputer.com/startups/uazpiq.sys-22844.html
http://www.symantec.com/security_response/writeup.jsp?docid=2006-011309-5412-99
http://www.bleepingcomputer.com/startups/zzz-22829.html
http://www.bleepingcomputer.com/startups/zzz.sys-22829.html
http://www.symantec.com/security_response/writeup.jsp?docid=2002-011710-0057-99
http://www.bleepingcomputer.com/startups/QANDR-22812.html
http://www.bleepingcomputer.com/startups/qandr.sys-22812.html
http://research.sunbelt-software.com/threatdisplay.aspx?name=Rootkit.Win32.Agent.ea&threatid=127901
http://www.bleepingcomputer.com/startups/Kernel_CryptoModule-22811.html
http://www.bleepingcomputer.com/startups/krnllds.sys-22811.html
http://www.avira.com/en/threats/section/fulldetails/id_vir/2798/tr_rootkit.gen.html
http://www.bleepingcomputer.com/startups/fkjdfje-22809.html
http://www.bleepingcomputer.com/startups/fkjdfje.sys-22809.html
http://www.symantec.com/security_response/writeup.jsp?docid=2006-011309-5412-99
http://www.bleepingcomputer.com/startups/ydhqzop-22808.html
http://www.bleepingcomputer.com/startups/ydhqzop.sys-22808.html
http://www.symantec.com/security_response/writeup.jsp?docid=2006-011309-5412-99
http://www.bleepingcomputer.com/startups/zsqalpdt-22807.html
http://www.bleepingcomputer.com/startups/zsqalpdt.sys-22807.html
http://www.symantec.com/security_response/writeup.jsp?docid=2006-011309-5412-99
http://www.bleepingcomputer.com/startups/klite-22799.html
http://www.bleepingcomputer.com/startups/klite.sys-22799.html
http://www.f-secure.com/v-descs/haxdoor.shtml
http://www.bleepingcomputer.com/startups/grande48-22796.html
http://www.bleepingcomputer.com/startups/grande48.sys-22796.html
http://www.sophos.com/security/analyses/viruses-and-spyware/trojrkagene.html
http://www.bleepingcomputer.com/startups/DTM_Protector-22791.html
http://www.bleepingcomputer.com/startups/dprot.sys-22791.html
http://www.f-secure.com/v-descs/haxdoor.shtml
http://www.bleepingcomputer.com/startups/widuxngq-22789.html
http://www.bleepingcomputer.com/startups/widuxngq.sys-22789.html
http://www.symantec.com/security_response/writeup.jsp?docid=2006-011309-5412-99
http://www.bleepingcomputer.com/startups/hemimorphite-22748.html
http://www.bleepingcomputer.com/startups/vualf.dll-22748.html
http://www.bleepingcomputer.com/forums/topic130080.html
http://www.bleepingcomputer.com/startups/zeqbqwp-22723.html
http://www.bleepingcomputer.com/startups/zeqbqwp.sys-22723.html
http://www.symantec.com/security_response/writeup.jsp?docid=2006-011309-5412-99
http://www.bleepingcomputer.com/startups/zalpqbj-22662.html
http://www.bleepingcomputer.com/startups/zalpqbj.sys-22662.html
http://www.symantec.com/security_response/writeup.jsp?docid=2006-011309-5412-99
http://www.bleepingcomputer.com/startups/serazavr-22661.html
http://www.bleepingcomputer.com/startups/serazavr.log-22661.html
http://www.symantec.com/security_response/writeup.jsp?docid=2006-011309-5412-99

    ieqazhew ieqazhew.dll X Added by the Backdoor.Rustock backdoor rootkit.

    XPROTECTOR Driver xprot.sys X A variant of the Haxdoor rootkit.

    kasutio kasutio X Added by the Backdoor.Rustock backdoor rootkit.

    pzqlp pzqlp.chm X Added by the Backdoor.Rustock backdoor rootkit.

    merqpo merqpo.chm X Added by the Backdoor.Rustock backdoor rootkit.

    zeqwur zeqwur.chm X Added by the Backdoor.Rustock backdoor rootkit.

    guntest guntest.chm X Added by the Backdoor.Rustock backdoor rootkit.

    aiqpbter aiqpbter.chm X Added by the Backdoor.Rustock backdoor rootkit.

    apcdli apcdli.sys X Added by the Mal/RootKit-A rootkit.

    rwtatpl rwtatpl.lid X Added by the Backdoor.Rustock backdoor rootkit.

    rqksgpu rqksgpu.cur X Added by the Backdoor.Rustock backdoor rootkit.

    mkwsqp mkwsqp.cur X Added by the Backdoor.Rustock backdoor rootkit.

    lagednick lagednick.chm X Added by the Backdoor.Rustock backdoor rootkit.

    hqaply hqaply.chm X Added by the Backdoor.Rustock backdoor rootkit.

    cjwriiigqazft cjwriiigqazft.cat X Added by the Backdoor.Rustock backdoor rootkit.

    accctsggw accctsggw.cat X Added by the Backdoor.Rustock backdoor rootkit.

    3klagia 3klagia.dll X Added by the Backdoor.Rustock backdoor rootkit.

    werasqlp werasqlp.cur X Added by the Backdoor.Rustock backdoor rootkit.

    riode32 riode32.sys X Identified as a variant of the Rootkit.Win32.Agent.adm rootkit.

    yqzsypbgh yqzsypbgh.cat X Added by the Backdoor.Rustock backdoor rootkit.

    uxgrafj uxgrafj.adm X Added by the Backdoor.Rustock backdoor rootkit.

    rYehhbqzx rYehhbqzx.adm X Added by the Backdoor.Rustock backdoor rootkit.
    yutsubk yutsubk.cat X Added by the Backdoor.Rustock backdoor rootkit.

    kavsvc kavsvc.sys X Added by the Hacktool.Rootkit rootkit.

    nvcoi nvcoi.exe X Identified as a variant of the Trojan.Downloader.Matcash malware.

    agehhtd agehhtd.cat X Added by the Backdoor.Rustock backdoor rootkit.

    qwetab qwetab.inf X Added by the Backdoor.Rustock backdoor rootkit.

    infoxmid wseqnx.inf X Added by the Backdoor.Rustock backdoor rootkit.

    ITCom virtual adapter itcom.sys X Identified as a variant of the TR/Rootkit.Gen rootkit.

    FT StarForce Protector fprot.sys X A variant of the Haxdoor rootkit.

    hipsrv hipsrv.mm X Added by the Backdoor.Rustock backdoor rootkit.

    userinfo32 userinfo32.ggt X Added by the Backdoor.Rustock backdoor rootkit.

    alcop server alcop.sys X Added by a variant of the Goldun.Fam rootkit.

    efidriver efidriver.drv X Added by the Backdoor.Rustock backdoor rootkit.

    pcximg pcximg.pif X Added by the Backdoor.Rustock backdoor rootkit.

    tap64drv tap64drv X Added by the Backdoor.Rustock backdoor rootkit.

    tunnet tunnet.ocx X Added by the Backdoor.Rustock backdoor rootkit.

    alcom alcom.sys X A variant of the Haxdoor rootkit.

    syswindrv syswindrv.bin X Added by the Backdoor.Rustock backdoor rootkit.

    Advanced Power Management powermgmt.sys X Identified as a variant of the Rootkit.Agent.X rootkit.

    sysrestore32.exe sysrestore32.exe X Identified as a variant of the TR/Rootkit.Ge rootkit.

    qtprot qtprot.sys X Identified as a variant of the Trojan.Rootkit.GEY rootkit.

    hdport hdport.sys X Identified as a variant of the Trojan.Rootkit.GEP rootkit.

    wer32 jkghje.dll X Added by the Backdoor.Rustock backdoor rootkit.

    4fdw 4fdw.dll X Added by the Backdoor.Rustock backdoor rootkit.


    Open Host Controller Miniport USB Driver ohcuusb.sys X Identified as a variant of the Rootkit.Win32.Agent.uj rootkit.

    Open Host Controller Miniport USB Driver ohctusb.sys X Identified as a variant of the Rootkit.Win32.Agent.uj rootkit.

    Open Host Controller Miniport USB Driver ohciusb.sys X Identified as a variant of the Rootkit.Win32.Agent.uj rootkit.

    Open Host Controller Miniport USB Driver ohbusb.sys X Identified as a variant of the Rootkit.Win32.Agent.uj rootkit.

    Open Host Controller Miniport USB Driver (rev.d) ohdusb.sys X Identified as a variant of the Rootkit.Win32.Agent.uj rootkit.

    Open Host Controller Miniport USB Driver ohcusb.sys X Identified as a variant of the Rootkit.Win32.Agent.uj rootkit.

    .lnk msmapibx32.exe X Identified as a variant of the Rootkit.Win32.Agent.uj rootkit.

    .lnk msmapiax32.exe X Identified as a variant of the Rootkit.Win32.Agent.uj rootkit.

    jnhjkfrn jnhjkfrn X Added by the Backdoor.Rustock backdoor rootkit.

    ro0 Service ro0.exe X Added by the Backdoor.HackDefender rootkit.

    fnhoje fnhoje X Identified as a variant of the Backdoor:Win32/Rustock.gen rootkit.

    helps.dll X Added by the Hacktool.Rootkit rootkit.

    ellowtab ellowtab.txt X Identified as a variant of the Backdoor.Rustock backdoor and rootkit.

    btstack btstack.ibs X Added by the Mal/RKRustok-A worm and rootkit.

    qwer78 qwer78.sys X Added by the Backdoor.Rustock backdoor rootkit.

    FPU emulation service x86emul.sys X A variant of the Haxdoor Trojan rootkit.

    sysldr sysldr X Identified as a variant of the Backdoor:Win32/Rustock.gen!C rootkit.

    srtwe srtwe.sys X Identified as a variant of the Backdoor:Win32/Rustock.gen rootkit.

    khtml khtml.sys X Identified as a variant of the Backdoor:Win32/Rustock.gen rootkit.

    retx2 retx2.sys X Identified as a variant of the Backdoor:Win32/Rustock.gen rootkit.

    nested nested.sys X Identified as a variant of the Backdoor:Win32/Rustock.gen rootkit.

    nax12 nax12.sys X Identified as a variant of the Backdoor:Win32/Rustock.gen rootkit.


    jecsst jecsst.sys X Identified as a variant of the Backdoor:Win32/Rustock.gen rootkit.

    fvelwow fvelwow.sys X Identified as a variant of the Backdoor:Win32/Rustock.gen rootkit.

    USB2_04 nkv2.sys X Identified as a variant of the Rootkit.Win32.Agent.tj rootkit.

    agony wininit.sys X Added by the NTRootKit-K rootkit.

    ntndis ntndis.sys X Added by the Troj/RKProc-F rootkit.

    BASFNDD BASFNDD.sys X Identified by Kaspersky Antivirus as a variant of the Rootkit.Win32.Agent.to malware.

    kprof kprof X Added by the Trojan-Proxy.Win32.Wopla.ag rootkit.

    fak32 fak32.sys X A variant of the Backdoor:Win32/Rustock.gen malware.

    APC Power Management powerio.sys X Identified as a variant of the RKit/Agent.X.5 rootkit.

    ntio922 ntio922.sys X Identified as a variant of the RKIT/Agent.EZ rootkit.

    ndisaluo ndisaluo.sys X Identified as a variant of the TR/Rootkit.Gen rootkit.

    Object memory mapping 8.0 isodvstg.sys X Added by a variant of the Goldun.Fam rootkit.

    kcp kcp.sys X Added by the ROJ_ROOTKIT.EW rootkit.

    ntload v0.1 ntload.sys X Identified as a variant of the Trojan.Ntrootkit.AL rootkit.

    mp3 audio mp32s.sys X A variant of the TR/Rootkit.Gen rootkit.

    srr srr.sys X Added by the Rootkit.Agent rootkit.

    dhlp dhlp.sys X Identified as a variant of the Win32.Rootkit.Gen rootkit.

    Kernel TCP Filtering protocol necsort.sys X A variant of the Troj/Haxdor-Gen rootkit.

    Nvdia Native Rendering nvnatv.sys X Added by a variant of the Goldun.Fam rootkit.

    NVidia XTLayer gateway nvnati.sys X Added by a variant of the Goldun.Fam rootkit.

    ctl_w32 ctl_w32.sys X Identified as a variant of the Rootkit.Win32.Agent.pq rootkit.

    Object memory mapping 8.0 ati2kstg.sys X A variant of the Haxdoor rootkit.

    cjamkm cjamkm.sys X Added by a variant of the Troj/NTRootK-CM rootkit.

    63cica 63cica.sys X Added by a variant of the Troj/NTRootK-CL

    http://www.bleepingcomputer.com/startups/jecsst-21707.htmlhttp://www.bleepingcomputer.com/startups/jecsst.sys-21707.htmlhttp://www.bleepingcomputer.com/startups/fvelwow-21706.htmlhttp://www.bleepingcomputer.com/startups/fvelwow.sys-21706.htmlhttp://www.bleepingcomputer.com/startups/USB2_04-21671.htmlhttp://www.bleepingcomputer.com/startups/nkv2.sys-21671.htmlhttp://www.bleepingcomputer.com/startups/agony-21657.htmlhttp://www.bleepingcomputer.com/startups/wininit.sys-21657.htmlhttp://www.threatexpert.com/report.aspx?uid=5cd53429-b717-40ab-a02d-686fc5f94952http://www.bleepingcomputer.com/startups/ntndis-21654.htmlhttp://www.bleepingcomputer.com/startups/ntndis.sys-21654.htmlhttp://www.sophos.com/virusinfo/analyses/trojrkprocf.htmlhttp://www.bleepingcomputer.com/startups/BASFNDD-21653.htmlhttp://www.bleepingcomputer.com/startups/BASFNDD.sys-21653.htmlhttp://www.bleepingcomputer.com/startups/kprof-21643.htmlhttp://www.bleepingcomputer.com/startups/kprof-21643.htmlhttp://www.threatexpert.com/report.aspx?uid=4c278f89-0799-4d74-b281-62272f91f975http://www.bleepingcomputer.com/startups/fak32-21637.htmlhttp://www.bleepingcomputer.com/startups/fak32.sys-21637.htmlhttp://www.bleepingcomputer.com/startups/APC_Power_Management-21612.htmlhttp://www.bleepingcomputer.com/startups/powerio.sys-21612.htmlhttp://www.bleepingcomputer.com/startups/ntio922-21609.htmlhttp://www.bleepingcomputer.com/startups/ntio922.sys-21609.htmlhttp://www.bleepingcomputer.com/startups/ndisaluo-21608.htmlhttp://www.bleepingcomputer.com/startups/ndisaluo.sys-21608.htmlhttp://www.bleepingcomputer.com/startups/Object_memory_mapping_8.0-21467.htmlhttp://www.bleepingcomputer.com/startups/Object_memory_mapping_8.0-21467.htmlhttp://www.bleepingcomputer.com/startups/isodvstg.sys-21467.htmlhttp://research.sunbelt-software.com/threatdisplay.aspx?name=Goldun.Fam&threatid=43858http://www.bleepingcomputer.com/startups/kcp-21433.htmlhttp://www.bleepingcomputer.com/startups/kcp.sys-21433.htmlhttp://www.threatexpert.c
om/report.aspx?uid=af2b0a9e-faee-4719-bad6-1364b10aa21ehttp://www.bleepingcomputer.com/startups/ntload_v0.1-21392.htmlhttp://www.bleepingcomputer.com/startups/ntload.sys-21392.htmlhttp://www.bleepingcomputer.com/startups/mp3_audio-21357.htmlhttp://www.bleepingcomputer.com/startups/mp32s.sys-21357.htmlhttp://www.bleepingcomputer.com/startups/srr-21314.htmlhttp://www.bleepingcomputer.com/startups/srr.sys-21314.htmlhttp://www.threatexpert.com/report.aspx?uid=04603ebe-4ca7-4e54-ae99-ad3b007c2100http://www.bleepingcomputer.com/startups/dhlp-21288.htmlhttp://www.bleepingcomputer.com/startups/dhlp.sys-21288.htmlhttp://www.bleepingcomputer.com/startups/Kernel_TCP_Filtering_protocol-21138.htmlhttp://www.bleepingcomputer.com/startups/Kernel_TCP_Filtering_protocol-21138.htmlhttp://www.bleepingcomputer.com/startups/necsort.sys-21138.htmlhttp://www.sophos.com/virusinfo/analyses/trojhaxdorgen.htmlhttp://www.bleepingcomputer.com/startups/Nvdia_Native_Rendering-21021.htmlhttp://www.bleepingcomputer.com/startups/nvnatv.sys-21021.htmlhttp://research.sunbelt-software.com/threatdisplay.aspx?name=Goldun.Fam&threatid=43858http://www.bleepingcomputer.com/startups/NVidia_XTLayer_gateway-21020.htmlhttp://www.bleepingcomputer.com/startups/nvnati.sys-21020.htmlhttp://research.sunbelt-software.com/threatdisplay.aspx?name=Goldun.Fam&threatid=43858http://www.bleepingcomputer.com/startups/ctl_w32-20981.htmlhttp://www.bleepingcomputer.com/startups/ctl_w32.sys-20981.htmlhttp://www.bleepingcomputer.com/startups/Object_memory_mapping_8.0-20960.htmlhttp://www.bleepingcomputer.com/startups/Object_memory_mapping_8.0-20960.htmlhttp://www.bleepingcomputer.com/startups/ati2kstg.sys-20960.htmlhttp://www.f-secure.com/v-descs/haxdoor.shtmlhttp://www.bleepingcomputer.com/startups/cjamkm-20940.htmlhttp://www.bleepingcomputer.com/startups/cjamkm.sys-20940.htmlhttp://www.sophos.com/security/analyses/trojntrootkcm.htmlhttp://www.bleepingcomputer.com/startups/63cica-20939.htmlhttp://www.bleepingcomputer.com/startup
s/63cica.sys-20939.htmlhttp://www.sophos.com/security/analyses/trojntrootkcl.htmlhttp://www.bleepingcomputer.com/startups/jecsst-21707.htmlhttp://www.bleepingcomputer.com/startups/jecsst.sys-21707.htmlhttp://www.bleepingcomputer.com/startups/fvelwow-21706.htmlhttp://www.bleepingcomputer.com/startups/fvelwow.sys-21706.htmlhttp://www.bleepingcomputer.com/startups/USB2_04-21671.htmlhttp://www.bleepingcomputer.com/startups/nkv2.sys-21671.htmlhttp://www.bleepingcomputer.com/startups/agony-21657.htmlhttp://www.bleepingcomputer.com/startups/wininit.sys-21657.htmlhttp://www.threatexpert.com/report.aspx?uid=5cd53429-b717-40ab-a02d-686fc5f94952http://www.bleepingcomputer.com/startups/ntndis-21654.htmlhttp://www.bleepingcomputer.com/startups/ntndis.sys-21654.htmlhttp://www.sophos.com/virusinfo/analyses/trojrkprocf.htmlhttp://www.bleepingcomputer.com/startups/BASFNDD-21653.htmlhttp://www.bleepingcomputer.com/startups/BASFNDD.sys-21653.htmlhttp://www.bleepingcomputer.com/startups/kprof-21643.htmlhttp://www.bleepingcomputer.com/startups/kprof-21643.htmlhttp://www.threatexpert.com/report.aspx?uid=4c278f89-0799-4d74-b281-62272f91f975http://www.bleepingcomputer.com/startups/fak32-21637.htmlhttp://www.bleepingcomputer.com/startups/fak32.sys-21637.htmlhttp://www.bleepingcomputer.com/startups/APC_Power_Management-21612.htmlhttp://www.bleepingcomputer.com/startups/powerio.sys-21612.htmlhttp://www.bleepingcomputer.com/startups/ntio922-21609.htmlhttp://www.bleepingcomputer.com/startups/ntio922.sys-21609.htmlhttp://www.bleepingcomputer.com/startups/ndisaluo-21608.htmlhttp://www.bleepingcomputer.com/startups/ndisaluo.sys-21608.htmlhttp://www.bleepingcomputer.com/startups/Object_memory_mapping_8.0-21467.htmlhttp://www.bleepingcomputer.com/startups/Object_memory_mapping_8.0-21467.htmlhttp://www.bleepingcomputer.com/startups/isodvstg.sys-21467.htmlhttp://research.sunbelt-software.com/threatdisplay.aspx?name=Goldun.Fam&threatid=43858http://www.bleepingcomputer.com/startups/kcp-21433.htmlhttp://
www.bleepingcomputer.com/startups/kcp.sys-21433.htmlhttp://www.threatexpert.com/report.aspx?uid=af2b0a9e-faee-4719-bad6-1364b10aa21ehttp://www.bleepingcomputer.com/startups/ntload_v0.1-21392.htmlhttp://www.bleepingcomputer.com/startups/ntload.sys-21392.htmlhttp://www.bleepingcomputer.com/startups/mp3_audio-21357.htmlhttp://www.bleepingcomputer.com/startups/mp32s.sys-21357.htmlhttp://www.bleepingcomputer.com/startups/srr-21314.htmlhttp://www.bleepingcomputer.com/startups/srr.sys-21314.htmlhttp://www.threatexpert.com/report.aspx?uid=04603ebe-4ca7-4e54-ae99-ad3b007c2100http://www.bleepingcomputer.com/startups/dhlp-21288.htmlhttp://www.bleepingcomputer.com/startups/dhlp.sys-21288.htmlhttp://www.bleepingcomputer.com/startups/Kernel_TCP_Filtering_protocol-21138.htmlhttp://www.bleepingcomputer.com/startups/Kernel_TCP_Filtering_protocol-21138.htmlhttp://www.bleepingcomputer.com/startups/necsort.sys-21138.htmlhttp://www.sophos.com/virusinfo/analyses/trojhaxdorgen.htmlhttp://www.bleepingcomputer.com/startups/Nvdia_Native_Rendering-21021.htmlhttp://www.bleepingcomputer.com/startups/nvnatv.sys-21021.htmlhttp://research.sunbelt-software.com/threatdisplay.aspx?name=Goldun.Fam&threatid=43858http://www.bleepingcomputer.com/startups/NVidia_XTLayer_gateway-21020.htmlhttp://www.bleepingcomputer.com/startups/nvnati.sys-21020.htmlhttp://research.sunbelt-software.com/threatdisplay.aspx?name=Goldun.Fam&threatid=43858http://www.bleepingcomputer.com/startups/ctl_w32-20981.htmlhttp://www.bleepingcomputer.com/startups/ctl_w32.sys-20981.htmlhttp://www.bleepingcomputer.com/startups/Object_memory_mapping_8.0-20960.htmlhttp://www.bleepingcomputer.com/startups/Object_memory_mapping_8.0-20960.htmlhttp://www.bleepingcomputer.com/startups/ati2kstg.sys-20960.htmlhttp://www.f-secure.com/v-descs/haxdoor.shtmlhttp://www.bleepingcomputer.com/startups/cjamkm-20940.htmlhttp://www.bleepingcomputer.com/startups/cjamkm.sys-20940.htmlhttp://www.sophos.com/security/analyses/trojntrootkcm.htmlhttp://www.bleepingc
omputer.com/startups/63cica-20939.htmlhttp://www.bleepingcomputer.com/startups/63cica.sys-20939.htmlhttp://www.sophos.com/security/analyses/trojntrootkcl.html
  • 7/31/2019 Rootkit List

    9/21

    rootkit.

    ke32psag | ke32psag.sys | X | A variant of the Haxdoor rootkit.
    ZZZdrv_lich | lich.sys | X | A variant of the Trojan.NtRootKit rootkit.
    IPv6 BT converter | xdrve9d.sys | X | A variant of the Haxdoor rootkit.
    ini910p | ini910p.sys | X | A variant of the Ascesso Rootkit.
    Windows Update Check | syslodr.exe | X | Identified as a variant of the W32/Rootkit.ASA.dropper rootkit.
    g_rkt | win32_rkt.sys | X | Identified as a variant of the Win32.Rootkit.Agent.MO rootkit.
    noskrnl | noskrnl.sys | X | Added by the Trojan.Peacomm.D rootkit. Trojan.Peacomm.D is a Trojan horse that gathers system information and email addresses from the compromised computer.
    NdisWon | NdisWon.sys | X | Identified as a variant of the Ascesso rootkit.
    RGB video output | ycsrga.sys | X | Added by a variant of the Goldun.Fam rootkit.
    YVPB video output | ycsrgb.sys | X | Added by a variant of the Goldun.Fam rootkit.
    Object memory mapping 8.0 | ati2psag.sys | X | Added by a variant of the Goldun.Fam rootkit.
    asc3550o | asc3550o.sys | X | Identified as a variant of the Trojan.Rootkit.Agent rootkit.
    asc355O | asc355O.sys | X | Identified as the Trojan.Rootkit.Agent.NCY rootkit.
    Oddysee | ntoskrnl.exe:kernel | X | Added by the W32.Focelto.A rootkit. This rootkit is an Alternate Data Stream file which requires certain tools to remove it. The ntoskrnl.exe it is attached to is a legitimate Microsoft file and should not be removed.
     | sygate.exe | N | Added by the W32.Focelto.A worm. W32.Focelto.A is a worm that spreads through Microsoft instant messaging clients and uses Rootkit techniques. It opens a back door on the compromised computer. This infection is bundled with the ntoskrnl.exe:kernel ADS rootkit.
    PPA Virtial rendering | nvsystl3.sys | X | Added by a variant of the Goldun.Fam rootkit.
    Rege memory mapper | flashsmt.sys | X | Added by a variant of the Goldun.Fam rootkit.
    wsnpoem.sys | wsnpoem.sys | X | Identified as the Backdoor.Win32.Small.lu/Rootkit.V malware.
    Megadrv3 | srosa.sys | X | Added by the W32.Beagle.GM rootkit.
    srosa | srosa.sys | X | Added by the TROJ_ROOTKIT.JS rootkit.


    protect | Protect.sys | X | A variant of the Trojan.NtRootKit.361 rootkit.
    asc355 | asc355.sys | X | A variant of the TROJ_AGENT.AAND rootkit.
    NVidia TLayer gateway A2 | nvmapi.sys | X | Added by a variant of the Goldun.Fam rootkit.
    Memory SCN | ovwscn.sys | X | Added by a variant of the Goldun.Fam rootkit.
    Memory SCN X1 | ovrscn.sys | X | Added by a variant of the Goldun.Fam rootkit.
    ro0 Service | ro0.exe | X | Identified as a Spambot variant.
    MSDV Driver | msdvdr.pif | X | A variant of the HackerDefender rootkit.
    SysLibrary | DefLib.sys | X | Added by the Troj/NtRootK-CA rootkit.
    Object memory mapping 8.0 | ati2ksag.sys | X | Added by a variant of the Goldun.Fam rootkit.
    ytghyuiokjnmvrq | wincab.sys | X | Added by the Mal/RootKit-A rootkit. The service and display name are typically random.
    spooldr | spooldr.sys | X | Added by the Trojan.Peacomm.C rootkit.
    yscpsdfh | zscpsdfh.sys | X | Added by the Troj/RKPort-Fam Trojan rootkit.
    yvaeypeb | zvaeypeb.sys | X | Added by the Troj/Bckdr-QJB rootkit.
    yxwituxh | zxwituxh.sys | X | Added by the Troj/Dropper-QV rootkit.
     | WINFBI32.dll | X | Added by the Backdoor.Ginwui.F backdoor. Backdoor.Ginwui.F is a Trojan horse that opens a back door and uses rootkit techniques to hide its presence.
    atietbxx | atietbxx.sys | X | A variant of the Goldun rootkit.
    symavc32 | symavc32.sys | X | Rootkit added by the Troj/Agent-FZV Trojan.
    UPS COMcontrol | upsctrl3.sys | X | A variant of the Goldun rootkit.
    rlx6dob6 | rlx6dob6.sys | X | A variant of the Goldun rootkit.
    IsDrv118 | IsDrv118.sys | X | Added by the Troj/NTRootK-BU rootkit.
    runtime2 | runtim2.sys | X | Added by the Troj/Rootkit-BI rootkit.
    HDTV video output | mswsaf.sys | X | Rootkit used by a variant of the Goldun Trojan.
    Windows Notification Service | winntify.exe | X | Rootkit found with SmitFraud infections.
    windbg48 | windbg48.sys | X | Added by the Troj/RKAgen-A rootkit.
    Local Network Spooler | lspooldrv.sys | X | A variant of the Hacker Defender rootkit.
    xpdx system driver | xpdx.sys | X | Added by the Troj/Rustok-B rootkit.
    atixdaxx | atixdaxx.dll | X | A variant of the Goldun Trojan. This infection utilizes the atixdbxx.sys rootkit to hide itself.
