Backdoor:WinNT/Rustock.C

Backdoor:WinNT/Rustock.C is a generic detection for a driver component of Win32/Rustock. Win32/Rustock is a family of rootkit-enabled backdoor trojans that have historically been used to send large volumes of spam from infected computers. More recently, Rustock variants have been associated with Rogue Security applications.

 

This trojan commonly consists of three components that are embedded within a single binary - the dropper (which runs in user mode), the driver's installer, and the actual rootkit driver, (both of which run in kernel mode). The rootkit driver is dropped into the '<system folder>\drivers' folder and installed as a service. The driver filename is commonly named lzx32.sys or xpdx.sys and loaded as service by modifying the registry as in the following example:

 

Adds value: ImagePath

With data: "%SystemRoot%\System32\drivers\lzx32.sys"

Adds value: Type

With data: "1"

Adds value: "Start"

With data: "1"

Adds value: "ErrorControl"

With data: "1"

To subkey: HKLM\SYSTEM\CurrentControlSet\Services\lzx32

 

Hides Components

This rootkit driver hooks system functions to further hide itself and the components of the rootkit from detection. Please see more details Win32/Rustock family entry.

 

Analysis by Hong Jia