VirTool:WinNT/Mader.gen!A

VirTool:WinNT/Mader.gen!A is a generic detection for a rootkit that may be bundled or installed by other malware. This rootkit protects itself from being detected or removed by hooking system calls and may download other components.

In the wild, this rootkit has been observed to be installed when visiting adult-content or gambling related websites and via e-mail spam. WinNT/Mader.gen!A is known to be bundled with Adware:Win32/ZenoSearch. This rootkit may also be downloaded and installed by the following threats:

 

Worm:Win32/Flibot.gen!A

 

The rootkit may be present as one of the following files:

 

<system folder>\drivers\amdk77.sys
<system folder>\drivers\atapii.sys
<system folder>\drivers\atmunii.sys
<system folder>\drivers\dmboott.sys
<system folder>\drivers\dxapii.sys
<system folder>\drivers\httpp.sys
<system folder>\drivers\intelppmm.sys
<system folder>\drivers\ipsecc.sys
<system folder>\drivers\irenumm.sys
<system folder>\drivers\ksecddd.sys
<system folder>\drivers\msgpcc.sys
<system folder>\drivers\nic13944.sys
<system folder>\drivers\nwlnkfwdd.sys
<system folder>\drivers\nwlnkspxx.sys
<system folder>\drivers\nwrdrr.sys
<system folder>\drivers\p33.sys
<system folder>\drivers\pcii.sys
<system folder>\drivers\rasl2tpp.sys
<system folder>\drivers\tcpip66.sys
<system folder>\update.exe

VirTool:WinNT/Mader.gen!A hides its presence by hooking the following system functions via the SSDT in order to hide itself from discovery and to protect itself from deletion or removal:

VirTool:WinNT/Mader.gen!A attemtps to download other components from a predefined remote website. In the wild, this malware was observed to retrieve files from the domain 'in-t-e-r-n-e-t.com'.