VirTool:WinNT/Syspro.A is a component of BrowserModifier:Win32/CommonName, unwanted software that mainly tracks Internet usage for marketing purposes, while providing advertising and search assistance with typed keywords. VirTool:WinNT/Syspro.A is installed via a Nullsoft installation program (NSIS archive).
VirTool:WinNT/Syspro.A is a kernel-mode rootkit that may exist as the file WINIK.SYS and hide processes, files and registry keys. WinNT/Syspro.A intercepts registry system calls and attaches to the file system driver to filter file I/O requests.
Installation
VirTool:WinNT/Syspro.A is installed as a component of an installation of BrowserModifier:Win32/CommonName. When CommonName is installed, it creates an installation folder in the %ProgramFiles% folder in the format '%ProgramFiles%\<8 random characters>', e.g. ..\vwrpwxvw.
The NSIS installer will write files into the newly created folder:
..\babe.dat
..\cnml.exe (73,728 bytes)
..\dfs.dat
..\exit.dat
..\%8_random_lettersdigits%.exe (e.g. Mh8GDwQY.exe, 20,480 bytes)
..\obj.dat
..\profile.dat
..\url1.dat
..\url2.dat
..\url8.dat
..\url9.dat
..\%8_random_lettersdigits%.dll (e.g. YQwDG8hM.dll, 143,360 bytes)
..\%8_random_lettersdigits%.exe (e.g. YQwDG8hM.exe, 57,344 bytes)
Next, the NSIS installer will drop VirTool:WinNT/Syspro.A into the <system folder>\drivers folder:
<system folder>\drivers\winik.sys (14,976 bytes)
A registry entry is created to assist in loading the kernel-mode driver:
Adds value: WinIK
In subkey: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\
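The installation artifacts listed above can be checked for with the following PowerShell helper. It is an added example and not part of the original encyclopedia entry; the function name, the 8-character folder match (letters and digits, inferred from the examples given) and the threshold of three marker files are assumptions.

```powershell
# Added detection helper for the VirTool:WinNT/Syspro.A / CommonName artifacts
# described above. Not from the original entry; paths and names come from the
# text, the folder-name pattern and marker threshold are assumptions.
function Find-SysproArtifacts {
    [CmdletBinding()]
    param(
        # Pass a mounted offline volume (e.g. 'E:\Windows') when inspecting a
        # possibly infected disk from a clean boot environment.
        [string]$SystemRoot   = $env:SystemRoot,
        [string]$ProgramFiles = $env:ProgramFiles
    )
    $findings = @()

    # 1. Kernel-mode driver dropped into <system folder>\drivers
    $driver = Join-Path $SystemRoot 'System32\drivers\winik.sys'
    if (Test-Path -LiteralPath $driver) {
        $len = (Get-Item -LiteralPath $driver).Length
        $findings += [pscustomobject]@{ Type = 'DriverFile'; Path = $driver
                                        Detail = "size=$len (entry lists 14,976)" }
    }

    # 2. Service key used to load the driver (checks the live registry only)
    $svc = 'HKLM:\SYSTEM\CurrentControlSet\Services\WinIK'
    if (Test-Path -LiteralPath $svc) {
        $img = (Get-ItemProperty -LiteralPath $svc -ErrorAction SilentlyContinue).ImagePath
        $findings += [pscustomobject]@{ Type = 'ServiceKey'; Path = $svc
                                        Detail = "ImagePath=$img" }
    }

    # 3. CommonName install folder: 8 random characters under %ProgramFiles%,
    #    identified by the fixed-name files the NSIS installer writes there
    $markers = 'babe.dat','cnml.exe','dfs.dat','exit.dat','obj.dat','profile.dat'
    Get-ChildItem -LiteralPath $ProgramFiles -Directory -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -match '^[A-Za-z0-9]{8}$' } |
        ForEach-Object {
            $dir = $_.FullName
            $present = @($markers | Where-Object { Test-Path -LiteralPath (Join-Path $dir $_) })
            if ($present.Count -ge 3) {
                $findings += [pscustomobject]@{ Type = 'InstallFolder'; Path = $dir
                                                Detail = ($present -join ',') }
            }
        }
    return $findings
}

Find-SysproArtifacts | Format-Table -AutoSize
```

Because the loaded driver hides files and registry keys, file results are only reliable when the volume is scanned from a clean boot environment; the registry check covers the live hive only.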
Additional Information
When VirTool:WinNT/Syspro.A is loaded, it performs the following operations: