Threat behavior
VirTool:WinNT/Xantvi.gen!A is a generic detection for a kernel-mode rootkit driver that terminates processes and attempts to hide the presence of related malware on an affected machine.
Installation
WinNT/Xantvi.gen!A is used by other malware, such as Trojan:Win32/Wantvi, to hide that malware's files from the affected user. It may be dropped to '<system folder>\drivers\beep.sys' and is loaded by the associated malware.
Payload
Uses Stealth
WinNT/Xantvi.gen!A hides the presence of itself and related malware on an affected machine.
Terminates Processes
WinNT/Xantvi.gen!A terminates processes that match the following names (largely security and rootkit-detection tools, including their drivers and DLLs) if they are loaded into memory:
\spdt.sys
\gmer.sys
\taskmon.sys
\kernelw.sys
\wowfx.dll
\pctfw2.sys
\symtdi.sys
\symevent.sys
\fltmgr.sys
\bmbemuhl
\ip6fw.sys
\fmtr.sys
\sdhelper.dll
\wincom32.sys
\rdriv.sys
\mpfirewall.sys
\sandbox.sys
\filtnt.sys
\bc_tdi_f.sys
\bc_prt_f.sys
\bc_pat_f.sys
\bc_ngn.sys
\bc_ip_f.sys
\bc_hassh_f.sys
\bcftdi.sys
\bcfilter.sys
\watchdog.sys
\vsdatant.sys
\kmd.exe
\winavxx.exe
\bolenjx.exe
\bolenja.exe
\rootkit_detektive.exe
\autoruns.exe
\vundofix.exe
\trjscan.exe
\tpsrv.exe
\thguard.exe
\symwsc.exe
\superantispyware.exe
\spyblock.dll
\spbbcsvc.exe
\sndsrvc.exe
\sndmon.exe
\sdtrayapp.exe
\sbserv.exe
\pskmssvc.exe
\psimsvc.exe
\pshost.exe
\psctrls.exe
\pifsvc.exe
\pavsrv51.exe
\pavprsrv.exe
\lucoms~1.exe
\lsetup.exe
\ccsvchst.exe
\ccproxy.exe
\avengine.exe
\avciman.exe
\ashwebsv.exe
\ashserv.exe
\ashmaisv.exe
\apvxdwin.exe
\appsvc32.exe
\aluschedulersvc.exe
\gmer.exe
\killbox.exe
\avgupsvc.exe
\avgamsvr.exe
\avgw.exe
\avgcc.exe
\msmpeng.exe
\printer.exe
\svcntaux.exe
\swdsvc.exe
\avgas.exe
\symlcsvc.exe
\fwservice.exe
\prevxcsi.exe
navilog
\navapsvc.exe
\globkill.exe
\dss.exe
\procmast.exe
\combo.exe
\defwatch.exe
\ccsetmgr.exe
\ccpwdsvc.exe
\sdfix.exe
\zcomservice.exe
\zcodec.exe
\zclient.exe
\spywaredetector.exe
\spybotsd.exe
\spybot.exe
\savscan.exe
\sandboxieserver.exe
\rtvscan.exe
\pboptions.exe
\pbcpl.exe
\pavfnsvr.exe
\overspy.exe
\overseer.exe
\outpost.exe
\ofcdog.exe
\nvctrl.exe
\nsmdtr.exe
\nortonupdate.exe
\nod32ra.exe
\nod32krn.exe
\no32mon.exe
\nlsupervisorpro.exe
\njexplor.exe
\nisum.exe
\navw32.exe
\navstub.exe
\navapp.exe
\myvideodaily2.exe
\mwsoemon.exe
\msssrv.exe
\mcshield.exe
\malswep.exe
\malscr.exe
\magiclink.exe
\lsass32.exe
\lsasrv.exe
\livesrv.exe
\little_helper2.exe
\kpf4ss.exe
\klswd.exe
\klpf.exe
\kavsvc.exe
\kavss.exe
\kav.exe
\issvc.exe
\isnotify.exe
\ismini.exe
\inetupd.exe
\icmon.exe
\iao.exe
\hwpe2.exe
\hitvirus.exe
\hijackthis
\hbtoeaddon.exe
\hackmon.exe
\gcasserv.exe
\gcasdtserv.exe
\fsm32.exe
\fsbl.exe
\fsav32.exe
\fatbuster.exe
\farsighter.exe
\f-stopw.exe
\f-sched.exe
\eyetidecontroller.exe
\dsentry.exe
\cureit.exe
\crypserv.exe
\cpf.exe
\cpd.exe
\comboxfix.exe
\combofix
\ccpxysvc.exe
\ccimscan.exe
\ccevtmgr.exe
\ccapp.exe
\cavtray.exe
\cavrid.exe
\bdss.exe
\bdmcon.exe
\avz.exe
\avsched32.exe
\avpm.exe
\avp.exe
\avpcc.exe
\avgemc.exe
\avgagent.exe
Analysis by Hong Jia
Prevention