Trojan:Win32/Ghodow.A


Trojan:Win32/Ghodow.A is a trojan that modifies the hard disk's MBR (Master Boot Record) and unhooks various SSDT entries. It downloads and executes arbitrary files from a remote host.


What to do now

Manual removal is not recommended for this threat. To detect and remove this threat and other malicious software that may have been installed, run a full-system scan with an up-to-date antivirus product such as Microsoft Security Essentials, or the Microsoft Safety Scanner. For more information about using antivirus software, see http://www.microsoft.com/security/antivirus/av.aspx.

Threat behavior

Trojan:Win32/Ghodow.A is a trojan that modifies the hard disk's MBR (Master Boot Record) and unhooks various SSDT entries. It downloads and executes arbitrary files from a remote host.
Installation
Trojan:Win32/Ghodow.A may consist of several components. When executed, it may drop the following files on the infected computer (the same files listed under Symptoms below):
  • %ProgramFiles%\msdn\atixx.sys
  • %ProgramFiles%\msdn\atixi.sys
  • %ProgramFiles%\msdn\000000000
Payload
Downloads and executes arbitrary files
Trojan:Win32/Ghodow.A's component file "atixx.sys" injects the other component file "000000000" into a process of its choosing; the injected code then downloads arbitrary files from a remote host.
 
Modifies MBR (Master Boot Record)
Trojan:Win32/Ghodow.A's component file "atixx.sys" modifies the hard disk's MBR (Master Boot Record) and writes a loader portion directly to disk sectors, so the loader runs at boot before Windows and before any security software has started.
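As an added example (not part of the original Microsoft entry), the following Python script shows the MBR triage check a responder would run on a machine suspected of an MBR-modifying loader like this one: parse sector 0, hash the bootstrap-code region, and diff it against a known-good baseline so that a replaced bootstrap with an intact partition table (the pattern that keeps the system bootable after sector 0 is overwritten) shows up as a finding. The two sample sectors are constructed for illustration and are not real Ghodow data; `read_live_mbr` assumes a Windows host with administrator rights and the default `\\.\PhysicalDrive0` device path.

```python
"""Triage helper: parse a 512-byte MBR and diff it against a known-good baseline."""
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_END = 440        # bytes 0..439 hold the bootstrap code a bootkit replaces
DISK_SIG_OFF = 440         # 4-byte Windows disk signature
PART_TABLE_OFF = 446       # four 16-byte partition entries
PART_ENTRY_LEN = 16
SIGNATURE_OFF = 510        # 0x55AA boot signature


def parse_mbr(mbr: bytes) -> dict:
    """Split an MBR into the fields that matter for bootkit triage."""
    if len(mbr) != MBR_SIZE:
        raise ValueError(f"expected {MBR_SIZE} bytes, got {len(mbr)}")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFF + i * PART_ENTRY_LEN
        status, _chs_start, ptype, _chs_end, lba_start, sectors = struct.unpack_from(
            "<B3sB3sII", mbr, off)
        if ptype == 0:
            continue  # empty slot
        partitions.append({"index": i, "active": status == 0x80, "type": ptype,
                           "lba_start": lba_start, "sectors": sectors})
    return {
        "boot_code_sha256": hashlib.sha256(mbr[:BOOT_CODE_END]).hexdigest(),
        "disk_signature": struct.unpack_from("<I", mbr, DISK_SIG_OFF)[0],
        "partitions": partitions,
        "signature_ok": mbr[SIGNATURE_OFF:] == b"\x55\xaa",
    }


def diff_mbr(current: bytes, baseline: bytes) -> list:
    """Return human-readable findings where `current` deviates from `baseline`."""
    cur, base = parse_mbr(current), parse_mbr(baseline)
    findings = []
    if not cur["signature_ok"]:
        findings.append("boot signature 0x55AA missing: sector is corrupt or not an MBR")
    if cur["boot_code_sha256"] != base["boot_code_sha256"]:
        findings.append("bootstrap code (bytes 0-439) differs from baseline")
    if cur["partitions"] != base["partitions"]:
        findings.append("partition table differs from baseline")
    if cur["disk_signature"] != base["disk_signature"]:
        findings.append("disk signature differs from baseline")
    return findings


def build_mbr(boot_code: bytes, disk_sig: int, partitions: list) -> bytes:
    """Assemble a synthetic MBR (used here only to construct sample input)."""
    sector = bytearray(MBR_SIZE)
    sector[:len(boot_code)] = boot_code
    struct.pack_into("<I", sector, DISK_SIG_OFF, disk_sig)
    for i, (active, ptype, lba_start, sectors) in enumerate(partitions):
        struct.pack_into("<B3sB3sII", sector, PART_TABLE_OFF + i * PART_ENTRY_LEN,
                         0x80 if active else 0x00, b"\xff\xff\xff", ptype,
                         b"\xff\xff\xff", lba_start, sectors)
    sector[SIGNATURE_OFF:] = b"\x55\xaa"
    return bytes(sector)


# Constructed samples (not real Ghodow data): a "clean" MBR, and one whose
# bootstrap code was replaced while the partition table and disk signature were
# left intact, which is how a loader stays bootable after overwriting sector 0.
NTFS_PART = [(True, 0x07, 63, 2_000_000)]
CLEAN_MBR = build_mbr(b"\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * 100, 0x1234ABCD, NTFS_PART)
TAMPERED_MBR = build_mbr(b"\xeb\x00" + b"\xcc" * 200, 0x1234ABCD, NTFS_PART)


def read_live_mbr(device=r"\\.\PhysicalDrive0") -> bytes:
    """Read sector 0 of a physical disk; needs administrator rights on Windows."""
    with open(device, "rb") as disk:
        return disk.read(MBR_SIZE)


if __name__ == "__main__":
    for label, sample in (("clean", CLEAN_MBR), ("tampered", TAMPERED_MBR)):
        print(label, diff_mbr(sample, CLEAN_MBR) or ["no deviation from baseline"])
```

In practice the baseline is the bootstrap-code hash recorded from a known-good image of the same disk layout; comparing only the partition table is not enough, because this family leaves it alone and swaps the code in front of it.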
 
Unhooks SSDT (System Service Descriptor Table) entries
Trojan:Win32/Ghodow.A unhooks the following kernel routines, which security software commonly uses to be notified of image loads, process creation and thread creation (the original entry lists them as SSDT entries; strictly they are kernel callback-registration APIs rather than system service table entries, and neutralizing them blinds products that depend on those callbacks):
 
  • PsSetLoadImageNotifyRoutine
  • PsSetCreateProcessNotifyRoutine
  • PsSetCreateThreadNotifyRoutine
Additional information
Trojan:Win32/Ghodow.A only attempts to affect Windows XP systems.
 
Analysis by Chun Feng

Symptoms

System changes
The following system changes may indicate the presence of this malware:
  • The presence of the following files:
    • %ProgramFiles%\msdn\atixx.sys
    • %ProgramFiles%\msdn\atixi.sys
    • %ProgramFiles%\msdn\000000000

Prevention


Alert level: Severe
First detected by definition: 1.79.130.0
Latest detected by definition: 1.173.2181.0 and higher
First detected on: Mar 18, 2010
This entry was first published on: Mar 31, 2010
This entry was updated on: Apr 17, 2011

This threat is also detected as:
  • Trojan.Win32.KillAV.fqi (Kaspersky)
  • Win32/Bvatik.A (CA)
  • Win32/Dalixi.A (ESET)
  • Trojan.Win32.Killav (Ikarus)
  • Trojan.Win32.KillAV.csw (Rising AV)
  • Trojan.Win32.Killav (Sunbelt Software)
  • Trojan.Mebratix (Symantec)
  • TROJ_KILLAV.AJF (Trend Micro)