Sunday, July 15, 2007

Some new malware - a.exe, gop.exe etc

We have some "new" malware this time, ranging from trojans to rootkits. One of them is a trojan which detected by some of the AVs as Trojan.Shadu. The dropped file has is named as a.exe. More information about this can be obtained here.

And, another one is a trojan which drops a rootkit. The trojan dropper drops a file named Gop.exe which installs a rootkit. AntiVir detects Gop.exe as TR/Small.DBY.DB. The rootkit driver that's installed by Gop.exe is named as vdo_4e2b-928.sys (generally, it will be named as vdo_[random_numbers]-[random_numbers].sys) and belongs to Win32.Tibs family. More information about this can be obtained here.

Labels: , ,


Blogger Phil said...

although my system doesn't have a.exe or gop.exe I do have vdo_3526-4ef8.sys running.

I have searched through the hard disk and the registry and can't find a single entry for this file but it is getting loaded as a service (I have a program that displays ALL services).

vdo_3526-4ef8 first disables the firewall in defender, it changes the registry so that the firwall service doesn't get started (it disables the service).

If you restart the firewall service you will eventually get a blue screen of death with a 'page fault in non paged memory' error... this is what led me to find this bugger!

I have 5 minidump files and each one shows vdo_3526-4ef8 as the active process at the time of the crash.

I have run 3 AV programs and none of them have detected this even though AVAST detected it on one of your other posts.

I think another process is spawning vdo_3526-4ef8 then renaming the file to something else to keep it hidden.

My system does not have the a.exe, gop.exe or syso*.exe payload files that you have described.


phil dot petree at gmail dot com

8:59 AM  
Blogger swatkat said...

Hi phil,
Actually, vdo_3526-4ef8.sys is part of a rootkit. When this driver is loaded, it hooks/manipulates some Kernel mode functions. By this, it becomes "invisible" to normal AV programs. You have to use Anti-Rootkit tools to remove this rootkit. You may use F-Secure BlackLight ( ) or AVG Anti-Rootkit ( ) to remove the rootkit easily.

2:00 AM  

Post a Comment

<< Home