Removed: yrjuug.sys
Malware: C:\sand-box\load.exe
Removed: C:\WINDOWS\system32\drivers\yrjuug.sys
—————————————————————————————————————————-
Classification:
| Antivirus | Version | Last Update | Result |
|---|---|---|---|
| F-Secure | 9.0.15370.0 | 2010.02.03 | - |
| Kaspersky | 7.0.0.125 | 2010.02.04 | Trojan-Dropper.Win32.Agent.bloh |
| McAfee | 5881 | 2010.02.03 | W32/Koobface.worm.gen.ae |
| Microsoft | 1.5406 | 2010.02.03 | - |
| NOD32 | 4833 | 2010.02.03 | Win32/Rootkit.Agent.NIA |
—————————————————————————————————————————-
Additional information
File size: 53248 bytes
MD5 : b4ff6bcf2688f2ade5aa38b7c377b2ad
SHA1 : e629e8a0a5d572c8e931ce2a81a93f44cbef1407
SHA256: ecbebf46b9dd3acd689f037c86b51d1d90bb5dd268af4c098f00389eb75aab7b
—————————————————————————————————————————-
Installation
When the program is executed, it creates the following registry subkeys and values. The Services\gclzvelrrr key registers yrjuug.sys as a kernel-mode driver (Type 0x00000001, SERVICE_KERNEL_DRIVER) that is loaded automatically at boot (Start 0x00000002, SERVICE_AUTO_START); the Enum\Root\LEGACY_GCLZVELRRR key is the device node Windows creates for a non-PnP driver once it has been started (Class "LegacyDriver", ClassGUID {8ECC055D-047F-11D1-A537-0000F8753ED1}):
———————————-
Keys added:4
———————————-
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_GCLZVELRRR
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_GCLZVELRRR\0000
HKLM\SYSTEM\CurrentControlSet\Services\gclzvelrrr
HKLM\SYSTEM\CurrentControlSet\Services\gclzvelrrr\Security
———————————-
Values added:15
———————————-
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_GCLZVELRRR\0000\Service: “gclzvelrrr”
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_GCLZVELRRR\0000\Legacy: 0x00000001
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_GCLZVELRRR\0000\ConfigFlags: 0x00000000
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_GCLZVELRRR\0000\Class: “LegacyDriver”
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_GCLZVELRRR\0000\ClassGUID: “{8ECC055D-047F-11D1-A537-0000F8753ED1}”
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_GCLZVELRRR\0000\DeviceDesc: “gclzvelrrr”
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_GCLZVELRRR\0000\Capabilities: 0x00000000
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_GCLZVELRRR\NextInstance: 0x00000001
HKLM\SYSTEM\CurrentControlSet\Services\gclzvelrrr\Security\Security: 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 00 01 02 00 00 00 00 00 05 20 00 00 00 20 02 00 00 00 00 14 00 8D 01 02 00 01 01 00 00 00 00 00 05 0B 00 00 00 00 00 18 00 FD 01 02 00 01 02 00 00 00 00 00 05 20 00 00 00 23 02 00 00 01 01 00 00 00 00 00 05 12 00 00 00 01 01 00 00 00 00 00 05 12 00 00 00
HKLM\SYSTEM\CurrentControlSet\Services\gclzvelrrr\Type: 0x00000001
HKLM\SYSTEM\CurrentControlSet\Services\gclzvelrrr\Start: 0x00000002
HKLM\SYSTEM\CurrentControlSet\Services\gclzvelrrr\ErrorControl: 0x00000000
HKLM\SYSTEM\CurrentControlSet\Services\gclzvelrrr\ImagePath: “\??\C:\WINDOWS\system32\drivers\yrjuug.sys”
HKLM\SYSTEM\CurrentControlSet\Services\gclzvelrrr\DisplayName: “gclzvelrrr”
HKLM\SYSTEM\CurrentControlSet\Services\gclzvelrrr\RulesData: 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 74 00 5C 00 52 00 45 00 47 00 49 00 53 00 54 00 52 00 59 00 5C 00 4D 00 41 00 43 00 48 00 49 00 4E 00 45 00 5C 00 53 00 59 00 53 00 54 00 45 00 4D 00 5C 00 43 00 6F 00 6E 00 74 00 72 00 6F 00 6C 00 53 00 65 00 74 00 30 00 30 00 31 00 5C 00 53 00 65 00 72 00 76 00 69 00 63 00 65 00 73 00 5C 00 67 00 63 00 6C 00 7A 00 76 00 65 00 6C 00 72 00 72 00 72 00 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 76 00 5C 00 44 00 65 00 76 00 69 00 63 00 65 00 5C 00 48 00 61 00 72 00 64 00 64 00 69 00 73 00 6B 00 56 00 6F 00 6C 00 75 00 6D 00 65 00 31 00 5C 00 57 00 49 00 4E 00 44 00 4F 00 57 00 53 00 5C 00 73 00 79 00 73 00 74 00 65 00 6D 00 33 00 32 00 5C 00 64 00 72 00 69 00 76 00 65 00 72 00 73 00 5C 00 79 00 72 00 6A 00 75 00 75 00 67 00 2E 00 73 00 79 00 73 00 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 70 00 5C 00 44 00 65 00 76 00 69 00 63 00 65 00 5C 00 48 00 61 00 72 00 64 00 64 00 69 00 73 00 6B 00 56 00 6F 00 6C 00 75 00 6D 00 65 00 31 00 5C 00 57 00 49 00 4E 00 44 00 4F 00 57 00 53 00 5C 00 73 00 79 00 73 00 74 00 65 00 6D 00 33 00 32 00 5C 00 64 00 72 00 69 00 76 00 65 00 72 00 73 00 5C 00 73 00 74 00 72 00 2E 00 73 00 79 00 73 00 00 00
———————————-
Values modified:2
———————————-
HKLM\SYSTEM\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable: 0x00000001
HKLM\SYSTEM\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable: 0x00000000
———————————-
Files added:2
———————————-
C:\WINDOWS\system32\drivers\str.sys
C:\WINDOWS\system32\drivers\yrjuug.sys
———————————-
Files deleted:1
———————————-
C:\sand-box\load.exe
———————————-
Total changes:24
———————————-
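The Security value under the service key is a self-relative SECURITY_DESCRIPTOR, and decoding it answers a question a responder will have: did the dropper weaken the service ACL so that a low-privileged account could reconfigure, stop or restart the driver? The Python script below is an added example (not part of the report or of UnHackMe) that parses the hex copied from the value above into owner, group, SACL and DACL and compares the DACL with the one Windows XP assigns to a service created without an explicit descriptor. The XP default DACL constant is the editor's, written out from the XP default service SDDL; everything else is decoded from the bytes.

```python
r"""Decode the self-relative security descriptor stored in
HKLM\SYSTEM\CurrentControlSet\Services\gclzvelrrr\Security\Security.

Added example, not part of the original report or of UnHackMe.
"""
import struct

# Hex copied from the Security value in the report above.
SERVICE_SD_HEX = """
01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00
02 00 1C 00 01 00 00 00
02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00
02 00 60 00 04 00 00 00
00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00
00 00 18 00 FF 01 0F 00 01 02 00 00 00 00 00 05 20 00 00 00 20 02 00 00
00 00 14 00 8D 01 02 00 01 01 00 00 00 00 00 05 0B 00 00 00
00 00 18 00 FD 01 02 00 01 02 00 00 00 00 00 05 20 00 00 00 23 02 00 00
01 01 00 00 00 00 00 05 12 00 00 00
01 01 00 00 00 00 00 05 12 00 00 00
"""

SE_DACL_PRESENT, SE_SACL_PRESENT, SE_SELF_RELATIVE = 0x0004, 0x0010, 0x8000
ACE_TYPES = {0x00: "ACCESS_ALLOWED", 0x01: "ACCESS_DENIED", 0x02: "SYSTEM_AUDIT"}
SERVICE_ALL_ACCESS = 0x000F01FF

# DACL Windows XP gives a service created without an explicit descriptor
# (SDDL: (A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)
#        (A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)), as (SID, mask).
XP_DEFAULT_SERVICE_DACL = [
    ("S-1-5-18", 0x000201FD),              # LocalSystem
    ("S-1-5-32-544", SERVICE_ALL_ACCESS),  # Administrators
    ("S-1-5-11", 0x0002018D),              # Authenticated Users: query/read only
    ("S-1-5-32-547", 0x000201FD),          # Power Users
]


def parse_sid(buf, off):
    """Return (SID string, size in bytes) for the SID starting at buf[off]."""
    revision, sub_count = buf[off], buf[off + 1]
    authority = int.from_bytes(buf[off + 2:off + 8], "big")   # 48-bit, big-endian
    subs = struct.unpack_from("<%dI" % sub_count, buf, off + 8)
    sid = "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)
    return sid, 8 + 4 * sub_count


def parse_acl(buf, off):
    """Parse the ACL at buf[off] into a list of ACE dicts."""
    _rev, _sbz1, _size, ace_count, _sbz2 = struct.unpack_from("<BBHHH", buf, off)
    aces, pos = [], off + 8
    for _ in range(ace_count):
        ace_type, flags, ace_size, mask = struct.unpack_from("<BBHI", buf, pos)
        sid, _ = parse_sid(buf, pos + 8)
        aces.append({"type": ACE_TYPES.get(ace_type, ace_type),
                     "flags": flags, "mask": mask, "sid": sid})
        pos += ace_size     # advance by the ACE's own size so padding is honoured
    return aces


def parse_security_descriptor(blob):
    """Parse a SECURITY_DESCRIPTOR_RELATIVE (revision 1) into a dict."""
    revision, _sbz, control, owner_off, group_off, sacl_off, dacl_off = \
        struct.unpack_from("<BBHIIII", blob, 0)
    if revision != 1 or not control & SE_SELF_RELATIVE:
        raise ValueError("not a revision-1 self-relative security descriptor")
    return {
        "control": control,
        "owner": parse_sid(blob, owner_off)[0] if owner_off else None,
        "group": parse_sid(blob, group_off)[0] if group_off else None,
        "sacl": parse_acl(blob, sacl_off) if control & SE_SACL_PRESENT and sacl_off else [],
        "dacl": parse_acl(blob, dacl_off) if control & SE_DACL_PRESENT and dacl_off else [],
    }


def dacl_is_xp_default(sd):
    """True if the DACL grants exactly the XP default service rights and denies nothing."""
    allowed = [(a["sid"], a["mask"]) for a in sd["dacl"] if a["type"] == "ACCESS_ALLOWED"]
    denied = [a for a in sd["dacl"] if a["type"] == "ACCESS_DENIED"]
    return not denied and allowed == XP_DEFAULT_SERVICE_DACL


def service_sd(dump=SERVICE_SD_HEX):
    return parse_security_descriptor(bytes.fromhex("".join(dump.split())))


if __name__ == "__main__":
    sd = service_sd()
    print("owner=%s group=%s control=0x%04X" % (sd["owner"], sd["group"], sd["control"]))
    for section in ("sacl", "dacl"):
        for ace in sd[section]:
            print("%s %-14s flags=0x%02X mask=0x%08X %s"
                  % (section.upper(), ace["type"], ace["flags"], ace["mask"], ace["sid"]))
    print("DACL is the XP default:", dacl_is_xp_default(sd))
```

For this sample the script reports owner and group S-1-5-18 (LocalSystem), a SACL with one failed-access audit ACE for Everyone (S-1-1-0), four allow ACEs for LocalSystem, Administrators, Authenticated Users and Power Users, and dacl_is_xp_default() returns True: the dropper relies on running as a kernel driver, not on a loosened ACL. On a live machine the same descriptor can be read with `sc sdshow gclzvelrrr`.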
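The RulesData blob is not opaque: it is three records, each carrying a length-prefixed UTF-16LE NT object name. The Python script below is an added example (not from the report or from UnHackMe) that decodes it from the hex copied above. The record layout it assumes, a 4-byte tag, 20 zero bytes, a 2-byte length in bytes, the string, and a 2-byte terminator, is inferred from the blob itself, not from any documented format. The names it recovers are the driver's own service key in native registry form (tag 3) and the two files yrjuug.sys and str.sys as \Device\HarddiskVolume1 paths (tag 2): exactly the objects the dropper creates. That is consistent with a rootkit keeping a list of its own artifacts to hide or protect, but the report does not show what the driver does with the list.

```python
r"""Decode the RulesData blob stored under
HKLM\SYSTEM\CurrentControlSet\Services\gclzvelrrr.

Added example, not part of the original report or of UnHackMe. The record
layout (4-byte tag, 20 zero bytes, 2-byte length in bytes, UTF-16LE string,
2-byte terminator) is inferred from the blob itself and is an assumption.
"""
import struct

# Hex copied from the RulesData value in the report above, one record per group
# (tag line, 20 reserved zero bytes, length + string, terminator at the end).
RULESDATA_HEX = """
03 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
74 00
5C 00 52 00 45 00 47 00 49 00 53 00 54 00 52 00 59 00 5C 00 4D 00 41 00 43 00 48 00 49 00 4E 00 45 00
5C 00 53 00 59 00 53 00 54 00 45 00 4D 00 5C 00 43 00 6F 00 6E 00 74 00 72 00 6F 00 6C 00 53 00 65 00 74 00 30 00 30 00 31 00
5C 00 53 00 65 00 72 00 76 00 69 00 63 00 65 00 73 00 5C 00 67 00 63 00 6C 00 7A 00 76 00 65 00 6C 00 72 00 72 00 72 00 00 00
02 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
76 00
5C 00 44 00 65 00 76 00 69 00 63 00 65 00 5C 00 48 00 61 00 72 00 64 00 64 00 69 00 73 00 6B 00 56 00 6F 00 6C 00 75 00 6D 00 65 00 31 00
5C 00 57 00 49 00 4E 00 44 00 4F 00 57 00 53 00 5C 00 73 00 79 00 73 00 74 00 65 00 6D 00 33 00 32 00 5C 00 64 00 72 00 69 00 76 00 65 00 72 00 73 00
5C 00 79 00 72 00 6A 00 75 00 75 00 67 00 2E 00 73 00 79 00 73 00 00 00
02 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
70 00
5C 00 44 00 65 00 76 00 69 00 63 00 65 00 5C 00 48 00 61 00 72 00 64 00 64 00 69 00 73 00 6B 00 56 00 6F 00 6C 00 75 00 6D 00 65 00 31 00
5C 00 57 00 49 00 4E 00 44 00 4F 00 57 00 53 00 5C 00 73 00 79 00 73 00 74 00 65 00 6D 00 33 00 32 00 5C 00 64 00 72 00 69 00 76 00 65 00 72 00 73 00
5C 00 73 00 74 00 72 00 2E 00 73 00 79 00 73 00 00 00
"""

# Assumed record header: tag, 20 reserved bytes (all zero here), byte length of the string.
RECORD_HEADER = struct.Struct("<I20sH")


def parse_rulesdata(blob):
    """Return [(tag, name), ...] for every record; raise ValueError on malformed input."""
    records, off = [], 0
    while off < len(blob):
        if off + RECORD_HEADER.size > len(blob):
            raise ValueError("truncated record header at offset %d" % off)
        tag, reserved, length = RECORD_HEADER.unpack_from(blob, off)
        if reserved.strip(b"\x00"):
            raise ValueError("unexpected non-zero reserved bytes at offset %d" % off)
        off += RECORD_HEADER.size
        if length % 2 or off + length + 2 > len(blob):
            raise ValueError("bad string length %d at offset %d" % (length, off))
        name = blob[off:off + length].decode("utf-16-le")
        off += length
        if blob[off:off + 2] != b"\x00\x00":
            raise ValueError("missing terminator at offset %d" % off)
        off += 2
        records.append((tag, name))
    return records


def rulesdata_entries(dump=RULESDATA_HEX):
    """Parse a hex dump of the value (whitespace ignored) into (tag, name) pairs."""
    return parse_rulesdata(bytes.fromhex("".join(dump.split())))


if __name__ == "__main__":
    for tag, name in rulesdata_entries():
        print("tag=%d %s" % (tag, name))
```

The parser refuses anything that does not fit the assumed layout rather than guessing, so running it against a RulesData value from another sample that comes back with a ValueError tells you the format differs, not that the list is empty.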
—————————————————————————————————————————-
Detected by UnHackMe:
- none -
After first reboot detected by UnHackMe:
Item Name: gclzvelrrr
Author:
Related File: \??\C:\WINDOWS\system32\drivers\yrjuug.sys
Type: Services detected by Partizan
Removal Results: Success
Number of reboot: 1
—————————————————————————————————————————-
Recommended software:
UnHackMe anti-rootkit and anti-malware
http://www.unhackme.com
RegRun Security Suite (Good choice for removal and protection)
http://www.regrun.com