Corscaria
2006-06-22, 09:04
I just removed what seems to be a rootkit from my system.
the rootkit is composed of 3 files
C:\Documents and Settings\<account>\Application Data\hidn\hidn.exe
C:\Documents and Settings\<account>\Application Data\hidn\hidn1.exe
C:\Documents and Settings\<account>\Application Data\hidn\m_hook.sys
no hits for hidn.exe or hidn1.exe on google
m_hook.sys however is listed as part of a rootkit with the files hidires.exe and hidires1.exe
obviously this is a new variant
this is how it seems to work, from the fight I just had with it:
m_hook.sys is the actual rootkit
hidn.exe deletes regedit, spybotsd.exe (and prevents creation on install), hides hidn1.exe from the tasklist, and makes its folder invisible (even when hidden and system files are visible)
hidn1.exe hides hidn.exe from the tasklist and explorer
occasionally firefox pseudo-crashes (crash window, but keeps working 100% unless you click ok on the crash window), which I believe is the rootkit trying to contact home.
I have hidn.exe and m_hook.sys archived for analysis; unfortunately hidn1.exe was irreparably mangled while I ripped it from my system. I'll be sending what I have to Trend Micro (my fave virus/trojan/worm/etc scanner). If Safer Networking would like a copy to analyze, PM me. I will only give this to people with moderator access, to prevent misuse.
If Spybot seems to fully install for you without problem, but won't execute, see if spybotsd.exe exists. If it doesn't, this could be your problem.
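The post gives three file-path indicators and one side effect (a missing spybotsd.exe). Below is an added example, not code from the post or from Safer Networking, that turns those into a simple check a responder can run over a profile tree: it looks for the `Application Data\hidn` folder and its three files under every account directory, and reports whether a Spybot install directory has lost its main executable. The profile root, the Spybot directory, and the sample tree built by `demo()` are constructed for the example. One caveat follows directly from the post: the rootkit hides its folder even when hidden and system files are shown, so a live scan through the normal directory API may be blinded; run a check like this from a clean boot or against an offline copy of the disk, and treat filename matching as weak, since the post itself notes the names changed from the earlier hidires variant.

```python
"""Check a Windows profile tree for the 'hidn' rootkit indicators
described in the post (example code, not the forum's or Spybot's)."""
import os
import tempfile

# Indicators quoted in the post: a 'hidn' folder under each account's
# Application Data, holding these three files.
HIDN_SUBDIR = os.path.join("Application Data", "hidn")
HIDN_FILES = ("hidn.exe", "hidn1.exe", "m_hook.sys")
# The post reports the dropper deleting Spybot's main executable.
SPYBOT_EXE = "spybotsd.exe"


def scan_profiles(profiles_root):
    """Return (account, path) pairs for every indicator found under
    profiles_root, assumed to be 'Documents and Settings' (one folder
    per user account). Note: on a live infected box the hidn folder
    may be filtered out of this listing by the rootkit's own hooks."""
    findings = []
    if not os.path.isdir(profiles_root):
        return findings
    for account in sorted(os.listdir(profiles_root)):
        hidn_dir = os.path.join(profiles_root, account, HIDN_SUBDIR)
        if not os.path.isdir(hidn_dir):
            continue
        # The folder itself is an indicator even if the files were removed.
        findings.append((account, hidn_dir))
        for name in HIDN_FILES:
            path = os.path.join(hidn_dir, name)
            if os.path.isfile(path):
                findings.append((account, path))
    return findings


def spybot_executable_missing(install_dir):
    """True when the Spybot directory exists but spybotsd.exe is gone,
    the symptom the post describes for a blocked install."""
    exe = os.path.join(install_dir, SPYBOT_EXE)
    return os.path.isdir(install_dir) and not os.path.isfile(exe)


def demo():
    """Build a constructed sample tree in a temp dir, scan it and
    return a summary dict. Paths and contents are made up here."""
    base = tempfile.mkdtemp(prefix="hidn_demo_")
    profiles = os.path.join(base, "Documents and Settings")
    # Clean account: only an unrelated Application Data sub-folder.
    os.makedirs(os.path.join(profiles, "alice", "Application Data", "Mozilla"))
    # Infected account: the hidn folder with two of the three files
    # (mirroring the post, where hidn1.exe did not survive removal).
    infected = os.path.join(profiles, "bob", HIDN_SUBDIR)
    os.makedirs(infected)
    for name in ("hidn.exe", "m_hook.sys"):
        with open(os.path.join(infected, name), "wb") as fh:
            fh.write(b"MZ placeholder - constructed, not a real binary")
    # Spybot directory present but its executable deleted.
    spybot_dir = os.path.join(base, "Program Files", "Spybot - Search & Destroy")
    os.makedirs(spybot_dir)

    findings = scan_profiles(profiles)
    return {
        "infected_accounts": sorted({acct for acct, _ in findings}),
        "indicator_files": sorted(os.path.basename(p)
                                  for _, p in findings if os.path.isfile(p)),
        "spybot_exe_missing": spybot_executable_missing(spybot_dir),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

On a real system you would point `scan_profiles` at the mounted offline drive's `Documents and Settings` directory rather than at the live `C:` tree, for the reason given above.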