NTRootKit-AB

This page shows details and results of our analysis of the malware NTRootKit-AB.

Overview

NTRootkit-AB is a .SYS file that installs as a device driver and attempts to terminate anti-virus processes.

The rootkit is primarily dropped by the W32/Sality.ae parasitic file infector.

W32/Sality.ae VIL description is here:

http://vil.nai.com/vil/content/v_144417.htm

Minimum DAT: 5279 (2008-04-22)

Updated DAT: 5384 (2008-09-15)

Minimum Engine: 5.2.00

File Length: N/A

Description Added: 2008-04-22

Description Modified: 2009-02-16

Malware Proliferation

Characteristics

Installs as device driver.

Dropped with a random filename (*.sys) into c:\windows\system32\drivers\.

Its device driver description pretends to be either WMI-related or IP-filtering-related.

Deletes itself after successfully loading.
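As an added defender-side triage example (not part of the McAfee description), the following PowerShell snippet enumerates the host's kernel driver services and flags the characteristics listed above: a driver image under system32\drivers that no longer exists on disk, or a display name/description claiming WMI or IP-filtering functionality. The keyword pattern and the local, elevated session are assumptions.

```powershell
# Added triage example, not part of the original description.
# Assumes a local, elevated PowerShell session on the Windows host being checked.
$driverDir = Join-Path $env:SystemRoot 'System32\drivers'
$hits = @()

foreach ($drv in Get-CimInstance -ClassName Win32_SystemDriver) {
    $reasons = @()

    # Normalise the image path: service entries may use \??\, \SystemRoot\ or
    # bare system32\ prefixes instead of a full drive path.
    $path = $drv.PathName
    if ($path) {
        $path = $path -replace '^\\\?\?\\', ''
        $path = $path -replace '^\\SystemRoot\\', ($env:SystemRoot + '\')
        $path = $path -replace '^system32\\', ($env:SystemRoot + '\System32\')
    }
    $onDisk = $path -and (Test-Path -LiteralPath $path)

    # Characteristic: the driver deletes its own file after loading, so a
    # driver service whose image is missing deserves a look.
    if ($path -and -not $onDisk) { $reasons += 'image missing on disk' }

    # Characteristic: dropped into system32\drivers with a description that
    # claims to be WMI or IP-filtering related (keyword pattern is an assumption).
    $text = "$($drv.DisplayName) $($drv.Description)"
    if ($path -like "$driverDir\*" -and $text -match 'WMI|IP\s?Filter') {
        $reasons += 'WMI/IP-filter description'
    }

    if ($reasons.Count -gt 0) {
        # Signature status helps separate genuine Microsoft filter drivers from impostors.
        $sig = if ($onDisk) { (Get-AuthenticodeSignature -FilePath $path).Status } else { 'n/a' }
        $hits += [pscustomobject]@{
            Driver    = $drv.Name
            State     = $drv.State
            Path      = $path
            Signature = $sig
            Reasons   = ($reasons -join '; ')
        }
    }
}

$hits | Format-Table -AutoSize
```

Windows' own IP filter and WMI drivers will also match the keyword test, so treat the output as a list of candidates to verify (signature status, file age, dropper context), not as detections.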

Symptoms

AV software terminates and cannot be restarted. The rootkit attacks many leading AV solutions, including those from:

McAfee

Microsoft

Kaspersky

BitDefender

F-Secure

Method of Infection

Dropped by W32/Sality.ae

Removal

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system registry and/or INI files for the purpose of hooking system startup will be removed when cleaning with the recommended engine and DAT combination (or higher).

Variants