Generic Rootkit.x

This page shows details and results of our analysis on the malware Generic Rootkit.x

Overview

Rootkits are programs (typically kernel device drivers) that can be paired with any malware to hide, or "stealth", files, processes, registry keys, and network connections. Generic RootKit.x is one of the generic detections for this class of malicious programs.


Minimum DAT

5538 (2009-02-27)

Updated DAT

5761 (2009-10-04)

Minimum Engine

5.2.00

File Length

Varies

Description Added

2009-02-27

Description Modified

2009-03-03

Characteristics

This detection, Generic RootKit.x, covers several distinct trojan variants, so this description is a general guide rather than an exact profile of any one sample.

Rootkits are programs (typically kernel device drivers) that can be paired with any malware to hide, or "stealth", files, processes, registry keys, and network connections, making the malware harder to detect and remove. This is one of the generic detections for this class of malicious programs.

As new trojans are frequently added to this detection, users are recommended to use the latest engine/DAT combination for optimal detection.

Exact details (filenames, Registry keys, file size) will vary between variants.

Typically, a Generic RootKit.x variant installs itself into %systemdir%\drivers\ or %systemdir%, registers itself as a service, and configures that service to start automatically at boot.

The following kernel functions are usually hooked to hide files and registry entries (IofCallDriver and IofCompleteRequest sit on the kernel I/O request path, so hooking them lets the rootkit filter file-system results; NtEnumerateKey and NtQueryValueKey serve registry queries):

  • IofCallDriver
  • IofCompleteRequest
  • NtFlushInstructionCache
  • NtEnumerateKey
  • NtQueryValueKey

These hijacked functions are detected as Generic Rootkit.d!rootkit.

The following hidden files are known to be dropped in the %WINDOWS%\system32 directory:

  • gaopdxcounter
  • gaopdx[random].dll - detected as DNSChanger.r

(where %WINDOWS% is the Windows directory e.g. C:\Windows)

Usually creates the following hidden registry entries. The "disallowed" key holds one value per name; the value names are executables and kernel drivers belonging to anti-malware products, which is consistent with the key being a list of security tools the rootkit blocks or avoids:

  • HKEY_LOCAL_MACHINE\SOFTWARE\gaopdx
  • HKEY_LOCAL_MACHINE\SOFTWARE\gaopdx\disallowed, with the values:
      avp.exe
      klif.sys
      mrt.exe
      spybotsd.exe
      sasdifsv.sys
      saskutil.sys
      sasenum.sys
      szkg.sys
      szserver.exe

Some variants also disable the Windows Firewall by setting the following registry values to 0. ControlSet001 is how the analysis recorded them; on a live system the active control set is HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet, which may map to a different ControlSet00N, so check all of them:

  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\EnableFirewall: 0x00000000
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall: 0x00000000
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\EnableFirewall: 0x00000000
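The following PowerShell triage script is an added example written for this page; it is not part of the original description and not McAfee's own tooling. It checks for the file, registry and firewall indicators listed above, both on the live system and (optionally) in a SOFTWARE hive loaded from a disk that was not booted, because the live view passes through the very functions the rootkit hooks. The file and registry names are those quoted above; the function names, the "OfflineSW" hive mount point and the assumption that the script runs from an elevated prompt are the editor's own.

```powershell
# Added triage example for the Generic RootKit.x indicators (editor's code, not
# from the original description). Run from an elevated PowerShell prompt.
$ErrorActionPreference = 'SilentlyContinue'

function Get-GaopdxFiles {
    # Hidden gaopdx* files in %WINDOWS%\system32. -Force includes Hidden/System
    # attributes. Caveat: a running rootkit that hooks IofCallDriver and
    # IofCompleteRequest can filter this listing, so an empty result on a live
    # system is not evidence that the system is clean.
    $sys32 = Join-Path $env:WINDIR 'system32'
    Get-ChildItem -Path $sys32 -Filter 'gaopdx*' -Force -File |
        Select-Object FullName, Length, Attributes, LastWriteTime
}

function Get-GaopdxRegistry {
    # The live registry view goes through NtEnumerateKey/NtQueryValueKey, both
    # of which the rootkit hooks; $Root can instead point at an offline hive
    # (see Test-OfflineSoftwareHive) so the two views can be compared.
    param([string]$Root = 'HKLM:\SOFTWARE')
    $key = "$Root\gaopdx"
    $values = @()
    if (Test-Path "$key\disallowed") {
        $values = (Get-Item "$key\disallowed").GetValueNames()
    }
    [pscustomobject]@{ Key = $key; Present = (Test-Path $key); Disallowed = $values }
}

function Test-OfflineSoftwareHive {
    # Mount the SOFTWARE hive of a non-running Windows installation (infected
    # disk attached to a clean machine, or from WinPE) and query it. The
    # mount point name "OfflineSW" is an arbitrary choice.
    param([Parameter(Mandatory)][string]$HivePath)
    reg.exe load 'HKLM\OfflineSW' $HivePath | Out-Null
    try     { Get-GaopdxRegistry -Root 'HKLM:\OfflineSW' }
    finally { reg.exe unload 'HKLM\OfflineSW' | Out-Null }
}

function Get-FirewallPolicyState {
    # The description records ControlSet001, but the live set is whatever
    # HKLM\SYSTEM\Select\Current names, so inspect every ControlSet00N.
    $current  = (Get-ItemProperty 'HKLM:\SYSTEM\Select').Current
    $profiles = 'DomainProfile', 'StandardProfile', 'PublicProfile'
    Get-ChildItem 'HKLM:\SYSTEM' |
        Where-Object { $_.PSChildName -match '^ControlSet\d{3}$' } |
        ForEach-Object {
            $cs = $_.PSChildName
            foreach ($p in $profiles) {
                $path = "HKLM:\SYSTEM\$cs\Services\SharedAccess\Parameters\FirewallPolicy\$p"
                if (-not (Test-Path $path)) { continue }   # e.g. no PublicProfile on XP
                $v = (Get-ItemProperty -Path $path -Name EnableFirewall).EnableFirewall
                [pscustomobject]@{
                    ControlSet     = $cs
                    IsLive         = ($cs -eq ('ControlSet{0:D3}' -f $current))
                    Profile        = $p
                    EnableFirewall = $v
                    Tampered       = ($v -eq 0)
                }
            }
        }
}

function Restore-FirewallPolicy {
    # Undo the tampering: EnableFirewall = 1 in every profile where it is 0.
    Get-FirewallPolicyState | Where-Object Tampered | ForEach-Object {
        $path = "HKLM:\SYSTEM\$($_.ControlSet)\Services\SharedAccess\Parameters\FirewallPolicy\$($_.Profile)"
        Set-ItemProperty -Path $path -Name EnableFirewall -Value 1 -Type DWord
        "re-enabled firewall: $($_.ControlSet)\$($_.Profile)"
    }
}

# Live triage. Rerun Get-GaopdxRegistry against an offline hive to compare views:
#   Test-OfflineSoftwareHive -HivePath 'D:\Windows\System32\config\SOFTWARE'
Get-GaopdxFiles         | Format-Table -AutoSize
Get-GaopdxRegistry      | Format-List
Get-FirewallPolicyState | Format-Table -AutoSize
```

A mismatch between the live view and the offline hive (the key visible offline but not live) is itself a strong indicator that a registry-hiding hook is active. Run Restore-FirewallPolicy only after the rootkit has been removed; otherwise the variant may simply reset the values.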

 

Symptoms

Unfortunately, the whole purpose of a rootkit is to hide the symptoms of malicious activity: it can potentially conceal running processes, files, registry keys, network activity and so on. A specific variant may not be "perfect", however, in the sense that some symptoms (files, registry entries, processes, network activity) may not be hidden and can be observed.

General symptoms for this Generic RootKit.x detection can be things such as:

  • Reduced system performance while Task Manager shows no process with high utilization
  • Increased disk space usage without visible files to account for it

Method of Infection

Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, email, etc.

These rootkit programs may also be dropped by other trojans, viruses and worms.

Removal

All Users:

Please use the following instructions for all supported versions of Windows to remove threats and other potential risks:

1. Disable System Restore.

2. Update to the current engine and DAT files for detection and removal.

3. Run a complete system scan.

Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be removed when cleaning with the recommended engine and DAT combination (or higher).

4. Restore a clean Master Boot Record from the Windows Recovery Console.

On Windows XP:

Insert the Windows XP CD into the CD-ROM drive and restart the computer.
When the "Welcome to Setup" screen appears, press R to start the Recovery Console.
Select the Windows installation that is compromised and provide the administrator password.
Issue the 'fixmbr' command to restore the Master Boot Record.
Follow the onscreen instructions.
Restart the computer and remove the CD from the CD-ROM drive.

On Windows Vista and 7:

Insert the Windows installation DVD into the drive and restart the computer.
Click "Repair Your Computer".
When the System Recovery Options dialog appears, choose Command Prompt.
Issue the 'bootrec /fixmbr' command to restore the Master Boot Record.
Follow the onscreen instructions.
Restart the computer and remove the DVD from the drive.
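Neither fixmbr nor bootrec reports what it replaced, so a practitioner will want to record the boot sector before the repair and confirm afterwards that the boot code changed while the partition table did not. The script below is an added example for that check, written for this page and not part of the original removal instructions. It reads sector 0 of a physical disk through a .NET FileStream, which needs an elevated prompt; disk number 0, the function names and the temporary file name are the editor's assumptions.

```powershell
# Added verification example for the MBR repair step (editor's code, not from
# the original removal instructions). Requires an elevated PowerShell prompt.
function Get-BootSector {
    # Read the first 512-byte sector of \\.\PhysicalDrive<N>.
    param([int]$DiskNumber = 0)
    $fs = New-Object System.IO.FileStream -ArgumentList @(
        "\\.\PhysicalDrive$DiskNumber",
        [System.IO.FileMode]::Open,
        [System.IO.FileAccess]::Read,
        [System.IO.FileShare]::ReadWrite)
    try {
        $buf = New-Object byte[] 512
        $n = $fs.Read($buf, 0, 512)
        if ($n -ne 512) { throw "short read ($n bytes) from PhysicalDrive$DiskNumber" }
        return $buf
    } finally { $fs.Dispose() }
}

function Get-MbrSummary {
    param([Parameter(Mandatory)][byte[]]$Sector)
    # Classic MBR layout: 0-439 boot code, 440-443 disk signature, 446-509 the
    # four 16-byte partition entries, 510-511 the 0x55AA signature. Only the
    # boot code is hashed: the partition table legitimately differs per machine.
    $sha  = [System.Security.Cryptography.SHA256]::Create()
    $hash = ($sha.ComputeHash([byte[]]$Sector[0..439]) | ForEach-Object { $_.ToString('x2') }) -join ''
    $partitions = foreach ($i in 0..3) {
        $e = [byte[]]$Sector[(446 + 16 * $i)..(446 + 16 * $i + 15)]
        if ($e[4] -ne 0) {                        # type 0x00 = unused entry
            [pscustomobject]@{
                Index    = $i
                Bootable = ($e[0] -eq 0x80)
                Type     = ('0x{0:X2}' -f $e[4])   # 0xEE = protective MBR of a GPT disk
                StartLBA = [System.BitConverter]::ToUInt32($e, 8)
                Sectors  = [System.BitConverter]::ToUInt32($e, 12)
            }
        }
    }
    [pscustomobject]@{
        ValidSignature = ($Sector[510] -eq 0x55 -and $Sector[511] -eq 0xAA)
        BootCodeSHA256 = $hash
        Partitions     = $partitions
    }
}

function Compare-BootCode {
    # Diff the current boot code against a copy saved before the repair.
    param([Parameter(Mandatory)][string]$BaselinePath, [int]$DiskNumber = 0)
    $now  = Get-BootSector -DiskNumber $DiskNumber
    $base = [System.IO.File]::ReadAllBytes($BaselinePath)
    $diff = @(0..439 | Where-Object { $now[$_] -ne $base[$_] })
    [pscustomobject]@{
        BootCodeChanged = ($diff.Count -gt 0)
        ChangedBytes    = $diff.Count
        FirstOffset     = $diff[0]
    }
}

# Before the repair: save the sector and record the boot-code hash.
$before = Get-BootSector
[System.IO.File]::WriteAllBytes("$env:TEMP\mbr-before.bin", $before)
Get-MbrSummary -Sector $before | Format-List

# After the repair, back in Windows: the boot code should differ from the
# saved copy and the partition table (Get-MbrSummary) should be unchanged.
# Compare-BootCode -BaselinePath "$env:TEMP\mbr-before.bin"
```

Compare before and after rather than against a fixed "known good" hash: the standard boot code written by fixmbr and bootrec differs between Windows versions, so a before/after diff plus an unchanged partition table is the reliable signal that the repair took effect.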

Variants