Rootkit or not?


Well, today I had what I thought was my first rootkit on the network. For those that don't know, a rootkit is malware (or a component of it) that hides itself from most normal detection: the process can't be seen in Task Manager, and the files that launched it can't be seen in Explorer or from a CMD prompt, because the rootkit intercepts the system calls those tools rely on. Rootkits also do much more than this, but those are the main tricks that allow them to hide.

Today I found what I thought was one of these on a desktop. I was able to find it by using Process Explorer from Sysinternals: there was a difference in the processes listed between Process Explorer and Task Manager. I attempted to look at the file but couldn't, since it was invisible to normal file access.
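The discrepancy between two process listings is the whole detection technique here, so the following is an added example (not code from the post or from Sysinternals) of a cross-view check: one view parsed from `tasklist /FO CSV` output, a second lower-level view supplied as a dictionary, and a diff that separates hidden processes from the harmless noise of processes that exited between snapshots. All listings, process names and PIDs are constructed sample data.

```python
"""Cross-view process detection (Process Explorer vs Task Manager style).

Added example, not code from the original post or from Sysinternals. A
rootkit that filters one enumeration path usually misses another, so a
process present in a lower-level view but absent from the user-mode API
view is a red flag. The listings below are constructed sample data.
"""
import csv
import io

# Constructed sample of `tasklist /FO CSV` output (the user-mode API view).
TASKLIST_SAMPLE = '''"Image Name","PID","Session Name","Session#","Mem Usage"
"System","4","Console","0","236 K"
"explorer.exe","1384","Console","0","18,204 K"
"iexplore.exe","2040","Console","0","22,512 K"
'''

# Constructed lower-level view as {pid: image name}. PID 1812 plays the
# hypothetical hidden process; PID 2040 exited between the two snapshots.
LOW_LEVEL_SAMPLE = {4: "system", 1384: "explorer.exe", 1812: "hidden_sample.exe"}


def parse_tasklist_csv(text):
    """Parse `tasklist /FO CSV` (header row included) into {pid: lowercase image name}."""
    procs = {}
    for row in csv.DictReader(io.StringIO(text)):
        procs[int(row["PID"])] = row["Image Name"].lower()
    return procs


def compare_views(high_view, low_view):
    """Diff two {pid: name} snapshots.

    hidden:  in the low-level view only (the rootkit case)
    phantom: in the high-level view only (usually a process that exited
             between the two snapshots, not an attack)
    renamed: same PID, different image name (PID reuse or tampering)
    """
    hidden = {p: low_view[p] for p in low_view if p not in high_view}
    phantom = {p: high_view[p] for p in high_view if p not in low_view}
    renamed = {p: (high_view[p], low_view[p]) for p in high_view
               if p in low_view and high_view[p] != low_view[p]}
    return {"hidden": hidden, "phantom": phantom, "renamed": renamed}


def stable_hidden(snapshots):
    """Keep only PIDs that are hidden in every (high, low) snapshot pair.

    Snapshots are never perfectly simultaneous, so a single diff produces
    noise from processes starting or exiting. Repeating the pair a few
    times and intersecting the results drops the transients.
    """
    hidden_sets = [set(compare_views(h, l)["hidden"]) for h, l in snapshots]
    if not hidden_sets:
        return set()
    return set.intersection(*hidden_sets)


if __name__ == "__main__":
    high = parse_tasklist_csv(TASKLIST_SAMPLE)
    result = compare_views(high, LOW_LEVEL_SAMPLE)
    for kind, entries in result.items():
        print(f"{kind}: {entries}")
```

On a real machine the two views would come from different enumeration paths (a user-mode API listing against a kernel-level or raw enumeration); the point of `stable_hidden` is that a single diff is not evidence on its own, since a process starting or exiting between the snapshots produces the same kind of mismatch.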

I then tried to run another utility from Sysinternals called RootkitRevealer. It didn't find anything, which I thought was odd. However, at Mark Russinovich's talk at TechEd he mentioned that he and the rootkit makers are in a constant battle of one-upmanship. At this point I swapped the machine out, which was going to happen soon anyway; this just forced my hand.

After swapping machines I took the infected one to the tech offices to investigate further. I booted a BartPE disk so that I could get at the files. First I moved the one I knew about and then rebooted. Another file in a different location popped up at this point in its place and did the same thing. Next I went back into BartPE and removed both. After booting back into Windows I found all the files that had been created at the same time and zipped them up. I scanned the files with our Norton and it reported nothing; I also tried Ad-Aware and still nothing.
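Rounding up everything the infection wrote at the same moment is the triage step that turned one known file into the full set. As an added example (not code from the post), here is a small Python tool that walks a tree and lists files whose timestamp falls within a window around a known-bad file's. The 120-second default window, the `creation_time` fallback rules and the sample file names in the usage are assumptions; run it from offline boot media or against a mounted image so the live rootkit cannot filter the listing.

```python
"""Find files created close in time to a known-bad file.

Added example, not from the original post. After pulling one dropped file
off the disk from offline boot media, the next question is what else the
infection wrote at the same moment; this walks a tree and lists files
whose timestamp falls within a window around the reference file's.
"""
import os
import sys


def creation_time(st):
    """Best available 'created' timestamp from an os.stat_result.

    Windows reports creation time as st_ctime (and st_birthtime on
    Python 3.12+); on Linux st_ctime is the inode change time, so this
    falls back to modification time there. Assumption: the analyst is
    happy with mtime as a proxy when no creation time exists.
    """
    birth = getattr(st, "st_birthtime", None)
    if birth is not None:
        return birth
    if sys.platform == "win32":
        return st.st_ctime
    return st.st_mtime


def files_created_near(root, reference, window_seconds=120, timestamp=creation_time):
    """Return [(path, seconds_from_reference)] for files under root whose
    timestamp is within +/- window_seconds of the reference file's.

    The reference file itself is excluded. Results are sorted by |delta|
    so the closest matches come first. Unreadable entries are skipped
    rather than aborting the walk, since a half-cleaned disk often has
    dangling or locked files.
    """
    ref_time = timestamp(os.stat(reference))
    ref_real = os.path.realpath(reference)
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if os.path.realpath(path) == ref_real:
                continue
            try:
                st = os.lstat(path)
            except OSError:
                continue  # unreadable or vanished; keep walking
            delta = timestamp(st) - ref_time
            if abs(delta) <= window_seconds:
                hits.append((path, delta))
    hits.sort(key=lambda h: abs(h[1]))
    return hits


if __name__ == "__main__":
    # Usage (hypothetical paths): python near.py D:\ D:\WINDOWS\system32\dropped.dll
    root, ref = sys.argv[1], sys.argv[2]
    for path, delta in files_created_near(root, ref):
        print(f"{delta:+8.1f}s  {path}")
```

Timestamps are only a lead: a dropper can backdate its files, so treat the list as candidates to zip up and scan, not as proof, and widen the window if the first pass finds nothing.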

I sent a note to Mark Russinovich, since I thought I had found a new variant that he wasn't detecting. He actually wrote me back in about an hour and asked for it. Just in case, I sent it to my home account to see if it was going to be flagged as a virus. It wasn't on the school server, but it was on mine, by one engine: the Kaspersky engine, which I had disabled at school since it was causing so many problems. I still sent it off to Mark just in case.

According to the results when it got flagged, it is the Win32.QooLogic.N virus. The best description I have found is here. Apparently this family of viruses can perform limited rootkit-like behavior. I imagine it doesn't work well enough to be caught by RootkitRevealer, since it only hides itself in very rudimentary ways.

Oh, and while this was on the machine, basically any IE process hung and lots of other weird stuff was happening. I am going to reimage the machine just in case, since there is no way to know what all was done to it.


About this Entry

This page contains a single entry by Brian Hoyt published on July 20, 2005 6:59 PM.
