Rootkit.Win64.Banker.a
From Total Malware Info
Last edited: 9.7.2011
The malicious program is designed to remove components of the Gbuster security software plugin for Internet Explorer. It is implemented as a Windows NT kernel-mode driver and runs under 64-bit versions of Windows. Its size is 25,600 bytes.
Installation
The executable file of the malicious program is located in the Windows drivers folder:
%Windir%\SysWOW64\drivers\plusdriver64.sys
A service named "driverusbplus" starts the rootkit driver automatically every time the system boots.
The rootkit installer also disables digital-signature verification for kernel-mode modules in the current boot configuration by executing the following command:
bcdedit.exe -set loadoptions DDISABLE_INTEGRITY_CHECKS
In addition, it enables test-signing mode, which allows drivers signed with a test certificate to be loaded, by running the following command:
bcdedit.exe -set TESTSIGNING ON
In this way the rootkit bypasses digital-signature validation for kernel-mode drivers.
Payload
Once launched, the rootkit tries to delete the following files:
\Device\Harddisk0\Partition2\Arquivos de programas\GbPlugin\gbiehAbn.dll
\Device\Harddisk0\Partition2\Program Files\GbPlugin\gbiehAbn.dll
\Device\Harddisk0\Partition2\Program Files (x86)\GbPlugin\gbiehAbn.dll
\Device\Harddisk0\Partition2\Arquivos de programas\GbPlugin\abn.gpc
\Device\Harddisk0\Partition2\Program Files (x86)\GbPlugin\abn.gpc
\Device\Harddisk0\Partition2\Program Files\GbPlugin\abn.gpc
\Device\Harddisk0\Partition2\windows\Downloaded Program Files\ABN.inf
\Device\Harddisk0\Partition2\windows\Downloaded Program Files\ABN.gpc
\Device\Harddisk0\Partition2\windows\Downloaded Program Files\gbiehabn.dll
\Device\Harddisk0\Partition2\windows\Downloaded Program Files\GbPluginABN.inf
\Device\Harddisk0\Partition2\windows\Downloaded Program Files\gbpdist.dll
\Device\Harddisk0\Partition2\windows\Downloaded Program Files\gbiehAbn.dll
\Device\Harddisk0\Partition2\windows\system32\drivers\gbpkm.sys
\Device\Harddisk0\Partition2\Arquivos de programas\GbPlugin\gbieh.gmd
\Device\Harddisk0\Partition2\Program Files\GbPlugin\gbieh.gmd
\Device\Harddisk0\Partition2\Program Files (x86)\GbPlugin\gbieh.gmd
\Device\Harddisk0\Partition2\Arquivos de programas\GbPlugin\bb.gpc
\Device\Harddisk0\Partition2\Program Files\GbPlugin\bb.gpc
\Device\Harddisk0\Partition2\Program Files (x86)\bb.gpc
\Device\Harddisk0\Partition2\Arquivos de programas\GbPlugin\gbieh.dll
\Device\Harddisk0\Partition2\Program Files\GbPlugin\gbieh.dll
\Device\Harddisk0\Partition2\Program Files (x86)\gbieh.dll
\Device\Harddisk0\Partition2\windows\Downloaded Program Files\gbieh.gmd
\Device\Harddisk0\Partition2\Arquivos de programas\GbPlugin\Sv.exe
\Device\Harddisk0\Partition2\Program Files\GbPlugin\Sv.exe
\Device\Harddisk0\Partition2\Program Files (x86)\GbPlugin\Sv.exe
\Device\Harddisk0\Partition2\Arquivos de programas\GbPlugin\gbpdist.dll
\Device\Harddisk0\Partition2\Program Files\GbPlugin\gbpdist.dll
\Device\Harddisk0\Partition2\Program Files (x86)\gbpdist.dll
as well as the following registry keys:
\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\GbPluginAbn
\Registry\Machine\Software\Classes\CLSID\{2E3C3651-B19C-4DD9-A979-901EC3E930AF}
\Registry\Machine\Software\Classes\CLSID\{3F888695-9B41-4B29-9F44-6B560E464A16}
\Registry\Machine\Software\Classes\CLSID\{A3717295-941D-416F-9384-ED1736729F1C}
\Registry\Machine\Software\Classes\CLSID\{AF45043F-819C-47CC-9B37-94DBE50A6E63}
\Registry\Machine\Software\Classes\TypeLib\{04978612-A774-406D-AF1B-F44E2838D72A}
\Registry\Machine\Software\Classes\TypeLib\{9CA261C7-D518-4987-B434-10A1B243C8B8}
\Registry\Machine\Software\Classes\TypeLib\{AD764BE6-87A7-46A1-8C55-A712D079E749}
\Registry\Machine\System\CurrentControlSet\Services\GbpKm
\Registry\Machine\System\ControlSet001\Services\GbpKm
The rootkit also adds the following lines:
216.155.133.236 www2.bancobrasil.com.br
216.155.133.237 aapj.bb.com.br
127.0.0.1 localhost
Hosts doWindows
Exemplo: 127.0.0.1 www.microsoft.com.br
to the file:
%System%\drivers\etc\hosts
As a result, users who visit the Banco do Brasil websites are redirected to phishing sites.
Removal Instructions
If your computer was not protected by an antivirus and was infected with this malware, follow these steps to remove it:
1. Delete the file:
%Windir%\SysWOW64\drivers\plusdriver64.sys
2. Remove the service named:
"Driverusbplus"
3. Restore the original contents of the file:
%System%\drivers\etc\hosts
This file usually contains the following text:
# Copyright (c) 1993-2009 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
#      102.54.94.97     rhino.acme.com          # source server
#       38.25.63.10     x.acme.com              # x client host

# localhost name resolution is handled within DNS itself.
#	127.0.0.1       localhost
4. Restore the boot options by running the following commands:
bcdedit /deletevalue loadoptions
bcdedit.exe -set TESTSIGNING OFF
5. Perform a full system scan with an antivirus with updated databases.
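The following read-only audit script is an added example, not part of the original description: it checks a machine for the indicators listed above (the dropped driver, the autostart service, the weakened boot configuration and the hosts-file hijack of the two bank domains) and reports them without changing anything. It assumes an elevated PowerShell session on the suspected host.

```powershell
# Added example (not from the original description): read-only audit of the
# Rootkit.Win64.Banker.a indicators. Assumes an elevated PowerShell session.
$findings = @()

# 1. Driver file dropped by the installer
$driver = Join-Path $env:windir 'SysWOW64\drivers\plusdriver64.sys'
if (Test-Path $driver) { $findings += "driver present: $driver" }

# 2. Autostart service that loads the driver at every boot
$svc = Get-Service -Name 'driverusbplus' -ErrorAction SilentlyContinue
if ($svc) { $findings += "service present: $($svc.Name) ($($svc.Status))" }

# 3. Boot configuration weakened by the two bcdedit commands
$bcd = bcdedit /enum '{current}' 2>$null
if ($bcd -match '^\s*testsigning\s+Yes') { $findings += 'testsigning is ON' }
if ($bcd -match 'DDISABLE_INTEGRITY_CHECKS') {
    $findings += 'loadoptions DDISABLE_INTEGRITY_CHECKS is set'
}

# 4. hosts entries that map the bank domains to an attacker-chosen address
$hostsFile = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$watched = 'www2.bancobrasil.com.br', 'aapj.bb.com.br'
foreach ($line in Get-Content $hostsFile -ErrorAction SilentlyContinue) {
    $entry = ($line -split '#')[0].Trim()      # drop comments and blanks
    if (-not $entry) { continue }
    $fields = $entry -split '\s+'
    if ($fields.Count -lt 2) { continue }      # needs an address and a name
    foreach ($name in $fields[1..($fields.Count - 1)]) {
        if ($watched -contains $name.ToLower()) {
            $findings += "hosts maps $name to $($fields[0])"
        }
    }
}

if ($findings) { $findings | ForEach-Object { Write-Warning $_ } }
else { Write-Host 'No Rootkit.Win64.Banker.a indicators found.' }
```

Each warning corresponds to one of the removal steps above; the script does not delete or restore anything itself.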