Threat Information for "Trojan.NtRootKit.61"

Removal

StopSign will automatically remove this infection with a paid membership.

Summary
  • Name: Trojan.NtRootKit.61
  • Aliases:
  • Date Discovered: 2006-11-10
  • Protection Added: 2006-11-13

Description
-- Ease of Removal

1: Uses rootkit functionality
2: Creates new registry entries with consistent data
3: Consistent file contents
4: Consistently named
5: Runs as a service
6: Uses running processes

-- Privacy Risks/Security Changes

1: Mimics legitimate file names

-- Damage/Intrusion/Annoyance

1: Significantly slows down the computer
2: Creates new files
3: Downloads other threats

-- Propagation/Saturation

1: Infects from a link in an email
2: Infects from an email attachment
3: Installed by other infections

Technical Details
  • Added Directory/File:
    FilePath: %SYSTEMDIR%\rdriv.sys
  • Added Directory/File:
    FilePath: %WINDIR%\*.*
    MD5: eb6f41b9b17158fa1b765aa9cb3f36a0
  • Added Registry Key:
    Key: HKLM\SYSTEM\CurrentControlSet\Services\MicroSoft Media Tools
  • Added Registry Key:
    Key: HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MICROSOFT_MEDIA_TOOLS
  • Added Registry Key:
    Key: HKLM\SYSTEM\CurrentControlSet\Services\rdriv
  • Added Registry Key:
    Key: HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_RDRIV
  • Added Registry Value:
    Key: HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
    Value: DoNotAllowXPSP2
  • Added Registry Value:
    Key: HKLM\SOFTWARE\Microsoft\Security Center
    Value: UpdatesDisableNotify
  • Added Registry Value:
    Key: HKLM\SYSTEM\CurrentControlSet\Services\lanmanworkstation\parameters
    Value: AutoShareWks
  • Added Registry Value:
    Key: HKLM\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters
    Value: AutoShareWks
  • Added Registry Value:
    Key: HKLM\SOFTWARE\Microsoft\Security Center
    Value: AntiVirusOverride
  • Added Registry Value:
    Key: HKLM\SOFTWARE\Microsoft\Security Center
    Value: AntiVirusDisableNotify
  • Added Registry Value:
    Key: HKLM\SYSTEM\CurrentControlSet\Services\lanmanworkstation\parameters
    Value: AutoShareServer
  • Added Registry Value:
    Key: HKLM\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters
    Value: AutoShareServer
  • Added Registry Value:
    Key: HKLM\SOFTWARE\Microsoft\Security Center
    Value: FirewallOverride
  • Added Registry Value:
    Key: HKLM\SOFTWARE\Microsoft\Security Center
    Value: FirewallDisableNotify