My AntiSpyware

Free antispyware software, Online Scanners, Instructions on how to remove spyware and malware.
Found Mailbot family that use ADS hidden streams to hide themselves

Myantispyware team, June 23, 2006

F-Secure reported a Mailbot family that uses hidden data streams to hide itself.

Let’s take Mailbot.AZ (aka Rustock.A) as an example.

Mailbot.AZ is a kernel-mode rootkit that modifies the kernel to hide its presence on the compromised system. It contains an encrypted payload that will be executed in the context of a process named “services.exe”. The payload is a Spamtool with backdoor capabilities.

There’s only a single component lying on the disk, and that is a kernel-mode driver. It’s stored as a hidden data stream attached to the system32 folder (yes, folders can have data streams as well)! Saving data into an Alternate Data Stream is usually enough to hide it from many tools. In this case, however, the stream is further hidden using rootkit techniques, which makes detection and removal quite challenging. Because Mailbot.AZ is hiding something that is not readily visible even without the rootkit, it’s very likely that many security products will have a tough time dealing with this one.

F-Secure has just released a new version of its BlackLight rootkit scanner (Build 2.2.1041) that can detect current variants of Mailbot.

To remove the infection, perform the following steps:

  • Reboot your system using the Windows Recovery Console (from your Windows installation CD).
  • Copy a non-executable file from the Windows directory over the Alternate Data Stream.

For example, run the following command:

    copy c:\windows\win.ini c:\windows\system32:18467

Please note that the copy command will fail but the malicious file has actually been truncated to zero-length.
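The following PowerShell script is an added example, not part of the original post or of F-Secure's tooling: it enumerates the named streams attached to a folder (the place Mailbot.AZ kept its driver) and can truncate them the way the copy command above does. The lab folder under %TEMP%, its placeholder stream (which reuses the reported name 18467) and the -Neutralize switch are my constructions.

```powershell
<#
 Added example, not from the original post or from F-Secure.
 Lists the named alternate data streams attached to a directory (Mailbot.AZ
 stored its driver in system32:18467) and optionally truncates them, which is
 what the post's "copy win.ini system32:18467" step does.
 By default it builds a throw-away lab folder carrying a constructed stream;
 run it with -Path C:\Windows\System32 (elevated) to inspect a real system.
 Caveat: while the rootkit driver is loaded it hides the stream from the file
 system API, so a clean result on a running system is not proof of absence;
 check from an offline boot (Recovery Console / WinPE) for a trustworthy answer.
#>
param(
    [string]$Path = (Join-Path $env:TEMP 'ads-lab'),
    [switch]$Neutralize   # truncate each named stream found to zero bytes
)

$labRoot = Join-Path $env:TEMP 'ads-lab'
if ($Path -eq $labRoot) {
    # Lab setup: one folder with one constructed stream. "18467" reuses the
    # stream name F-Secure reported; the content is harmless placeholder text.
    New-Item -ItemType Directory -Path $labRoot -Force | Out-Null
    Set-Content -Path $labRoot -Stream '18467' -Value 'placeholder standing in for a driver image'
}

# A directory has no unnamed $DATA stream, so anything reported here is a named
# ADS and deserves a look (legitimate ones are rare on system folders).
$streams = @(Get-Item -Path $Path -Stream * -ErrorAction SilentlyContinue |
    Where-Object { $_.Stream -ne ':$DATA' })

if ($streams.Count -eq 0) {
    Write-Output "No named streams attached to $Path"
    return
}

foreach ($s in $streams) {
    [pscustomobject]@{
        Directory = $Path
        Stream    = $s.Stream                  # e.g. 18467
        Spec      = "${Path}:$($s.Stream)"     # the path:stream syntax the copy command uses
        Bytes     = $s.Length
    }
    if ($Neutralize) {
        # Zero the stream in place: same result as the post's copy trick, but only
        # effective once the driver is no longer running (see the caveat above).
        Clear-Content -Path $Path -Stream $s.Stream
        Write-Output "Truncated ${Path}:$($s.Stream)"
    }
}
```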

Rootkit

Author: Myantispyware team

Myantispyware is an information security website created in 2004. Our content is written in collaboration with Cyber Security specialists, IT experts, under the direction of Patrik Holder and Valeri Tchmych, founders of Myantispyware.com.

Copyright © 2004 - 2022 Myantispyware.com - Free antispyware programs and Spyware Removal Instructions.