Rootkit:W32/Agent.UG
First posted on 24 September 2008.
Source: SecurityHome
Aliases:
There are no other names known for Rootkit:W32/Agent.UG.
Explanation:
A program or set of programs which hides itself by subverting or evading the computer's security mechanisms, then allows remote users to secretly control the computer's operating system.
This rootkit will execute on the following operating systems:
- Windows 2000
- Windows XP
- Windows 2003
- Windows Vista
- Windows Vista SP1
It removes the hooks placed on the following native NT functions (implemented in Ntoskrnl.exe), restoring the hooked addresses to their original values:
- NtProtectVirtualMemory
- NtOpenThread
- NtTerminateThread
- NtCreatePort
- NtConnectPort
- NtCreateKey
- NtAdjustPrivilegesToken
- NtCreateFile
- NtWriteVirtualMemory
- NtOpenProcess
- NtCreateProcess
- NtCreateProcessEx
- NtCreateSection
- NtCreateThread
- NtDeleteKey
- NtDeleteValueKey
- NtDuplicateObject
- NtEnumerateKey
- NtEnumerateValueKey
- NtLoadDriver
- NtLoadKey
- NtLoadKey2
- NtNotifyChangeKey
- NtOpenFile
- NtOpenKey
- NtOpenSection
- NtQueryKey
- NtQueryMultipleValueKey
- NtQueryValueKey
- NtReplaceKey
- NtRestoreKey
- NtResumeThread
- NtSaveKey
- NtSetContextThread
- NtSetInformationFile
- NtSetInformationKey
- NtSetSystemInformation
- NtSetValueKey
- NtSuspendThread
- NtSystemDebugControl
- NtTerminateProcess
Last updated 24 September 2008