what is a rootkit virus ?

[MushroomNZ]

got hit by one of those
had to use a Kaspersky program to get rid of it on the disk

it wasnt in the windows startup autoruns.

is it in the regsitry somewhere
or in part of the drive when the PC boots ?

 

[Good Guy]

got hit by one of those
had to use a Kaspersky program to get rid of it on the disk

it wasnt in the windows startup autoruns.

is it in the regsitry somewhere
or in part of the drive when the PC boots ?

<http://en.wikipedia.org/wiki/Rootkit>

 

[Paul]

got hit by one of those
had to use a Kaspersky program to get rid of it on the disk

it wasnt in the windows startup autoruns.

is it in the regsitry somewhere
or in part of the drive when the PC boots ?

http://en.wikipedia.org/wiki/TDSS

"it first hijacks the print spooler service (spoolsv.exe)
to write a filesystem at the end of the disk; it then
infects low level system drivers such as those responsible
for PATA operations (atapi.sys) to implement its rootkit."

When you modify system files, you can make it so things can be
hidden from view (not seen in the file manager).

What can't be hidden, is when the network light is blinking
on your networking equipment, when you're not doing anything.
If your network setup is normally fairly quiet, the presence
of extra network traffic is easy to view via the blinking
network lights.

The "root" in rootkit, means running in Ring0. The atapi.sys
file runs in Ring0, because it's a driver. The kernel and drivers
live in Ring0, and Ring0 is a higher privilege level than
Ring3 (where applications run).

http://en.wikipedia.org/wiki/Rootkit

"Once installed it becomes possible to hide the intrusion
as well as to maintain privileged access."

HTH,
Paul

 

[philo]

got hit by one of those
had to use a Kaspersky program to get rid of it on the disk

it wasnt in the windows startup autoruns.

is it in the regsitry somewhere
or in part of the drive when the PC boots ?

A rootkit is a nasty one. It can even hide in the "system restore" folder.

If you do any banking or credit card transactions on-line your
account(s) can be compromised.
Watch your credit card and banking statements closely.

 

[...winston]

http://www.bleepingcomputer.com/virus-removal/rootkits

http://www.bleepingcomputer.com/startups/rootkit.html

http://www.bleepingcomputer.com/virus-removal/remove-tdss-tdl3-alureon-rootkit-using-tdsskiller
"Thankfully, Kaspersky Labs has released a tool called TDSSKiller that can be used to remove most variants of TDSS from your
computer.
****We do, though, need to perform some steps in order to get the program to work.***
These steps are described in the removal guide below."

--
....winston
msft mvp mail


"MushroomNZ" wrote in message
got hit by one of those
had to use a Kaspersky program to get rid of it on the disk

it wasnt in the windows startup autoruns.

is it in the regsitry somewhere
or in part of the drive when the PC boots ?

 

[Dave-UK]

got hit by one of those
had to use a Kaspersky program to get rid of it on the disk

it wasnt in the windows startup autoruns.

is it in the regsitry somewhere
or in part of the drive when the PC boots ?

What were the details provided by the Kaspersky software
that told you you had an infection ?
That would tell you where this rootkit was.

 

[Ken Blake]

got hit by one of those
had to use a Kaspersky program to get rid of it on the disk

it wasnt in the windows startup autoruns.

is it in the regsitry somewhere
or in part of the drive when the PC boots ?

See the other replies you've gotten, and also note that it's a
rootkit, not a rootkit virus. A rootkit and a virus are two different
kinds of malware.

 

[MushroomNZ]

the credit card data isnt on the PC
i guess u mean they use keyloggers ?

Kaspersky proram said it was Pihar.C

saw 15 extra Svchost connections.
may have just been a botnet ?

 

[Gene E. Bloch]

saw 15 extra Svchost connections.
may have just been a botnet ?

Do mean 16 instead of 1, or do you mean 15 more than you usually see?

There are normally many svchost processes running - it's a service used
by programs to run themselves. That's simplified, mostly because I don't
understand it 100%

Example - I just looked in Process Explorer. I've got 11 svchost
instantiations at this moment.

 

[J. P. Gilliver (John)]

Do mean 16 instead of 1, or do you mean 15 more than you usually see?

There are normally many svchost processes running - it's a service used
by programs to run themselves. That's simplified, mostly because I don't
understand it 100%

Example - I just looked in Process Explorer. I've got 11 svchost
instantiations at this moment.

If they're sub-OS, will they (things due to a rootkit I mean) even show
up in Process Explorer?

 

[Gene E. Bloch]

If they're sub-OS, will they (things due to a rootkit I mean) even show
up in Process Explorer?

That's an excellent question, but sadly, I am completely unqualified to
answer it.

So I'll answer it: it varies with the rootkit.

Feel free to disbelieve the above reply

 

[Brian Gregory [UK]]

See the other replies you've gotten, and also note that it's a
rootkit, not a rootkit virus. A rootkit and a virus are two different
kinds of malware.

I don't see why one piece of malware couldn't be both a rootkit and a virus.

 

[Ken Blake]

I don't see why one piece of malware couldn't be both a rootkit and a virus.

He used the word "rootkit" as an adjective, modifying the noun
"virus," as if a rootkit was a kind of virus. It is not.

 

[Boscoe]

He used the word "rootkit" as an adjective, modifying the noun
"virus," as if a rootkit was a kind of virus. It is not.

Why is a set of tools, used by virus writers, to create a stealthy
container or wrapper for concealing malicious software, not a virus, then?

 

[Chris S.]

Why is a set of tools, used by virus writers, to create a stealthy
container or wrapper for concealing malicious software, not a virus, then?

Virus. Replicates, like a physical virus?

Chris

 

[Boscoe]

On Sun, 14 Oct 2012 22:07:15 +0100, "Brian Gregory [UK]"

got hit by one of those
had to use a Kaspersky program to get rid of it on the disk

it wasnt in the windows startup autoruns.

is it in the regsitry somewhere
or in part of the drive when the PC boots ?



See the other replies you've gotten, and also note that it's a
rootkit, not a rootkit virus. A rootkit and a virus are two different
kinds of malware.

I don't see why one piece of malware couldn't be both a rootkit and
a virus.


He used the word "rootkit" as an adjective, modifying the noun
"virus," as if a rootkit was a kind of virus. It is not.

Why is a set of tools, used by virus writers, to create a stealthy
container or wrapper for concealing malicious software, not a virus,
then?

Virus. Replicates, like a physical virus?

Chris

I see, like the flu which contains the virus?

 

[Artreid]

HOW DOES ONE REMOVE IT SUCH A VIRUS?

 

[MushroomNZ]

use a Kaspersky program TSS something

when i killed the bad SVChost , 15 connections dropped.

it rebooted my machine.
Wonder if this was the first thing it did

 

[Steve Hayes]

Why is a set of tools, used by virus writers, to create a stealthy
container or wrapper for concealing malicious software, not a virus, then?

The word "virus" describes how malware is spread, not what it does or how it
is written. I would imagine that some rootkits could be viruses, others could
be trojans. Trojans are malware programs installed on your comnputer along
with some other software.

 

[Ken Blake]

On Sun, 14 Oct 2012 22:07:15 +0100, "Brian Gregory [UK]"

got hit by one of those
had to use a Kaspersky program to get rid of it on the disk

it wasnt in the windows startup autoruns.

is it in the regsitry somewhere
or in part of the drive when the PC boots ?



See the other replies you've gotten, and also note that it's a
rootkit, not a rootkit virus. A rootkit and a virus are two different
kinds of malware.

I don't see why one piece of malware couldn't be both a rootkit and a virus.


He used the word "rootkit" as an adjective, modifying the noun
"virus," as if a rootkit was a kind of virus. It is not.

Why is a set of tools, used by virus writers, to create a stealthy
container or wrapper for concealing malicious software, not a virus, then?

The word "virus" describes how malware is spread,

Actually what it describes is how *software* is written. It is just
self-replicating code. Technically a program doesn't even have to be
malware to be a virus.

However for all practical purposes, all viruses are malware, and the
technical definition (self-replicating code) is hardly ever used these
days. A virus is just a particular kind of malware.

not what it does or how it
is written. I would imagine that some rootkits could be viruses, others could
be trojans.

Maybe, but nevertheless, I'm sure that he thought all rootkits were
viruses because he didn't really understand what either word meant,
and I was trying to help him understand. My point was that calling a
rootkit a "rootkit virus," as if all rootkits were virus, is simply
wrong.