e-tech

uti4ndk2.sys (Rootkit.Bagle)

Hello <_<

Got this log today

Malwarebytes' Anti-Malware 1.34

Database version: 1794

Windows 5.1.2600 Service Pack 3

22-02-2009 21:22:44

mbam-log-2009-02-22 (21-22-44).txt

Skan type: Fuldst

Done <_<

http://www.malwarebytes.org/forums/index.p...ost&p=58828

Yes, it certainly looks like a random file name and the MD5 shows that it could be something, but my research shows this http://www.malwarebytes.org/forums/index.php?showtopic=9869 where the way the file is named is similar, along with the type of the threat and the producer's name. :angry:

Here's the log too. I've only restored the file, but please let me know if there's anything else I can do. :)

Malwarebytes' Anti-Malware 1.34

Database version: 1794

Windows 5.1.2600 Service Pack 3

2009-02-22 23:51:04

mbam-log-2009-02-22 (23-51-04).txt

Skan type: Fuldst

Hi, this is indeed a driver from the AVZ tool (got the uploaded file). AVZ is an antivirus recently bought by Kaspersky.

AVZ antivirus uses this driver with random name (file and service keys). Bagle's coder added this driver to the infection, in order to kill antivirus processes.

srosa.sys was the first driver, and then came srosa2.sys (first AVZ variant), in November, with driver sK9Ou0s. Alone, the file is not harmful, but it has been part of Bagle.

Yes, that is almost certainly it... it is (the AVZ driver) integrated with the AVPTool in order to execute a manual cure, and is randomised to bypass malware.

The problem is that this specific file is now flagged as Bagle by a lot of tools:

http://www.virustotal.com/analisis/a80a083...0f44d4184180e00

And the file itself is not Bagle, it is a bit more complicated.

The same file can be good, when used by AVPTool (legit), and evil if Bagle is using it (that renamed copy): the context (Bagle or AVPTool) invalidates a simple "infected or not" status.

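As an added illustration of the point made in that post (this is not code from the thread or from any of the tools named in it), here is a small Python triage routine that gives the same driver bytes a different verdict depending on what else is loaded on the host. The sample driver bytes, and therefore the "known AVZ" hash set, are constructed placeholders, since the real hash is not on the page; the random-name heuristic is an assumption based on the names quoted in the thread.

```python
import hashlib
import re

# Constructed stand-in for the legitimate AVZ driver body; the real file's hash
# is not on the page, so the known-good set is derived from this sample only.
AVZ_SAMPLE_BYTES = b"constructed AVZ driver sample (not the real file)"
KNOWN_AVZ_MD5 = {hashlib.md5(AVZ_SAMPLE_BYTES).hexdigest()}

# Driver names the thread associates with Bagle's use of the AVZ driver.
BAGLE_DRIVER_NAMES = {"srosa.sys", "srosa2.sys"}


def looks_random(filename):
    """Heuristic (assumption) for AVZ-style randomised names such as
    uti4ndk2.sys or sK9Ou0s: a 6-12 character stem mixing letters and digits,
    with no separators. Ordinary drivers like ntfs.sys do not match."""
    stem = filename.lower().rsplit(".", 1)[0]
    return (6 <= len(stem) <= 12
            and re.search(r"\d", stem) is not None
            and re.search(r"[a-z]", stem) is not None
            and re.fullmatch(r"[a-z0-9]+", stem) is not None)


def classify_driver(filename, content, loaded_drivers):
    """Return a verdict string for one driver file.

    filename       -- name of the .sys file under inspection
    content        -- raw bytes of that file
    loaded_drivers -- names of the other driver services present on the host
    """
    md5 = hashlib.md5(content).hexdigest()
    others = {d.lower() for d in loaded_drivers}
    if md5 in KNOWN_AVZ_MD5:
        # Same bytes, two verdicts: the deciding factor is the surrounding
        # context, exactly the "infected or not" problem the thread describes.
        if others & BAGLE_DRIVER_NAMES:
            return "avz-driver-in-bagle-context"
        return "avz-driver-standalone-likely-fp"
    if looks_random(filename):
        return "unknown-random-named-driver-escalate"
    return "no-finding"
```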

I have seen this a few times; it is beyond me that these drivers are not dramatically changed to avoid malware vs. legit collisions. In all of these cases delisting = helping the bad guys.

Hi, this is indeed a driver from the AVZ tool (got the uploaded file). AVZ is an antivirus recently bought by Kaspersky.

AVZ antivirus uses this driver with random name (file and service keys). Bagle's coder added this driver to the infection, in order to kill antivirus processes.

srosa.sys was the first driver, and then came srosa2.sys (first AVZ variant), in November, with driver sK9Ou0s. Alone, the file is not harmful, but it has been part of Bagle.

Thanks for the info.

The driver was targeted because it was installed with Bagle (srosa2.sys).

Mind you, not the first time I've seen something similar to this, with the Partizan driver (UnHackMe) being used by ITW malware :(

Ran several other cleaning tools and they came up with clean logs, so this file is alone, or at least one of the most famous malware-fighting tools would have come up with something, maybe some other files, registry keys or services. <_<

I mean, to be honest there shouldn't really be a problem, because AVPTool/AVZ is used as a standalone tool and isn't resident, so there will not be any lasting damage from leaving it detected.... I think the arrangement for the AVZ integrated into the Kaspersky home user products is different, so they will not get flagged.
