
"Fuzzy Rootkit"


jp18


Checking if anyone out there can advise if this rootkit is able to be detected and remediated with MBAM. We're using MBAM 1.80.2 via Automate/Labtech on the latest database version.
Below is info found out by our partner MSP.

Trojan.GenericKD.32968937

Hitman pro log:
    Fuzzy  . . . . . . : 23.0
    The file is completely hidden from view and most antivirus products. It may belong to a rootkit.
    Uses the Windows Registry to run each time the user logs on.
    Program starts automatically without user intervention.
    Time indicates that the file appeared recently on this computer.
    The file is in use by one or more active processes.
    Starts automatically as a service during system bootup.
    Program is code signed with a valid Authenticode certificate.


I am not a member of Research, however I do know from experience that the terms 'Generic' and 'Fuzzy', both of which are used to describe this detection and the signature that hit it, are heuristic types of detections which may be more prone to false positives than a more targeted signature type.  I have no idea if this specific detection was a legitimate rootkit or a false positive, however I am fairly certain that without a copy of the object that was detected, Research will not be able to determine whether or not Malwarebytes is capable of detecting the same rootkit (again, assuming it is an actual rootkit and not a false positive due to the fuzzy/generic/heuristic signature).

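As an added illustration of the point made in the reply above (not code from the thread, from HitmanPro or from Malwarebytes): a small Python parser for the report excerpt quoted in the first post. It pulls out the Fuzzy score and the individual indicator lines, flags the detection as heuristic when the signature name carries "Generic" or "Fuzzy" (the two markers the reply names; the marker list, the line format assumed from the single quoted excerpt, and the triage fields are my assumptions), and returns a triage record whose main output is that a sample is needed before any vendor can confirm coverage.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: the detection name and HitmanPro lines quoted in the thread.
SAMPLE_DETECTION = "Trojan.GenericKD.32968937"
SAMPLE_LOG = """\
Hitman pro log:   Fuzzy  . . . . . . : 23.0
         The file is completely hidden from view and most antivirus products. It may belong to a rootkit.
         Uses the Windows Registry to run each time the user logs on.
         Program starts automatically without user intervention.
         Time indicates that the file appeared recently on this computer.
         The file is in use by one or more active processes.
         Starts automatically as a service during system bootup.
         Program is code signed with a valid Authenticode certificate.
"""

# Assumption: name fragments that mark a heuristic (non-targeted) signature.
# The thread names "Generic" and "Fuzzy"; extend as your vendors' naming requires.
HEURISTIC_MARKERS = ("generic", "fuzzy")

# Matches "Fuzzy  . . . . . . : 23.0" (dotted leader and spacing assumed from the excerpt).
FUZZY_RE = re.compile(r"Fuzzy\s*[. ]*:\s*([0-9]+(?:\.[0-9]+)?)", re.IGNORECASE)


@dataclass
class Report:
    fuzzy_score: Optional[float]
    indicators: List[str] = field(default_factory=list)


def parse_hitmanpro_report(text: str) -> Report:
    """Split a HitmanPro-style excerpt into its Fuzzy score and indicator lines."""
    score = None
    indicators: List[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        match = FUZZY_RE.search(line)
        if match:
            score = float(match.group(1))
            continue  # the score line itself is not an indicator
        indicators.append(line)
    return Report(score, indicators)


def is_heuristic_name(name: str) -> bool:
    """True when the signature name is a generic/fuzzy family rather than a targeted one."""
    lowered = name.lower()
    return any(marker in lowered for marker in HEURISTIC_MARKERS)


def triage(detection_name: str, report: Report) -> dict:
    """Summarise what the report does and does not establish for the analyst."""
    heuristic = is_heuristic_name(detection_name) or report.fuzzy_score is not None
    lowered = [i.lower() for i in report.indicators]
    hidden = any("hidden" in i for i in lowered)
    signed = any("authenticode" in i for i in lowered)
    persistence = [i for i in lowered if "registry" in i or "service" in i]
    return {
        "detection": detection_name,
        "fuzzy_score": report.fuzzy_score,
        "heuristic_only": heuristic,
        "hidden_file": hidden,            # the one indicator that actually suggests a rootkit
        "valid_signature": signed,        # cuts both ways: stolen cert, or a false positive
        "persistence_indicators": len(persistence),
        # Without the object itself, no vendor can confirm or deny coverage.
        "needs_sample": heuristic,
        "verdict": "unconfirmed: heuristic hit, restore sample from quarantine and submit"
        if heuristic else "named signature: check vendor detection directly",
    }


if __name__ == "__main__":
    result = triage(SAMPLE_DETECTION, parse_hitmanpro_report(SAMPLE_LOG))
    for key, value in result.items():
        print(f"{key}: {value}")
```

Run as-is it prints the triage record for the thread's excerpt; feed it another vendor's log by swapping `SAMPLE_LOG`. The only decision it encodes is the one the reply makes: a generic/fuzzy hit with no sample is an open question, not a confirmed rootkit.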

Thank you both for the replies - in this case, I do not have the infected file, only the description from a Bitdefender scan. I see how it can be generic; thankfully we haven't had cases of this for our systems, but we will continue to be on the lookout and post additional information here when possible.


Root Admin

Ever-changing threat scope. Make sure all computers are protected, and continue user education. One bad system can often wreak havoc.

Perhaps not something to make large scale changes in a business environment but for general knowledge we do have the following post geared for home users.

Tips to help protect from infection


Bitdefender should still have a copy of the file in quarantine assuming it was not deleted.  If you have access to the machine you should be able to restore the file from quarantine and then ZIP it and post it here for analysis.  In fact, if Bitdefender offers the option as some AVs do, you can possibly restore the file to a location of your choosing so that you can simply restore it to somewhere like a folder on the desktop to make it easier to find for attaching.  I do not know if Bitdefender offers such an option though, so you may need to restore it to its original location and grab it from there.
