Information about the RookIE Trojan
The following is information about the latest variant of the trojan/malware labled RookIE by Snort IDS.


What we have learned so far is that RookIE and the associated malware will copy itself to any media mounted on the infected system. On my test system it created the following files:
  1. autorun.inf
  2. d9c.bat which is executed by autorun.inf
  3. l6w2eaih.exe
This enables it to reinfect a cleaned computer as well as automatically infect any system which has autorun enabled upon mounting of the drive if the user mounting the drive is logged in with a privileged account. It apparently has no effect when a drive is mounted via an unprivileged account.


I've determined there are at least two ways to detect if this version of the RookIE trojan is infecting a system, once rooted antivirus is useless.
  1. What really gives it away is the fact the RookIE rootkit will keep reselecting the "Hide protected operating system files radio button" in Tools > Folder Options > View after you have deselected it and closed the windows
  2. Also, immediately on install of this variant of the RookIE rookit via autorun, the trojan will attempt to contact on port 80 though this appears unique per install as it contacts other hosts on other infected systems
The RookIE rootkit made the following changes on my test system:


Added to system
  1. C:\autorun.inf
  2. C:\d9c.bat
  3. C:\WINDOWS\System32 mdfgds0.dll
  4. C:\WINDOWS\System32\olhrwef.exe
It modified
  1. C:\WINDOWS\System32\drivers\cdaudio.sys (The write time for this file)
It added
  1. C:\WINDOWS\System32\dllcache\cdaudio.sys
Registry Modifications include
  1. HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run|cdoosoft
  2. Added HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AVPsys
  3. Added HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AVPsys\Security
  4. Added HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AVPsys\Security|Security
  5. Added HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AVPsys|Type
  6. Added HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AVPsys|DisplayName
  7. Added HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AVPsys|ErrorControl
  8. Added HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AVPsys|Start
  9. Added HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AVPsys\Enum
  10. Added HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AVPsys\Enum|Count
  11. Added HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AVPsys\Enum|NextInstance
  12. Added HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AVPsys\Enum|INITSTARTFAILED
  13. Added HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AVPsys|ImagePath
  14. Modified HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\kmixer\Enum|Count
  15. Modified HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\kmixer\Enum|NextInstance
Here is a ThreatExpert analysis as well, obviously the file and exe names created may be unique per system


As always, using a nonprivileged account will prevent infection by the RookIE malware suite. !Admin!

Links To Info

Linux Stuff


Win Security Tips


Rip Vinyl To MP3


DHTML Tips powered by