Gregoryg.net Information about the RookIE Trojan
The following is information about the latest variant of the trojan/malware labled RookIE by Snort IDS.
What we have learned so far is that RookIE and the associated malware will copy itself to any media mounted on the infected system. On my test system it created the following files:
This enables it to reinfect a cleaned computer as well as automatically infect any system which has autorun enabled upon mounting of the drive if the user mounting the drive is logged in with a privileged account. It apparently has no effect when a drive is mounted via an unprivileged account.
- d9c.bat which is executed by autorun.inf
I've determined there are at least two ways to detect if this version of the RookIE trojan is infecting a system, once rooted antivirus is useless.
The RookIE rootkit made the following changes on my test system:
- What really gives it away is the fact the RookIE rootkit will keep reselecting the "Hide protected operating system files radio button" in Tools > Folder Options > View after you have deselected it and closed the windows
- Also, immediately on install of this variant of the RookIE rookit via autorun, the trojan will attempt to contact 18.104.22.168 on port 80 though this appears unique per install as it contacts other hosts on other infected systems
Added to system
- C:\WINDOWS\System32\drivers\cdaudio.sys (The write time for this file)
Registry Modifications include
Here is a ThreatExpert analysis as well, obviously the file and exe names created may be unique per system
- Added HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AVPsys
- Added HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AVPsys\Security
- Added HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AVPsys\Security|Security
- Added HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AVPsys|Type
- Added HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AVPsys|DisplayName
- Added HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AVPsys|ErrorControl
- Added HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AVPsys|Start
- Added HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AVPsys\Enum
- Added HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AVPsys\Enum|Count
- Added HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AVPsys\Enum|NextInstance
- Added HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AVPsys\Enum|INITSTARTFAILED
- Added HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AVPsys|ImagePath
- Modified HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\kmixer\Enum|Count
- Modified HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\kmixer\Enum|NextInstance
As always, using a nonprivileged account will prevent infection by the RookIE malware suite. !Admin!
Links To Info