Re: hacktool.rootkit HELP
From: cquirke (MVP Windows shell/user) (cquirkenews_at_nospam.mvps.org)
Date: 10/23/05
- Next message: David H. Lipman: "Re: hacktool.rootkit"
- Previous message: easyone_at_onetel.com: "Re: hacktool.rootkit"
- In reply to: Stephen V.: "Re: hacktool.rootkit HELP"
- Next in thread: easyone_at_onetel.com: "Re: hacktool.rootkit"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Sun, 23 Oct 2005 20:06:21 +0200
On Sat, 22 Oct 2005 09:55:49 -0500, "Stephen V."
>Shawn E. Hale wrote:
>> Sorry if it is too long but I figure more info is better than less.
True.
>> Dell laptop XP Home SP2 and all updates. Norton Antivirus 2005
>> installed and set for automatic updates ... also real time scanning.
OK
>> 2 weeks ago (10/3/05) my daughter was using AOL IM when someone
>> inadvertently sent her a link which she followed and ran.
Er... she received a link, yes, but it could just as well have been
sent "intentionally" by a bot.
>> Immediately all of her buddies on IM got the same link
>> Norton Antivirus reported the following:
>> Auto-Protect, Hacktool.rootkit, Access Denied. Source:
>> c:\windows\system32\msdirectx.sys
>> Auto-Protect, Hacktool.rootkit, Repair failed. Source:
>> c:\windows\system32\msdirectx.sys
Nice that it saw it, no surprise that it couldn't fix it.
>> I did some research and deleted all references in the registry, and all
>> files relative to, lock1.exe, xz.bat, and msdirectx.sys (although that
>> particular file was not found).
If the root kit's running, as it's almost certain to be if you are
running the infected OS installation, then it may hide itself; it's
(one of) what rootkits do.
>> Virus scanner, Hacktool.rootkit, Quarantined file, Virus Source:
>> C:\windows\system32\svkp.sys. (A related registry key was also removed).
>> The virus definitions date that found this problem was 10/19/05.
Yep.
>> In the original Norton message about msdirectx, what does it actually mean
>> "repair failed" and "access denied." Is that a good thing that Norton
>> stopped it or is it a bad thing that Norton didn't catch it in time?
Both. Once malware is active (running) it has the potential to smack
down any defenses that try to run after it. The IT industry has
counted on malware authors being too useless to exploit that potential,
and is in the process of becoming unluckier and unluckier.
There are three ways to look for "root kits" (which is just a fancy
term for "malware that makes use of opportunities to hide things"):
- formal scanning of static files and settings
- informal checking for anomalous behavior
- comparison of formal and informal reportage
The first would always be my starting point. Find out (or find
someone who knows) how to use a maintenance OS such as Bart's bootable
CDR and tools from that platform, and do today what you'd have done
from a DOS mode boot diskette in the days of Win9x; note that the CDR
you build should be built on a clean PC, not yours. By not running
any code from the infected system, the malware is not active and can
no longer hide. This is "formal" scanning.
The second approach is to use tools designed to test for "live"
rootkit behavior, typically by looking for the same information in
different ways, and detecting differences in results. Such tools
should be run from the midst of the infected PC, i.e. informally.
The third approach is to do tests that should return the same results
when compared, but may not if there's a rootkit altering the behavior
of the infected OS. MS provides no maintenance OS for XP, so you'd
either have to do the Bart thing, or hope the rootkit is dumb enough
not to integrate itself into Safe Mode and use that as your "clean"
point of reference for comparison.
>> Would I be correct in assuming that the new virus definitions downloaded on
>> 10/19 simply found a remnant of the original hacktool.rootkit and scrubbed
>> it out OR is this thing still in my system and somehow regenerating itself?
That's the question, and I would not assume the latter, though it's
possible. It's more likely you are still "owned".
>> If it is regenerating itself, should I really be too concerned or is it more
>> of an annoyance? We have the XP firewall running and WEP encryption on our
>> home wifi network.
I'd worry, and fix it. WEP is weak and exploitable, so another
possibility is that an intruder can simply drop whatever malware they
like on your system "live" through your wireless network - or hack you
directly without leaving any code presence at all.
Personally, I prefer the hard scope of wires and walls.
>> I don't want to go thru the process of re-formatting and re-installing
Sure - if only because that doesn't exclude being hacked all over
again, if you have been "acquired" as a target.
>> I am looking for confirmation of my suspicion that the new anti-virus
>> definitions took out a remnant/orphan of the original problem and
>> that since I am having no other problems (before or now after), I am OK.
>> Am I just wishful thinking?
Yup. Get thee to a Bart-wielder and check this out properly, by
running multiple scanners (mine can host F-Prot, McAfee, Trend
SysClean, Stinger, AntiVir 6, Spybot and AdAware, and they all find
something the others missed on a rampantly-infected PC) then saving
logs from integration checking tools such as HiJackThis.
Then I find and rename away the following locations...
- Temp
- Temporary Internet Files
- Downloaded Program Files
- (other stuff, but that's a judgement call)
...before repeating my SysClean, Spybot and AdAware scans from Safe
Mode Command Only, then Windows "normal mode". Pay attention to your
System Restore, too, as that can restore an infected state; my policy
is to clear SR once I know the PC is OK and then immediately create a
new restore point as a clean baseline.
While all this is going on, keep ALL PCs offline, disconnected from
each other, with WiFi completely disabled. Before reconnecting any of
that stuff, check firewalls and change passwords to harder ones.
There are other steps you may need to do (e.g. check ADS - hopefully
your av scanners will do this automatically), but let's keep it simple
for now. Some web forums that accept HiJackThis logs for comment.
>--------------- ---- --- -- - - - -
I'm baaaack!
>--------------- ---- --- -- - - - -
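The reply's third approach, comparing what the running OS reports against what a maintenance-OS boot (or, as a weaker fallback, Safe Mode) reports of the same volume, is easy to mechanise once you have the two listings. The following is an added example written for this archive page, not code from the original post or from any of the tools it names: it parses two constructed "size|path" listings, folds Windows path case and separators so tool spelling differences are not reported as hits, and splits the result into entries hidden from the live view, entries only the live view saw, and entries whose sizes disagree. File names and sizes in the sample data are constructed, reusing only the file names the thread already mentions.

```python
"""Cross-view comparison of two file listings of the same volume.

Added example (not from the original post): one listing is taken from
inside the running, suspect OS (the post's "informal" view), the other
from a maintenance-OS boot such as Bart PE (the "formal" view). Whatever
the offline view shows that the live view omits is a hiding candidate.
The listing format and all sample entries below are constructed.
"""
from __future__ import annotations

import ntpath

# Constructed sample listings: "size|path", one entry per line.
LIVE_VIEW = r"""
# listed from inside the running XP install (informal view)
2180000|C:\WINDOWS\system32\ntoskrnl.exe
574976|C:\WINDOWS\system32\drivers\ntfs.sys
984064|C:\WINDOWS\System32\kernel32.dll
26624|C:\WINDOWS\system32\userinit.exe
16384|C:\WINDOWS\Temp\~DF1234.tmp
"""

OFFLINE_VIEW = r"""
# same volume, listed from a maintenance-OS boot (formal view)
2180000|c:\windows\system32\ntoskrnl.exe
574976|c:\windows\system32\drivers\ntfs.sys
984064|c:\windows\system32\KERNEL32.DLL
26624|c:\windows\system32\userinit.exe
41984|c:\windows\system32\msdirectx.sys
36864|c:\windows\system32\lock1.exe
118|c:\windows\system32\xz.bat
"""


def normalize(path: str) -> str:
    """Windows paths are case-insensitive; fold case and separators so a
    spelling difference between the two listing tools is not a false hit."""
    return ntpath.normpath(path.strip().replace("/", "\\")).lower()


def parse_listing(text: str) -> dict[str, int]:
    """Parse 'size|path' lines into {normalized path: size}; skip comments."""
    entries: dict[str, int] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        size, sep, path = line.partition("|")
        if not sep:
            raise ValueError(f"malformed listing line: {line!r}")
        entries[normalize(path)] = int(size)
    return entries


def cross_view_diff(live: dict[str, int], offline: dict[str, int]):
    """Compare the two views and return (hidden, phantom, mismatch).

    hidden:   present offline, missing live  -> something may be hiding it
    phantom:  present live, missing offline  -> usually runtime files (temp
              files, pagefile) created after the offline snapshot; note them
    mismatch: both views see it with different sizes -> contents may be
              filtered on the live side, or the file changed between snapshots
    """
    hidden = sorted(set(offline) - set(live))
    phantom = sorted(set(live) - set(offline))
    mismatch = sorted(p for p in live.keys() & offline.keys()
                      if live[p] != offline[p])
    return hidden, phantom, mismatch


def report(live_text: str, offline_text: str) -> str:
    """Human-readable summary of the cross-view comparison."""
    hidden, phantom, mismatch = cross_view_diff(parse_listing(live_text),
                                                parse_listing(offline_text))
    lines = []
    for label, items in (("hidden from live view", hidden),
                         ("only in live view", phantom),
                         ("size differs", mismatch)):
        lines.append(f"{label}: {len(items)}")
        lines.extend(f"  {p}" for p in items)
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(LIVE_VIEW, OFFLINE_VIEW))
```

Run as-is, the sample flags the three file names from the thread as hidden from the live view, lists the temp file as a live-only entry (the kind of phantom that is normally explained by the running OS creating files after the offline listing was taken), and reports no size mismatches. The same comparison works for any two views of the same data, e.g. a service or driver list exported from Safe Mode against one exported from normal mode, as long as both are normalised the same way before diffing.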