Re: It's a rootkit?



David H. Lipman wrote:
From: "Cristiano" <cristiano.pi@xxxxxxxxxx>

Kernel Detective
http://www.at4re.com/news.php
found some modifications in the XP's kernel file ntoskrnl.exe
(shown in the "Kernel Modifications" tab).
Does anybody know whether they are legitimate?

Thanks
Cristiano


You said...
"Does anybody know whether they are legitimate?"

What is/are "they"? You didn't post any substantiating information.

"some modifications in the XP's kernel file ntoskrnl.exe":

Address: 0x804DCB22
Location: ntoskrnl.exe [.text]
Len: 18
State: Code Modification
Current Value: E0 25 7F FF FF FF 0F 22 E0 0D 80 00 00 00 0F 22 E0 C3
Original Value: D8 0F 22 D8 C3 0F 20 E0 25 7F FF FF FF 0F 22 E0 0D 80
Distination Module: -


Address: 0x804DCB3A
Location: ntoskrnl.exe [.text]
Len: 1
State: Code Modification
Current Value: 00
Original Value: C3
Distination Module: -


Address: 0x804DDA9D
Location: ntoskrnl.exe [.text]
Len: 1
State: Code Modification
Current Value: 06
Original Value: 05
Distination Module: -


Address: 0x804E5511
Location: ntoskrnl.exe [.text]::RtlPrefetchMemoryNonTemporal
Len: 1
State: Code Modification
Current Value: 90
Original Value: C3
Distination Module: -


I suggest you execute Gmer and see what it reports.

No red lines, but there is something:

GMER 1.0.15.15011 [gmer.exe] - http://www.gmer.net
Rootkit scan 2009-08-06 13:20:07
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.15 ----

SSDT sptd.sys ZwEnumerateKey [0xF74F2FB2]
SSDT sptd.sys ZwEnumerateValueKey [0xF74F3340]

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 89B971E8
Device \Driver\Tcpip \Device\Ip wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.)
Device \Driver\Tcpip \Device\Tcp wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.)
Device \Driver\Tcpip \Device\Udp wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.)
Device \Driver\Tcpip \Device\RawIp wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.)

---- EOF - GMER 1.0.15 ----

The modifications to the file wpsdrvnt.sys should be legitimate because I have the Sygate firewall.

Cristiano
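Added here as an example, not code from the thread or from Kernel Detective: a small Python triage helper for records in the "Kernel Modifications" format quoted above. It checks that Len agrees with both byte dumps, names the single-byte x86 opcodes ret (C3) and nop (90) where they change, and reports when the current bytes are simply the original window shifted by a few bytes, which is worth ruling out as a comparison-offset artefact before reading a record as a large block of rewritten code. The field names and the two sample records are copied from the thread; the function names and the shift heuristic are my own.

```python
import re

# Constructed sample: two "Kernel Modifications" records copied from this thread.
SAMPLE = """\
Address: 0x804DCB22
Location: ntoskrnl.exe [.text]
Len: 18
State: Code Modification
Current Value: E0 25 7F FF FF FF 0F 22 E0 0D 80 00 00 00 0F 22 E0 C3
Original Value: D8 0F 22 D8 C3 0F 20 E0 25 7F FF FF FF 0F 22 E0 0D 80
Distination Module: -
Address: 0x804E5511
Location: ntoskrnl.exe [.text]::RtlPrefetchMemoryNonTemporal
Len: 1
State: Code Modification
Current Value: 90
Original Value: C3
Distination Module: -
"""

FIELD = re.compile(r"^([A-Za-z ]+):\s*(.*)$")  # "Name: value" lines as the tool prints them
OPCODE = {0xC3: "ret", 0x90: "nop"}             # single-byte x86 opcodes worth naming

def parse_records(text):
    """One dict per record; a new record starts at each 'Address:' line."""
    records = []
    for line in text.splitlines():
        m = FIELD.match(line.strip())
        if not m:
            continue
        if m.group(1) == "Address":
            records.append({})
        records[-1][m.group(1)] = m.group(2)
    return records

def window_shift(cur, orig):
    """Smallest k > 0 such that cur is orig shifted left by k bytes, else None."""
    for k in range(1, len(orig)):
        if cur[:len(orig) - k] == orig[k:]:
            return k
    return None

def triage(rec):
    """Len consistency, differing offsets with opcode names, and any window shift."""
    cur, orig = (bytes.fromhex(rec[k]) for k in ("Current Value", "Original Value"))
    changed = [i for i, (a, b) in enumerate(zip(cur, orig)) if a != b]
    return {"address": int(rec["Address"], 16),
            "len_ok": len(cur) == len(orig) == int(rec["Len"]),
            "changed": [(i, OPCODE.get(orig[i], "?"), OPCODE.get(cur[i], "?")) for i in changed],
            "shift": window_shift(cur, orig)}
```

For the first record the helper reports a shift of 7, i.e. the current dump repeats the original from its eighth byte onward, and for the last record a single ret replaced by nop.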

