MAPKOBKA^^
05.12.2007, 00:16
A small Trojan program, designed to fight Antivirus, Firewall and Anti-malware utilities. The size of the executable file is about 5KB. When run, it silently performs the following actions:
1. Creates the driver C:\WINDOWS\system32\unpr.sys, file size 2.5KB (This file is stored in the body of the Trojan)
2. Registers the driver through the standard API, under the name of UNPR, after which it shuts down the computer.
The Trojan does not load the installed driver, so the driver only starts loading after the computer is rebooted. The driver tracks the loading of processes without intercepting functions, using the documented notification mechanism for PE files being loaded into memory (LoadImageNotifyRoutine). After receiving notice of a process launch, the driver compares the name of the process being launched to its database of names, which is stored in the driver (there are two databases in the driver: a database of EXE file names and a database of driver names).
If it finds a match, the driver opens the process and terminates it.
The Trojan blocks/terminates processes with the following names:
avp.exe avpm.exe avz.exe bdmcon.exe bdss.exe ccapp.exe ccevtmgr.exe cclaw.exe ccpxysvc.exe fsav32.exe fsbl.exe fsm32.exe gcasserv.exe iao.exe icmon.exe inetupd.exe issvc.exe kav.exe kavss.exe kavsvc.exe klswd.exe livesrv.exe mcshield.exe msssrv.exe nod32krn.exe nod32ra.exe pavfnsvr.exe rtvscan.exe savscan.exe zclient.exe
As you can see, an entry exists for avz.exe in the Trojan's database, which leads to the blocking of its launch. Protecting against this is simple: the process is identified by name, so to get around this and allow the file to execute, it is enough to rename the file, giving it a random name such as 123.exe. To delete the Trojan driver, it is possible to execute a script similar to the one below in AVZ:
begin
DeleteService('UNPR', true);
RebootWindows(true);
end.
<<Translation by MAPKOBKA^^ from original by Oleg Zaitsev located here: http://virusinfo.info/showthread.php?t=14734>>
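The matching step described in the post, as an added example (this is not code from the original post and not the Trojan's own code): a user-mode C simulation of the check the driver would perform inside its LoadImageNotifyRoutine callback. The callback is documented to receive the full NT path of every image mapped into a process (DLLs as well as the main EXE), so the check below takes the final path component and compares it against the EXE list given above. Case-insensitive matching and the sample paths are assumptions constructed for illustration. The last sample shows why the rename workaround works: 123.exe matches nothing in the list.

```c
/* Added example, not part of the original post or the Trojan:
 * user-mode simulation of the name check a LoadImageNotifyRoutine
 * callback could perform.  The real callback receives the image's
 * full NT path (e.g. \Device\HarddiskVolume1\Program Files\AVZ\avz.exe),
 * so only the final path component is compared.  Case-insensitive
 * comparison is an assumption (NTFS file names are case-insensitive). */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <wchar.h>
#include <wctype.h>

/* EXE name database exactly as listed in the post. */
static const wchar_t *const kTargets[] = {
    L"avp.exe", L"avpm.exe", L"avz.exe", L"bdmcon.exe", L"bdss.exe",
    L"ccapp.exe", L"ccevtmgr.exe", L"cclaw.exe", L"ccpxysvc.exe",
    L"fsav32.exe", L"fsbl.exe", L"fsm32.exe", L"gcasserv.exe", L"iao.exe",
    L"icmon.exe", L"inetupd.exe", L"issvc.exe", L"kav.exe", L"kavss.exe",
    L"kavsvc.exe", L"klswd.exe", L"livesrv.exe", L"mcshield.exe",
    L"msssrv.exe", L"nod32krn.exe", L"nod32ra.exe", L"pavfnsvr.exe",
    L"rtvscan.exe", L"savscan.exe", L"zclient.exe",
};

/* Final path component of an NT (\Device\...) or Win32 (C:\...) path. */
const wchar_t *image_basename(const wchar_t *path)
{
    const wchar_t *slash = wcsrchr(path, L'\\');
    return slash ? slash + 1 : path;
}

/* Case-insensitive equality of two wide strings (C99 has no wcscasecmp). */
static bool wequal_nocase(const wchar_t *a, const wchar_t *b)
{
    for (; *a && *b; ++a, ++b)
        if (towlower((wint_t)*a) != towlower((wint_t)*b))
            return false;
    return *a == *b;   /* true only if both strings ended together */
}

/* The decision the driver takes for one image load: true = terminate. */
bool is_targeted(const wchar_t *full_image_name)
{
    const wchar_t *name = image_basename(full_image_name);
    for (size_t i = 0; i < sizeof kTargets / sizeof kTargets[0]; ++i)
        if (wequal_nocase(name, kTargets[i]))
            return true;
    return false;
}

int main(void)
{
    /* Constructed sample paths in the form the callback would see them. */
    const wchar_t *samples[] = {
        L"\\Device\\HarddiskVolume1\\Program Files\\AVZ\\avz.exe",
        L"\\Device\\HarddiskVolume1\\WINDOWS\\explorer.exe",
        L"\\Device\\HarddiskVolume1\\Program Files\\AVZ\\123.exe",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; ++i)
        printf("%ls -> %s\n", samples[i],
               is_targeted(samples[i]) ? "TERMINATE" : "allow");
    return 0;
}
```

Because the check keys on the file name alone, any copy of the same binary under a different name passes it, which is exactly the workaround the post recommends.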