
It's a rootkit?

Discussion in 'Windows Security' started by Cristiano, Aug 6, 2009.

  1. Cristiano

    Cristiano Guest

  2. Cristiano

    Cristiano Guest

    David H. Lipman wrote:
    > From: "Cristiano" <cristiano.pi@NSquipo.it>
    >
    >> Kernel Detective
    >>
    >> found some modifications in the XP's kernel file ntoskrnl.exe
    >> (shown in the tab "Kernel Modifications").
    >> Does anybody know whether they are legitimate?
    >
    >> Thanks
    >> Cristiano
    >
    >
    > You said...
    > "Does anybody know whether they are legitimate?"
    >
    > What is/are "they"? You didn't post any substantiating information.

    "some modifications in the XP's kernel file ntoskrnl.exe":

    Address: 0x804DCB22
    Location: ntoskrnl.exe [.text]
    Len: 18
    State: Code Modification
    Current Value: E0 25 7F FF FF FF 0F 22 E0 0D 80 00 00 00 0F 22 E0 C3
    Original Value: D8 0F 22 D8 C3 0F 20 E0 25 7F FF FF FF 0F 22 E0 0D 80
    Distination Module: -


    Address: 0x804DCB3A
    Location: ntoskrnl.exe [.text]
    Len: 1
    State: Code Modification
    Current Value: 00
    Original Value: C3
    Distination Module: -


    Address: 0x804DDA9D
    Location: ntoskrnl.exe [.text]
    Len: 1
    State: Code Modification
    Current Value: 06
    Original Value: 05
    Distination Module: -


    Address: 0x804E5511
    Location: ntoskrnl.exe [.text]::RtlPrefetchMemoryNonTemporal
    Len: 1
    State: Code Modification
    Current Value: 90
    Original Value: C3
    Distination Module: -

    > I suggest you execute Gmer and see what it reports.

    No red lines, but there is something:

    GMER 1.0.15.15011 [gmer.exe] -

    Rootkit scan 2009-08-06 13:20:07
    Windows 5.1.2600 Service Pack 2


    ---- System - GMER 1.0.15 ----

    SSDT sptd.sys ZwEnumerateKey [0xF74F2FB2]
    SSDT sptd.sys ZwEnumerateValueKey [0xF74F3340]

    ---- Devices - GMER 1.0.15 ----

    Device \FileSystem\Ntfs \Ntfs 89B971E8
    Device \Driver\Tcpip \Device\Ip wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.)
    Device \Driver\Tcpip \Device\Tcp wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.)
    Device \Driver\Tcpip \Device\Udp wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.)
    Device \Driver\Tcpip \Device\RawIp wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.)

    ---- EOF - GMER 1.0.15 ----

    The modifications to the file wpsdrvnt.sys should be legitimate because I
    have Sygate firewall.

    Cristiano
     
  3. From: "Cristiano" <cristiano.pi@NSquipo.it>



    | "some modifications in the XP's kernel file ntoskrnl.exe":

    | Address: 0x804DCB22
    | Location: ntoskrnl.exe [.text]
    | Len: 18
    | State: Code Modification
    | Current Value: E0 25 7F FF FF FF 0F 22 E0 0D 80 00 00 00 0F 22 E0 C3
    | Original Value: D8 0F 22 D8 C3 0F 20 E0 25 7F FF FF FF 0F 22 E0 0D 80
    | Distination Module: -



    Please submit a sample of "ntoskrnl.exe" to Virus Total --

    The submission will then be tested against many different AV vendors' scanners.
    That will give you an idea what it is and who recognizes it. In addition, Virus
    Total will provide the sample to all participating vendors.

    You can also submit a suspect, one at a time, via the following email URL...
    mailto:scan@virustotal.com?subject=SCAN

    When you get the report, please post back the exact results.


    --
    Dave

    Multi-AV -
     
  4. > | "some modifications in the XP's kernel file ntoskrnl.exe":
    >
    > | Address: 0x804DCB22
    [...]
    > Please submit a sample of "ntoskrnl.exe" to Virus Total [...]

    This file will not reveal a rootkit; this one is probably clean.
    It is a modification of memory, as you can see from the 'Address' line.

    > | SSDT sptd.sys

    This one looks like some CD/DVD virtualization method,
    used by Alcohol, but it can also be some nasty rootkit...

    Regards,
    Kamil Konieczny
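The two reports quoted earlier in the thread (the Kernel Detective "Kernel Modifications" entries and the GMER SSDT/Device lines) are the kind of output an analyst ends up triaging by hand. The script below is an added example written for this page; it is not code from the thread, from Kernel Detective or from GMER, and the report layouts it parses are modelled on the quoted text, so the real tools' formats may differ. It parses constructed samples copied from the thread, measures how much of each "Current Value" is a contiguous run shared with the "Original Value" (a large shared run at a different offset is worth checking for a shifted or misaligned comparison window before treating the bytes as overwritten), names single-byte opcode changes where the opcode is unambiguous, and attributes each hook's driver to the product the thread itself associates with it. The `KNOWN_DRIVERS` table, the regular expressions and the triage thresholds are this example's own assumptions.

```python
import re
from typing import Any, Dict, List, Tuple

# Constructed sample modelled on the Kernel Detective output quoted in the thread.
KD_REPORT = """\
Address: 0x804DCB22
Location: ntoskrnl.exe [.text]
Len: 18
State: Code Modification
Current Value: E0 25 7F FF FF FF 0F 22 E0 0D 80 00 00 00 0F 22 E0 C3
Original Value: D8 0F 22 D8 C3 0F 20 E0 25 7F FF FF FF 0F 22 E0 0D 80
Distination Module: -

Address: 0x804DDA9D
Location: ntoskrnl.exe [.text]
Len: 1
State: Code Modification
Current Value: 06
Original Value: 05
Distination Module: -

Address: 0x804E5511
Location: ntoskrnl.exe [.text]::RtlPrefetchMemoryNonTemporal
Len: 1
State: Code Modification
Current Value: 90
Original Value: C3
Distination Module: -
"""

# Constructed sample modelled on the GMER lines quoted in the thread.
GMER_REPORT = r"""
SSDT sptd.sys ZwEnumerateKey [0xF74F2FB2]
SSDT sptd.sys ZwEnumerateValueKey [0xF74F3340]
Device \Driver\Tcpip \Device\Tcp wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.)
"""

# Assumed allowlist: the products the thread itself attributes these drivers to.
KNOWN_DRIVERS = {
    "sptd.sys": "SPTD disc-emulation driver (Daemon Tools / Alcohol)",
    "wpsdrvnt.sys": "Sygate personal firewall",
}
# Single-byte x86 opcodes worth naming when a one-byte patch lands in .text.
OPCODE_NAMES = {0xC3: "ret", 0x90: "nop", 0xCC: "int3", 0xE9: "jmp rel32", 0xE8: "call rel32"}
SSDT_RE = re.compile(r"^SSDT\s+(\S+)\s+(\w+)\s+\[(0x[0-9A-Fa-f]+)\]")
DEVICE_RE = re.compile(r"^Device\s+(\S+)\s+(\S+)\s+(\S+\.sys)\s+\((.*)\)")


def parse_kd_report(text: str) -> List[Dict[str, Any]]:
    """Split the report into blank-line-separated blocks and decode each block's fields."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields: Dict[str, str] = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")
            if sep:
                fields[key.strip()] = value.strip()
        if "Address" not in fields:
            continue
        module, _, symbol = fields.get("Location", "").partition("::")
        entries.append({
            "address": int(fields["Address"], 16),
            "module": module.strip(), "symbol": symbol.strip(),
            "current": bytes.fromhex(fields.get("Current Value", "")),
            "original": bytes.fromhex(fields.get("Original Value", "")),
        })
    return entries


def longest_common_run(a: bytes, b: bytes) -> Tuple[int, int, int]:
    """(length, start in a, start in b) of the longest contiguous byte run shared by a and b."""
    best, end_a, end_b = 0, 0, 0
    prev = [0] * (len(b) + 1)
    for i, x in enumerate(a):
        cur = [0] * (len(b) + 1)
        for j, y in enumerate(b):
            if x == y:
                cur[j + 1] = prev[j] + 1
                if cur[j + 1] > best:
                    best, end_a, end_b = cur[j + 1], i, j
        prev = cur
    return (best, end_a - best + 1, end_b - best + 1) if best else (0, -1, -1)


def triage_entry(entry: Dict[str, Any]) -> Dict[str, Any]:
    """Defender-side summary of one modification: where it sits and how the bytes relate."""
    cur, orig = entry["current"], entry["original"]
    run, off_orig, off_cur = longest_common_run(orig, cur)
    where = f"{entry['module']}::{entry['symbol']}" if entry["symbol"] else entry["module"]
    notes: List[str] = []
    if len(cur) == 1 and len(orig) == 1:
        before, after = OPCODE_NAMES.get(orig[0], "?"), OPCODE_NAMES.get(cur[0], "?")
        if "?" not in (before, after):
            notes.append(f"single-byte opcode change {before} -> {after}")
        else:
            notes.append("single-byte change with no unambiguous opcode; may be an immediate")
    elif run >= len(cur) // 2:  # assumed threshold: half the window or more is shared
        notes.append(f"{run} of {len(cur)} bytes are a contiguous run also present in the original "
                     f"(shift {off_orig - off_cur}); check the comparison window before "
                     "calling this an overwrite")
    else:
        notes.append(f"only {run} contiguous bytes shared: bytes were replaced")
    notes.append("in-memory .text modification: scanning the file on disk will not show it")
    return {"address": entry["address"], "where": where, "shared_run": run, "notes": notes}


def parse_gmer(text: str) -> List[Dict[str, Any]]:
    """Extract SSDT hooks and Device attachments with the driver that owns each."""
    hooks = []
    for line in text.strip().splitlines():
        m = SSDT_RE.match(line)
        if m:
            drv, func, addr = m.groups()
            hooks.append({"kind": "SSDT", "driver": drv.lower(), "target": func, "address": int(addr, 16)})
            continue
        m = DEVICE_RE.match(line)
        if m:
            _, dev, drv, vendor = m.groups()
            hooks.append({"kind": "Device", "driver": drv.lower(), "target": dev, "vendor": vendor})
    return hooks


def attribute_hook(hook: Dict[str, Any]) -> str:
    """Map the hooking driver to a known product, or flag it for investigation."""
    owner = KNOWN_DRIVERS.get(hook["driver"])
    base = f"{hook['kind']} hook on {hook['target']} by {hook['driver']}: "
    return base + (f"attributed to {owner}; confirm that product is installed" if owner
                   else "unknown driver, investigate")


if __name__ == "__main__":
    for e in parse_kd_report(KD_REPORT):
        t = triage_entry(e)
        print(f"0x{t['address']:08X} {t['where']}")
        for n in t["notes"]:
            print("   -", n)
    for h in parse_gmer(GMER_REPORT):
        print(attribute_hook(h))
```

Running it lists the three modifications with their notes, then the hooks with the product each driver is attributed to. The shared-run measure is only a prompt to re-check the tool's comparison, not a verdict; the attribution step likewise only tells the analyst which installed product should explain the hook, which is exactly the cross-check the thread ends up doing by hand with Sygate and Daemon Tools.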
     
  5. Cristiano

    Cristiano Guest

    Kamil Konieczny wrote:
    >>> "some modifications in the XP's kernel file ntoskrnl.exe":
    >>
    >>> Address: 0x804DCB22
    > [...]
    >
    >> Please submit a sample of "ntoskrnl.exe" to Virus Total [...]
    >
    > This file will not reveal a rootkit; this one is probably clean.
    > It is a modification of memory, as you can see from the 'Address' line.
    >
    >>> SSDT sptd.sys

    Very good! :) Someone knows what we're talking about.
    > This one looks like some CD/DVD virtualization method,
    > used by Alcohol, but it can also be some nasty rootkit...

    I had Daemon Tools installed (now uninstalled), so I hope it was a
    legitimate file (I also deleted sptd.sys).

    Cristiano
     
