Rootkits are used to hide system information such as running processes, files, or registry entries. This technology is also used to build tools that help in compromising other machines. First 4 Internet Ltd has developed a tool that is a legitimate Digital Rights Management (DRM) software package. As a standalone application it is non-malicious, but some malicious applications use it to hide their dropped files and auto-start registry entries, making detection more difficult.
This rootkit is installed in the Windows system folder (in a Windows sub-folder) under the file name ARIES.SYS. The rootkit is then registered as a service by the installation package and is configured to run at every system startup by creating the following registry entry:
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\$sys$aries
Two malware families are known to use this tool: BKDR_BREPLIBOT.C and BKDR_BREPLIBOT.D.
Removal:
Take a backup of the registry before you edit anything in the registry for this tool. Disable System Restore.
- Open Registry Editor. Click Start>Run, type REGEDIT, then press Enter.
- In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SYSTEM>CurrentControlSet>Services
- Still in the left panel, locate and delete the subkey:
$sys$aries
- Close Registry Editor.
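The manual steps above can be scripted for triage across several machines. The following is an added example, not code from the original post or from First 4 Internet: it checks for the service key and driver file named above, reports what it finds, and deletes them only when run with -Remove (supports -WhatIf). The driver search under the Windows directory and the Service Control Manager cross-check are assumptions, since the post only says "system folder".

```powershell
# Added example: triage/removal helper for the $sys$aries rootkit artifacts.
# Run from an elevated PowerShell. Because the rootkit hides registry entries
# while it is loaded, a clean result on a live system is not conclusive;
# re-run from Safe Mode or against an offline registry hive.
[CmdletBinding(SupportsShouldProcess = $true)]
param([switch]$Remove)

$serviceKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\$sys$aries'
$found = $false

# 1. The service registry key the manual steps delete by hand.
if (Test-Path -LiteralPath $serviceKey) {
    $found = $true
    $props = Get-ItemProperty -LiteralPath $serviceKey
    Write-Warning "Service key present: $serviceKey (ImagePath: $($props.ImagePath))"
    if ($Remove -and $PSCmdlet.ShouldProcess($serviceKey, 'Remove registry key')) {
        Remove-Item -LiteralPath $serviceKey -Recurse -Force
    }
}

# 2. The driver file anywhere under the Windows directory (assumed location).
$drivers = Get-ChildItem -Path $env:SystemRoot -Filter 'aries.sys' -Recurse -File -Force -ErrorAction SilentlyContinue
foreach ($d in $drivers) {
    $found = $true
    $sig = (Get-AuthenticodeSignature -FilePath $d.FullName).Status
    Write-Warning "Driver file present: $($d.FullName) ($($d.Length) bytes, signature: $sig)"
    if ($Remove -and $PSCmdlet.ShouldProcess($d.FullName, 'Delete driver file')) {
        Remove-Item -LiteralPath $d.FullName -Force
    }
}

# 3. Second, independent view via the Service Control Manager; a driver that
#    shows up here but not in the registry (or vice versa) is itself suspicious.
$loaded = Get-CimInstance -ClassName Win32_SystemDriver -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -like '*aries*' -or $_.PathName -like '*aries.sys*' }
foreach ($l in $loaded) {
    $found = $true
    Write-Warning "SCM reports driver: $($l.Name) state=$($l.State) path=$($l.PathName)"
}

if (-not $found) {
    Write-Output 'No $sys$aries artifacts found (inconclusive if the rootkit is loaded).'
}
```

Reboot after removal so the driver is no longer resident, then run the script again to confirm the key and file have not been recreated by a companion malware component.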