Rootkits are used to hide system information, such as running processes, files, or registry entries. This technology is also used in building tools that help attackers compromise other machines.
First 4 Internet Ltd has developed a tool that is a legitimate Digital Rights Management (DRM) software package. As a standalone application it is not malicious, but some malicious applications use it to hide their dropped files and auto-start registry entries, which makes detection more difficult.
This rootkit is installed on the C: drive, in the Windows system folder (within a sub-folder of the Windows directory), using the file name ARIES.SYS. The rootkit is then executed as a service by an installation package and is configured to run at every system startup by creating the following registry entry:
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\$sys$aries
This hides files, folders and registry keys whose names begin with the string $sys$ from the Windows operating system, so the user cannot view any file, folder or registry key that begins with that string.
Two known malware families use this tool: BKDR_BREPLIBOT.C and BKDR_BREPLIBOT.D.
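An added check, not from the original post, that a defender can run in PowerShell on a Windows host. It tests for the hiding behaviour described above by creating a harmless file whose name begins with $sys$ and comparing a direct open by name with a directory listing, then does the same comparison for the $sys$aries service key. The probe file name, the use of %TEMP% and the direct-open-versus-listing comparison are my assumptions; note that $sys$ must be single-quoted so PowerShell does not expand it as variables.

```powershell
# Added example (not from the original post): check for the two indicators the
# text describes on a Windows host. '$sys$' is single-quoted throughout.
function Test-SysPrefixCloaking {
    param([string]$Directory = $env:TEMP)   # assumption: probe in %TEMP%
    # Create a harmless probe file whose name begins with $sys$, then compare a
    # direct open by name with a directory listing. A name filter like the one
    # described hides the file from the listing while the open still succeeds.
    $name = '$sys$probe_' + [guid]::NewGuid().ToString('N') + '.txt'
    $path = Join-Path $Directory $name
    try {
        Set-Content -LiteralPath $path -Value 'probe' -ErrorAction Stop
        $opensByName = Test-Path -LiteralPath $path
        $listed = @(Get-ChildItem -LiteralPath $Directory -Force |
                    Where-Object { $_.Name -eq $name }).Count -gt 0
        [pscustomobject]@{
            Probe       = $path
            OpensByName = $opensByName
            Listed      = $listed
            Cloaked     = ($opensByName -and -not $listed)
        }
    } finally {
        Remove-Item -LiteralPath $path -Force -ErrorAction SilentlyContinue
    }
}

function Test-AriesServiceKey {
    # Same direct-open versus enumeration comparison for the service key the
    # text names under HKLM\SYSTEM\CurrentControlSet\Services.
    $services = 'HKLM:\SYSTEM\CurrentControlSet\Services'
    $keyName  = '$sys$aries'
    $direct   = Test-Path -LiteralPath (Join-Path $services $keyName)
    $listed   = @(Get-ChildItem -LiteralPath $services -ErrorAction SilentlyContinue |
                  Where-Object { $_.PSChildName -eq $keyName }).Count -gt 0
    [pscustomobject]@{
        Key         = Join-Path $services $keyName
        OpensByName = $direct
        Listed      = $listed
        Cloaked     = ($direct -and -not $listed)
    }
}

$file = Test-SysPrefixCloaking
$reg  = Test-AriesServiceKey
if ($file.Cloaked -or $reg.OpensByName) {
    Write-Warning 'Indicators of the $sys$ rootkit found; follow the removal steps from Safe Mode.'
} else {
    Write-Output 'No $sys$ name cloaking and no $sys$aries service key observed.'
}
```

The probe works while the rootkit is active precisely because it looks for the hiding effect rather than for the hidden names; a plain file or registry search from the infected session would miss them.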
Removal:
Take a backup of the registry before you edit anything in it for this tool. Disable System Restore.
- Open Registry Editor. Click Start > Run, type REGEDIT, then press Enter.
- In the left panel, double-click the following:
HKEY_LOCAL_MACHINE > SYSTEM > CurrentControlSet > Services
- Still in the left panel, locate and delete the subkey:
$sys$aries
- Close Registry Editor.
Scan your computer in Safe Mode with a reputable anti-virus product, such as Trend Micro or Symantec, to remove the files installed by malware that uses this tool, as well as the tool itself. Online scanners such as Housecall, RootkitRevealer and the avast online scanner will also detect this tool and remove it.