AFXrootkit
- Type: Trojan
- SubType: Remote Access
- Discovery Date: 01/14/2004
- Length: Various
- Minimum DAT: 4228 (07/02/2003)
- Updated DAT: 4611 (10/24/2005)
- Minimum Engine: 5.1.00
- Description Added: 04/15/2004
- Description Modified: 07/29/2004 1:05 AM (PT)
All Information
Overview -
This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.
Aliases
- Hacktool.Rootkit (Symantec)
- TROJ_MADTOL.A (Trend)
- Trojan.Win32.Madtol.a (Kaspersky)
- Win32.Afrootix (CA Vet)
Characteristics -
There are many versions of this remote access trojan. Customers are advised to use the latest engine and DATs for optimal detection.
This detection is for a stealthing trojan rootkit intended to compromise victim machines. Once fully installed on the victim machine, the malware is capable of stealthing itself, hiding any of the following:
- running processes
- files on disk
- Registry keys
- open ports
Typically, the malware installs three files on the victim machine (the filenames vary between samples). The target directory also varies, but is typically %WinDir% or %WinDir%\System32. For example:
- %WinDir%\SYSTEM32\CONF.COM
- %WinDir%\SYSTEM32\CONFMSER.DLL
- %WinDir%\SYSTEM32\CONFMSUR.DLL
The central binary hooks system startup, typically via a Registry Run value. For example:
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "CONF.COM" = %WinDir%\SYSTEM32\CONF.COM
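As an added example (not McAfee's tooling, and not code from the rootkit), the following Python script shows one way to check the persistence artifact described above from a view of the Registry that the rootkit's hooks do not reach. It parses `.reg` exports of the Run key, flags values whose program is a `.COM` file under %WinDir%, and reports any value present in an export taken from the offline SOFTWARE hive (clean boot) but absent from an export taken on the running system, which is exactly what a rootkit that hides Registry keys produces. The two sample exports, the benign `SecurityHealth` entry and all function names are constructed for illustration.

```python
"""Added example: triage the HKLM Run key for AFXrootkit-style persistence.

Not McAfee's tooling. Works on .reg exports such as those produced by
    reg export "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run" run.reg
taken (a) on the running system and (b) from the offline SOFTWARE hive after a
clean boot, where the rootkit's hooks are not active.
"""
import re
from dataclasses import dataclass

# Constructed sample: export taken on the live (infected) system. The rootkit
# hides its own value from the Registry APIs, so only the benign entry shows.
LIVE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="%windir%\\system32\\SecurityHealthSystray.exe"
'''

# Constructed sample: the same key exported from the offline hive.
OFFLINE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="%windir%\\system32\\SecurityHealthSystray.exe"
"CONF.COM"="%WinDir%\\SYSTEM32\\CONF.COM"
'''

# "name"="string data"; .reg files escape \ as \\ and " as \" inside strings.
_STRING_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def _unescape(s: str) -> str:
    return re.sub(r'\\(.)', r'\1', s)


def parse_run_values(reg_text: str) -> dict[str, str]:
    """Return {value name: command line} for the string values of the Run key."""
    values: dict[str, str] = {}
    in_run_key = False
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith('[') and line.endswith(']'):
            in_run_key = line.lower().endswith(r'\currentversion\run]')
            continue
        if not in_run_key:
            continue
        m = _STRING_VALUE_RE.match(line)
        if m:
            values[_unescape(m.group(1))] = _unescape(m.group(2))
    return values


def program_of(command: str) -> str:
    """The program part of a Run command line, with surrounding quotes removed."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(' ', 1)[0]


@dataclass(frozen=True)
class Finding:
    value_name: str
    command: str
    reason: str


def triage_run_values(live: dict[str, str], offline: dict[str, str]) -> list[Finding]:
    """Flag Run values that match the loader pattern or are hidden from the live view."""
    findings: list[Finding] = []
    for name, command in offline.items():
        if name not in live:
            # In the hive on disk, but not returned on the running system: the
            # Registry enumeration APIs there are being filtered.
            findings.append(Finding(name, command, 'hidden from live Registry view'))
        program = program_of(command).lower()
        if program.endswith('.com') and (program.startswith('%windir%\\') or '\\system32\\' in program):
            findings.append(Finding(name, command, '.COM loader under %WinDir%'))
    return findings


if __name__ == '__main__':
    for f in triage_run_values(parse_run_values(LIVE_EXPORT), parse_run_values(OFFLINE_EXPORT)):
        print(f'{f.reason}: "{f.value_name}" = {f.command}')
```

Real `reg export` output is UTF-16 with a byte-order mark, so read the files with `encoding='utf-16'` before passing them to `parse_run_values`. The "hidden from live Registry view" finding is the stronger of the two indicators: the filename pattern changes between samples, but a value that exists in the hive and is missing from a live export can only be explained by something filtering the Registry APIs on the running system.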
Symptoms -
Once fully installed on the victim machine there may not be any suspicious symptoms evident, due to the stealthing nature of this malware. Because the rootkit filters its own processes, files, Registry keys and open ports out of the results returned to other programs, tools run on the live system (Task Manager, Explorer, Regedit, netstat) can report nothing unusual; the installed files and the Run value are visible only from a view the hooks do not reach, such as the disk and Registry hives examined from a clean boot.
Method of Infection -
This remote access trojan uses a third-party hooking library to hook Windows API calls. The hooks filter what those APIs return to other programs, so the rootkit's own processes, files, Registry keys and open ports are dropped from process, directory, Registry and port listings; this is how the trojan stealths its activity on the victim machine once it is running. The hooking does not spread the trojan by itself; see the Overview for how trojans are distributed.
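As an added example (not McAfee's tooling), the following Python script demonstrates the cross-view check that catches this kind of hiding: the process list returned by the enumeration API that a user-mode hook can filter (`EnumProcesses`) is compared with the set of PIDs for which `OpenProcess` either succeeds or fails with access denied, i.e. PIDs that exist whether or not enumeration admits them. Collection calls the Win32 API through `ctypes` and only runs on Windows; the comparison is a pure function, shown here on constructed sample PIDs. The probe range limit, the sample PID values and the function names are assumptions.

```python
"""Added example: cross-view process check against user-mode API hooking.

Not McAfee's tooling. Compares the process list returned by EnumProcesses,
which a hook inside the calling process can filter, with the set of PIDs that
OpenProcess says exist. A hook that only filters enumeration results leaves
the second view intact. Collection is Windows-only; the comparison is a pure
function demonstrated on constructed sample PIDs.
"""
import sys
from typing import Iterable

PROCESS_QUERY_LIMITED_INFORMATION = 0x1000
ERROR_ACCESS_DENIED = 5        # PID exists but is protected from us
MAX_PID = 1 << 18              # assumption: probe range; Windows PIDs are multiples of 4


def enumerate_pids_via_api() -> set[int]:
    """The process list as hooked tools see it (psapi!EnumProcesses)."""
    import ctypes
    from ctypes import wintypes
    psapi = ctypes.WinDLL('psapi', use_last_error=True)
    pids = (wintypes.DWORD * 8192)()
    returned = wintypes.DWORD()
    if not psapi.EnumProcesses(pids, ctypes.sizeof(pids), ctypes.byref(returned)):
        raise ctypes.WinError(ctypes.get_last_error())
    return set(pids[: returned.value // ctypes.sizeof(wintypes.DWORD)])


def probe_pids_via_openprocess(max_pid: int = MAX_PID) -> set[int]:
    """PIDs that exist according to OpenProcess, regardless of enumeration."""
    import ctypes
    from ctypes import wintypes
    k32 = ctypes.WinDLL('kernel32', use_last_error=True)
    k32.OpenProcess.argtypes = [wintypes.DWORD, wintypes.BOOL, wintypes.DWORD]
    k32.OpenProcess.restype = wintypes.HANDLE
    k32.CloseHandle.argtypes = [wintypes.HANDLE]
    alive: set[int] = set()
    for pid in range(4, max_pid, 4):
        handle = k32.OpenProcess(PROCESS_QUERY_LIMITED_INFORMATION, False, pid)
        if handle:
            k32.CloseHandle(handle)
            alive.add(pid)
        elif ctypes.get_last_error() == ERROR_ACCESS_DENIED:
            alive.add(pid)   # exists, just not openable by this caller
    return alive


def hidden_pids(api_view: Iterable[int], probe_view: Iterable[int]) -> set[int]:
    """PIDs present in the probe view but missing from the enumeration view."""
    return set(probe_view) - set(api_view)


def collect_windows_views() -> tuple[set[int], set[int]]:
    """Probe before and after enumerating and keep only PIDs alive both times,
    so a process that exits mid-check is not reported as hidden."""
    before = probe_pids_via_openprocess()
    api = enumerate_pids_via_api()
    after = probe_pids_via_openprocess()
    return api, before & after


# Constructed sample: an enumeration from which PID 1312 has been filtered out.
SAMPLE_API_VIEW = {4, 512, 788, 1040, 2064}
SAMPLE_PROBE_VIEW = {4, 512, 788, 1040, 1312, 2064}


def main() -> None:
    if sys.platform == 'win32':
        api_view, probe_view = collect_windows_views()
    else:
        api_view, probe_view = SAMPLE_API_VIEW, SAMPLE_PROBE_VIEW
    for pid in sorted(hidden_pids(api_view, probe_view)):
        print(f'PID {pid} exists but is absent from EnumProcesses: possible hidden process')


if __name__ == '__main__':
    main()
```

Run it as an administrator on the suspect host and follow up any reported PID with the file and Registry checks from a clean boot. A rootkit that also hooks `OpenProcess` (or the underlying `NtOpenProcess`) defeats this probe, so an empty result is inconclusive rather than a clean bill of health.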
Removal -
All Users:
Use current engine and DAT files for detection and removal.
Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be removed when cleaning with the recommended engine and DAT combination (or higher).
Because the rootkit hides its files and Registry keys from programs running on the infected system, a clean result from a scan run on that system is not conclusive; if infection is suspected, repeat the scan from a clean boot environment, where the rootkit's hooks are not active.
Variants -
N/A