Noskrnl is not a new rootkit. It is a new version of Spooldr rootkit.
The Noskrnl rootkit is spread by e-mail. The attachment often has the file name "SuperLaugh.exe" or a similar name.
RegRun detects the running driver (it is not hidden) during the "Scan for Viruses" process.
It also detects the running process immediately after reboot.
But the noskrnl.exe file is hidden by rootkit technology.
The new version of Spooldr, "Noskrnl", doesn't change the standard Windows tcpip.sys driver.
Noskrnl uses "noskrnl" subkeys under HKLM\System\CurrentControlSet\Services and under all other "ControlSet" keys.
How does the rootkit work?
Windows loads the "noskrnl.sys" driver at startup.
"Noskrnl.exe" starts from the registry Run key.
The driver is used to hide the rootkit files.
Noskrnl.exe is used for propagation.
Noskrnl.config is located in the Windows folder. It sets the port used and some other settings.
RegRun Reanimator detects the "Noskrnl.sys" driver and "Noskrnl.exe" and it removes both without problems.
In addition, we need to remove "Noskrnl.config" from the Windows folder.
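The persistence artifacts listed above (the "noskrnl" service subkey under every ControlSet, the Run value that starts noskrnl.exe, noskrnl.config in the Windows folder, and the running process) can be checked with a script like the following. This is an added example, not RegRun's own code; it assumes the service subkey is literally named "noskrnl", that the Run value data references a file named noskrnl.exe, and that the config file sits in $env:windir.

```powershell
# Added detection example (not RegRun's code): looks for the Noskrnl
# persistence artifacts described in the text. Assumptions: the service
# subkey is literally "noskrnl", the Run value data references noskrnl.exe,
# and noskrnl.config is in $env:windir. Run from an elevated prompt.

$findings = @()

# 1. Service subkey "noskrnl" under every ControlSet. CurrentControlSet is a
#    link to one ControlSet00N key, so the real keys are enumerated as well.
$controlSets = Get-ChildItem 'HKLM:\SYSTEM' -ErrorAction SilentlyContinue |
    Where-Object { $_.PSChildName -match '^(ControlSet\d{3}|CurrentControlSet)$' }
foreach ($cs in $controlSets) {
    $svc = "$($cs.PSPath)\Services\noskrnl"
    if (Test-Path $svc) {
        $image = (Get-ItemProperty $svc -ErrorAction SilentlyContinue).ImagePath
        $findings += "Service key present: $svc (ImagePath: $image)"
    }
}

# 2. Run values in HKLM and HKCU whose data references noskrnl.exe
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($rk in $runKeys) {
    if (-not (Test-Path $rk)) { continue }
    $props = Get-ItemProperty $rk
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Value -is [string] -and $p.Value -match 'noskrnl\.exe') {
            $findings += "Run value '$($p.Name)' in $rk -> $($p.Value)"
        }
    }
}

# 3. Config file in the Windows folder. The driver hides the rootkit files,
#    so a user-mode file check can miss them while the rootkit is active;
#    the registry entries above are the more reliable indicator.
$cfg = Join-Path $env:windir 'noskrnl.config'
if (Test-Path $cfg) { $findings += "Config file present: $cfg" }

# 4. The process itself is visible immediately after reboot.
if (Get-Process -Name noskrnl -ErrorAction SilentlyContinue) {
    $findings += 'noskrnl.exe process is running'
}

if ($findings.Count -eq 0) { 'No Noskrnl artifacts found.' } else { $findings }
```

A hit on the service subkey or the Run value is the strongest signal, since the file checks can be defeated by the driver's hiding while it is loaded.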
Conclusion
Download RegRun Reanimator (free of charge, no ads):
http://www.greatis.com/reanimator.zip
We suggest using RegRun Platinum Edition to be sure that your system is clear of the rootkit!
Good luck!
Dmitry Sokolov