 |
 |
UnHackMe |  |
||||||||||||||||||||||||||||
|
• Greatis | |
|
• AppDatabase | |
 |
|
• Utilities | |
|
|
• Delphi/CB | |
|
|
• Visual Basic | |
|
|
• .NET | |
|
|
• Outsourcing | |
||||||
|
|||||||||||||||||||||||||||||||
|
Spooldr rootkit is spread by e-mail. Often attachment has the file name: "ecard.exe" or the similar name. UnHackMe detects the working driver (not hidden) during the "Scan for Viruses" process:
Also it detects the open process immediately after reboot:
But the spooldr.exe file is hidden by rootkit technology.
The main interesting thing is how does "Spooldr" automatically start after reboot. I used the Bootlog XP software to track the boot process. I found that the spooldr.sys is started immediately after "%SysDir%\Drivers\tcpip.sys". I checked the file sign of the tcpip.sys and I found that it is not signed. However the original tcpip.sys is signed.
I discovered the contents of the "tcpip.sys" and found the string "spooldr.sys" in the end of the file.
How rootkit works? The virus in the TCPIP.SYS is used for loading "spooldr.sys" driver. After that the driver executes "spooldr.exe" and hides the executable file. Spooldr.exe is used for propagation.
UnHackMe detects the "spooldr.sys" driver and it removes the driver at the next reboot. After that we can simply delete spooldr.exe and restore old tcpip.sys in the %SysDir%\Drivers and in the %SysDir%\dllcache folders. In addition, we need to remove "spooldr.exe" from the Windows Firewall Exclusion list. Also, delete the "spooldir.ini" from "Documents and Settings\UserName" fodler.
|
| ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
