Nov 30, 2010 08:58 GMT

Security researchers from BitDefender have come across a new rootkit, which seems designed to drop a lot of adware programs on the infected systems.

Detected as Rootkit.Woor.A, the malware installs itself as a randomly named service and runs as a system driver. This allows it to perform actions with kernel privileges.

The rootkit overwrites the legit explorer.exe with a malicious version, which is subsequently called during the normal system boot process.

When started, the rogue explorer.exe makes sure every component of this threat is running properly and that the unauthorized registry keys it needs are in place.

It then proceeds to load the legit Windows Explorer from the system's dll cache, making it appear to the victim as if everything is functioning properly.

The rootkit also interferes with the operation of antivirus programs and other system monitoring applications by preventing their execution on the system.

This is done by creating, under "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options", per-program subkeys whose "Debugger" value specifies that these security programs should be started with "ntsd.exe -d" (Symbolic Debugger for Windows).

"The option -d states that all debugger output should be sent to the kernel debugger; so, either because ntsd doesn't exist on the local machine or there is no kernel debugger attached (this being the regular situation), the targeted executable will not start," the BitDefender researchers explain.

Another component of this threat is called SafeDrvse1.exe and it infects Internet Explorer. It is dropped with "hidden" and "system" attributes in the \Program Files\Common Files\ folder.

A startup registry key is added for the file under "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run".
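An added example (not BitDefender's code or part of the original article) for triaging the two registry locations described above in an exported hive: a small Python parser over a constructed .reg sample that flags Image File Execution Options "Debugger" values (marking those that redirect to "ntsd -d") and any autostart entries under Policies\Explorer\Run. The program names, value names and paths in the sample are constructed for illustration.

```python
import re

# Constructed .reg export (not real forensic data) showing the two spots the
# article describes: an IFEO Debugger value redirecting a security tool to
# "ntsd.exe -d", and a Policies\Explorer\Run autostart for a hidden dropper.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avscanner.exe]
"Debugger"="ntsd.exe -d"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"GlobalFlag"=dword:00000200

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
"SafeDrv"="C:\\Program Files\\Common Files\\SafeDrvse1.exe"
"""

IFEO = "\\CurrentVersion\\Image File Execution Options\\"
POLICY_RUN = "\\CurrentVersion\\Policies\\Explorer\\Run"


def parse_reg(text):
    """Parse a .reg export into {key_path: {value_name: data}}; string data is unquoted."""
    keys, current = {}, None
    for line in text.splitlines():
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current and line.startswith('"'):
            m = re.match(r'"([^"]+)"=(.*)', line)
            if m:
                name, data = m.group(1), m.group(2)
                if data.startswith('"') and data.endswith('"'):
                    data = data[1:-1].replace("\\\\", "\\")  # undo .reg escaping
                keys[current][name] = data
    return keys


def find_suspicious(text):
    """Return (kind, name, data) findings for IFEO Debugger hijacks and Policies Run autostarts."""
    findings = []
    for key, values in parse_reg(text).items():
        if IFEO.lower() in key.lower() and "Debugger" in values:
            target = key.rsplit("\\", 1)[-1]  # the program being redirected
            dbg = values["Debugger"]
            kind = "ifeo-ntsd-block" if re.search(r"ntsd(\.exe)?\s+-d", dbg, re.I) else "ifeo-debugger"
            findings.append((kind, target, dbg))
        if key.lower().endswith(POLICY_RUN.lower()):
            for name, data in values.items():
                findings.append(("policies-run-autostart", name, data))
    return findings
```

Any IFEO Debugger value deserves a look, since legitimate uses are rare outside developer machines; the ntsd case is the specific blocking trick quoted above.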

The researchers warn that this component proceeds to download all sorts of adware-like programs, such as games, video players or streaming and instant messaging utilities.

The rogue programs ask users to pay for licenses and having so many installed on the computer can affect its performance considerably.