Overview |
|
Vendor Notes: |
From the doc: 'AFX Windows Rootkit 2003 This software generates a system patch that will hide processes, files, folders, registry keys and netstat entries from Windows 95/98/ME/NT/2k/XP/2003. Information is withheld based on 4 lists of mask strings. This enables you to apply wildcards to hiding functions such as hiding files based on "*.exe" or netstat entries based on "*TCP*:80*" to hide http traffic. The "example.exe" include is preconfigured to hide all processes/files and keys matching "~~*" and all "*TCP*" traffic. The installer copies itself to the system directory and extracts 2 DLL files from its resources. It saves the files as "iexplore.exe" and "explorer.exe". The first dll is loaded into "explorer.exe" which then installs hooks contained in "explorer.dll". To configure a custom rootkit run "RootKit.exe" and click "Help" and make sure to compress your installer! Aphex' |
Alias: |
AFXrootkit [McAfee], Bck/Ratsou.A [Panda], Trojan Horse [Panda], Trojan.Win32.Delf.m [Kaspersky], Trojan.Win32.Madtol.a, Trojan.Win32.Madtol.a [Kaspersky], Win32.Afrootix [Computer Associates], Win32/Afrootix!Trojan [Computer Associates], Win32/Madtol.A trojan [Eset] |
Category: |
Misc Tool: Any tool that might be used in planning an attack on a system, developing tools for such an attack, or performing it.
Backdoor: A secret or undocumented means of getting into a computer system, or software that uses such a means to penetrate a system. Some software has a backdoor placed by the programmer to allow them to gain access to troubleshoot or change the program. Software that is classified as a "backdoor" is designed to exploit a vulnerability in a system, and open it to future access by an attacker.
Trojan: Any program with a hidden intent. Trojans are one of the leading causes of breaking into machines. If you pull down a program from a chat room, newsgroup, or even from unsolicited e-mail, then the program is likely trojaned with some subversive purpose. The word Trojan can be used as a verb: To trojan a program is to add subversive functionality to an existing program. For example, a trojaned login program might be programmed to accept a certain password for any user's account that the hacker can use to log back into the system at any time. Rootkits often contain a suite of such trojaned programs. |
Similar Pests: |
Misc Tool · Backdoor · Trojan |
Origins |
|
Author: |
Aphex |
Programming Language: |
Delphi |
Date of Origin: |
April, 2003 |
Operation |
|
Storage Required: |
|
ScreenShot: |
|

AFX Windows Rootkit 2003
Detection and Removal |
|
Automatic Removal: |
|
Manual Removal: |
Follow these steps to remove AFX Windows Rootkit 2003 from your machine. Begin by backing up your registry and your system, and/or setting a Restore Point, to prevent trouble if you make a mistake. |
| Stop Running Processes: Kill these running processes with Task Manager: | |
| Remove Files: Remove these files (if present) with Windows Explorer: | |
Research |
|
File Analyses: |
|
More Info: |
|
Research By: |
|
Last Revised: |
March 02, 2005 |