NTRootKit

Type
Trojan
SubType
Tool
Discovery Date
10/10/2001
Length
Varies
Minimum DAT
4166 (10/17/2001)
Updated DAT
4166 (10/17/2001)
Minimum Engine
5.1.00
Description Added
12/11/2002
Description Modified
07/23/2003 10:53 AM (PT)
Risk Assessment
Corporate User
Low
Home User
Low

Characteristics

The NTRootKit is a hacker tool, used after an attacker has gained admin access to a Windows NT/2K system. Once the NTRootKit has been installed, an attacker can perform various functions, including:

  • Hide processes, files, registry keys
  • View typed keystrokes
  • Crash Windows (BSOD)
  • Redirect executable files

Symptoms

Presence of the files _root_.sys and deploy.exe

Method of Infection

This is an attack tool used by a hacker. Once installed, the attacker can potentially upload other tools, trojans, etc., and conceal them with the aid of this rootkit.

Removal

All Users:
From a command prompt, stop the _root_ service by typing "net stop _root_". Use the specified engine and DAT files for detection and removal.

Additional Windows ME/XP removal considerations
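The following triage script is an added example, not part of the McAfee entry: it checks a host for the indicators the entry names (the _root_ service, its driver registry key, and the files _root_.sys and deploy.exe) and, only when asked, performs the documented stop of the _root_ service. The -Remediate and -SearchRoots parameters are this script's own assumptions, and a clean result does not prove absence, since a kernel rootkit can hide its own objects from user-mode queries.

```powershell
# Added example (not from the McAfee entry): triage check for the NTRootKit
# indicators named above. Run in an elevated PowerShell session on the suspect host.
# -Remediate is an assumption of this script; it only does the documented
# equivalent of "net stop _root_".
[CmdletBinding()]
param(
    [switch]$Remediate,
    [string[]]$SearchRoots = @($env:SystemRoot, "$env:SystemDrive\")
)

$indicatorFiles = @('_root_.sys', 'deploy.exe')   # file names from the entry
$serviceName    = '_root_'                         # service name from the entry
$findings       = @()

# 1. Service check. Get-Service lists Win32 services only, and a kernel rootkit
#    can hide its objects, so "not found" here is not proof of absence.
$svc = Get-Service -Name $serviceName -ErrorAction SilentlyContinue
if ($svc) {
    $findings += [pscustomobject]@{ Type='Service'; Name=$svc.Name; Detail=$svc.Status }
    if ($Remediate -and $svc.Status -ne 'Stopped') {
        Stop-Service -Name $serviceName -Force -ErrorAction Continue
        Write-Verbose "Stop requested for service $serviceName"
    }
}

# 2. Driver registry entry. Kernel drivers are registered under the same
#    Services key but are not returned by Get-Service.
$regPath = "HKLM:\SYSTEM\CurrentControlSet\Services\$serviceName"
if (Test-Path $regPath) {
    $img = (Get-ItemProperty -Path $regPath -ErrorAction SilentlyContinue).ImagePath
    $findings += [pscustomobject]@{ Type='RegistryKey'; Name=$regPath; Detail=$img }
}

# 3. File check across the search roots (hidden/system files included via -Force).
foreach ($root in $SearchRoots) {
    Get-ChildItem -Path $root -Recurse -Force -Include $indicatorFiles -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $findings += [pscustomobject]@{ Type='File'; Name=$_.FullName; Detail=$_.LastWriteTime }
        }
}

if ($findings.Count -eq 0) {
    Write-Output "No NTRootKit indicators found; hidden objects may remain, so scan with the current engine and DAT."
} else {
    $findings | Format-Table -AutoSize
}
```

Treat any hit as a reason to run the specified engine and DAT files rather than as a complete cleanup.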

Variants

Variants

    N/A

All Information

Overview

This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.

Aliases

  • Hacktool.WNT.Rootkit (Symantec)
  • NTRootKit-A
  • TROJ_ROOTKIT (Trend)
  • WinNT.RootKit (CA)
