Possible rootkit behavior [Vista x86]?

BehindEnemyLines

Senior member
Jul 24, 2000
I found a kernel module/driver loaded in memory using GMER, IceSword, and Rootkit Unhooker (latest versions). There is a particular file that I am unable to locate. It's "supposed" to be located in C:\Windows\System32\Drivers\a????????.SYS even though I had already selected to show all hidden and system files.

That particular module always changes its name with the following characteristics.

1. Always starts with a???????.sys
2. Always 8 characters in length
3. Always 421888 bytes in size

http://img294.imageshack.us/my...image=icesword1xo2.jpg
http://img294.imageshack.us/my...image=icesword2sm1.jpg
http://img459.imageshack.us/my...ootkitunhooker1ah5.jpg
http://img187.imageshack.us/my...ootkitunhooker2yv9.jpg

The last image was taken with my digi camera since a screenshot was too slow before BSOD. It's basically: avp3lewx.sys, 0x8ACCF000, 421888, [apv3lewx.sys] [SCSIPORT.SYS] [sptd.sys] [????] [ntkrnlpa.exe]

IceSword wasn't able to provide much details although it works fine. It has an option to browse the file structure, but I couldn't find those files when using it. Windows Explorer doesn't see it either.

Rootkit Unhooker keeps causing a BSOD with IRQL_NOT_LESS_OR_EQUAL. I only managed to get two screenshots with Rootkit Unhooker before the system restarts from the BSOD.

The only software I currently have is Daemon Tools (v4.10 x86 latest), NOD32 v2.70.39, SUPERAntiSpyware (latest), SpywareTerminator (v2.0.0.93 latest). I also have Supreme Commander installed (possible copy protection scheme here?).

Other than those programs, I don't see any other legit software or Windows core component that would need to change its filename upon every restart. What can it possibly be? Is it a driver from one of the programs above? That doesn't make a lot of sense, since I ran each program separately AND only after each restart.
 

mechBgon

Super Moderator, Elite Member
Oct 31, 1999
Do you have any reason to suspect malware (ran a new downloaded file or something)?

BTW GMER also has a filesystem browser, I used that the other day to harvest a rootkit that was BSODing normal attempts to snare the .sys file.
 

BehindEnemyLines

Senior member
Jul 24, 2000
I haven't been using this family desktop much since I am on the laptop much more these days. There's no reason for me to suspect malware since this computer hasn't been subjected to dangerous websites or software. I sometimes run these rootkit detectors to see if NOD32 missed anything and someone did something stupid.

From GMER using its builtin CMD filesystem browser:
copy c:\windows\system32\drivers\astampnu.sys c:\rootkitmaybe.bak

c:\windows\system32\drivers\astampnu.sys
The system cannot find the file specified.
0 file(s) copied.

RKU can also copy the file, BUT the computer BSODs in just a few seconds (sometimes much faster) whenever I launch RKU - too fast for me to locate the driver, right-click it, select Copy File, and then save it.

Is it possible the driver detects RKU and purposely causes the BSOD, or is it simply a matter of compatibility? Does the module need an external executable to change its name, or is that done "automatically" by the module itself?

Just curious what is responsible for this driver, how it got there, why is it running, and what the heck is it doing.
 

BehindEnemyLines

Senior member
Jul 24, 2000
I loaded Windows XP on VMware and tried to reinstall the exact software that is on the desktop. Because the Reference from within RKU refers to [SCSIPORT.SYS] [sptd.sys], I thought maybe install Daemon Tools v4.10 with SPTD v1.50 first (since sptd.sys was installed when Daemon was installed).

I first took note of all the drivers from RKU, and then I installed Daemon Tools. After restarting and completing the installation, the same file with the same three characteristics appears. It's Daemon Tools v4.10 or SPTD v1.50 that introduces the weird behavior of the file.

I don't know what it is or whether it has malicious purposes. If anyone wants the dump from RKU (can't copy file), then please let me know.

Results from VirusTotal.com

File Dumped421888.sys received on 09.18.2007 01:01:59 (CET)
.
.
Sunbelt 2.2.907.0 2007.09.15 VIPRE.Suspicious
Webwasher-Gateway 6.0.1 2007.09.17 Virus.Win32.FileInfector.gen (suspicious)

.
.
File size: 421888 bytes
MD5: 5f7aa938518d34233945c2493415ed08
SHA1: b70f2a9f29eb178e8723eb6ba79572e6c7532ea6
Sunbelt info: VIPRE.Suspicious is a generic detection for potential threats that are deemed suspicious through heuristics.
 
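Added example, not from the thread and not code from GMER, RKU or Daemon Tools: a PowerShell script that does in user mode what the posts above do by hand, namely enumerate the kernel modules currently loaded (via NtQuerySystemInformation with the SystemModuleInformation class, the documented RTL_PROCESS_MODULE_INFORMATION layout), resolve each module's NT image path to a Win32 path, flag any module whose file cannot be seen through the normal file system (as with the a???????.sys driver the OP could not copy), flag any that match the name pattern and 421888-byte size from the first post, and print a SHA1 that can be compared against the VirusTotal result. It also supports the before/after baseline comparison used in the VMware test. Assumptions: an elevated PowerShell 5.1 or later prompt (Get-FileHash); the regex, the size, the function names and the baseline file path are this example's own choices. Caveat a practitioner should keep in mind: this query goes through ntdll, so a rootkit that hooks NtQuerySystemInformation in user mode can hide from it, which is exactly why GMER and RKU ship their own kernel driver.

```powershell
# Added example (not from the thread): list loaded kernel modules, check whether
# each image file is visible on disk, and flag suspicious ones.
Add-Type -TypeDefinition @'
using System;
using System.Collections.Generic;
using System.Runtime.InteropServices;
using System.Text;
public static class KernelModules
{
    // Documented layout of RTL_PROCESS_MODULE_INFORMATION (SystemModuleInformation = 11).
    [StructLayout(LayoutKind.Sequential)]
    public struct ModuleInfo
    {
        public IntPtr Section; public IntPtr MappedBase; public IntPtr ImageBase;
        public uint   ImageSize; public uint Flags;
        public ushort LoadOrderIndex; public ushort InitOrderIndex;
        public ushort LoadCount;      public ushort OffsetToFileName;
        [MarshalAs(UnmanagedType.ByValArray, SizeConst = 256)] public byte[] FullPathName;
    }
    [DllImport("ntdll.dll")]
    static extern int NtQuerySystemInformation(int cls, IntPtr buf, int len, out int needed);
    const int SystemModuleInformation     = 11;
    const int STATUS_INFO_LENGTH_MISMATCH = unchecked((int)0xC0000004);
    // Returns (NT path, in-memory image size) for every loaded kernel module.
    public static List<KeyValuePair<string, uint>> Enumerate()
    {
        int needed;
        int status = NtQuerySystemInformation(SystemModuleInformation, IntPtr.Zero, 0, out needed);
        if (status != STATUS_INFO_LENGTH_MISMATCH)
            throw new Exception("NtQuerySystemInformation failed: 0x" + status.ToString("X8"));
        needed += 4096;                                   // slack in case a driver loads meanwhile
        IntPtr buf = Marshal.AllocHGlobal(needed);
        try
        {
            status = NtQuerySystemInformation(SystemModuleInformation, buf, needed, out needed);
            if (status != 0)
                throw new Exception("NtQuerySystemInformation failed: 0x" + status.ToString("X8"));
            int count     = Marshal.ReadInt32(buf);       // ULONG NumberOfModules
            int entrySize = Marshal.SizeOf(typeof(ModuleInfo));
            var list      = new List<KeyValuePair<string, uint>>(count);
            for (int i = 0; i < count; i++)
            {
                // The module array follows NumberOfModules, padded to pointer alignment.
                IntPtr p = new IntPtr(buf.ToInt64() + IntPtr.Size + (long)i * entrySize);
                var m    = (ModuleInfo)Marshal.PtrToStructure(p, typeof(ModuleInfo));
                int n    = Array.IndexOf(m.FullPathName, (byte)0);
                if (n < 0) n = m.FullPathName.Length;
                list.Add(new KeyValuePair<string, uint>(Encoding.ASCII.GetString(m.FullPathName, 0, n), m.ImageSize));
            }
            return list;
        }
        finally { Marshal.FreeHGlobal(buf); }
    }
}
'@

function Resolve-KernelImagePath {
    param([string]$NtPath)
    # Kernel paths come back as \SystemRoot\..., \??\C:\..., or \Windows\... (relative to the system drive).
    if ($NtPath -match '^\\SystemRoot\\(.+)$') { return Join-Path $env:SystemRoot $Matches[1] }
    if ($NtPath -match '^\\\?\?\\(.+)$')       { return $Matches[1] }
    if ($NtPath -match '^\\(.+)$')             { return Join-Path "$env:SystemDrive\" $Matches[1] }
    return Join-Path "$env:SystemRoot\System32\Drivers" $NtPath   # bare file name
}

function Find-HiddenDriver {
    param(
        [string]$NamePattern = '^a[a-z0-9]{7}\.sys$',   # the a???????.sys pattern from the thread
        [uint32]$ImageSize   = 421888                   # the size reported in the thread
    )
    foreach ($kv in [KernelModules]::Enumerate()) {
        $diskPath = Resolve-KernelImagePath $kv.Key
        $name     = [IO.Path]::GetFileName($diskPath)
        $onDisk   = Test-Path -LiteralPath $diskPath -PathType Leaf
        $sha1     = $null
        if ($onDisk) { try { $sha1 = (Get-FileHash -LiteralPath $diskPath -Algorithm SHA1).Hash } catch { } }
        [pscustomobject]@{
            Name       = $name
            ImageSize  = $kv.Value        # mapped size; may differ from the on-disk file size
            OnDisk     = $onDisk          # $false is the "file exists in memory but not on disk" case
            SHA1       = $sha1            # compare with the VirusTotal SHA1 of a dumped copy
            PatternHit = ($name -match $NamePattern) -or ($kv.Value -eq $ImageSize)
            NtPath     = $kv.Key
        }
    }
}

# Before/after snapshot, as in the VMware test: the first run writes the baseline,
# later runs list modules that appeared (=>) or disappeared (<=).
function Compare-DriverBaseline {
    param([string]$BaselinePath = "$env:TEMP\driver-baseline.txt")   # assumed location
    $now = @(Find-HiddenDriver | ForEach-Object Name | Sort-Object -Unique)
    if (-not (Test-Path -LiteralPath $BaselinePath)) {
        $now | Set-Content -LiteralPath $BaselinePath
        return "Baseline written to $BaselinePath"
    }
    Compare-Object (Get-Content -LiteralPath $BaselinePath) $now
}

Find-HiddenDriver | Where-Object { -not $_.OnDisk -or $_.PatternHit } | Format-Table -AutoSize
```

Run it once before installing Daemon Tools (writes the baseline), reboot after the install, and run Compare-DriverBaseline to see the newly loaded driver; an entry with OnDisk = False is one whose image the file system refuses to show you, which is the condition the GMER copy attempt above ran into.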

BehindEnemyLines

Senior member
Jul 24, 2000
979
0
76
Can anyone with Daemon Tools verify this? The latest version of 4.10 with SPTD v1.5 *will* have a non-visible driver with those characteristics (you can't find it). I had an older laptop with version 4.09 which had the same characteristics EXCEPT the file size is different. You will need GMER: http://www.gmer.net/index.php (it'll require admin rights and doesn't BSOD on Vista).
 

Schadenfroh

Elite Member
Mar 8, 2003
Rootkit revealer picks up the SPTD (SCSI Pass-Thru Driver) common to Alcohol 52 / 120% and Daemon tools on my system (I am using Alcohol 52%).
 

Nocturnal

Lifer
Jan 8, 2002
You either have Alcohol or Daemon Tools installed. If I use the Ewido AntiRootkit, it picks up something similar. If I delete it or unhook it, something else respawns. It's the two programs, guaranteed.
 

Nocturnal

Lifer
Jan 8, 2002
Originally posted by: BehindEnemyLines
I guess it's nothing to worry about; however; I do wonder what are the purposes for such behavior.

IIRC it's to beat the security of many games. When you mount an image of Quake 3 or whatever new game you have, in order for it to register as a disc, they need to hide something. I'm sure if you Google it the reason for this behavior is out there.