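Протокол антивирусной утилиты AVZ версии 4.32
Сканирование запущено в 14.02.2010 15:51:11
Загружена база: сигнатуры - 263455, нейропрофили - 2, микропрограммы лечения - 56, база от 12.02.2010 21:37
Загружены микропрограммы эвристики: 379
Загружены микропрограммы ИПУ: 9
Загружены цифровые подписи системных файлов: 170506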
  :   
 : 
Версия Windows: 5.1.2600, Service Pack 2 ; AVZ работает с правами администратора
 : 
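1. Поиск RootKit и программ, перехватывающих функции API
1.1 Поиск перехватчиков API, работающих в UserMode
 Анализ kernel32.dll, таблица экспорта найдена в секции .text
Функция kernel32.dll:GetProcAddress (409) перехвачена, метод ProcAddressHijack.GetProcAddress ->7C80ADC0->7C883FEC
Функция kernel32.dll:LoadLibraryA (579) перехвачена, метод ProcAddressHijack.GetProcAddress ->7C801D77->7C883F9C
Функция kernel32.dll:LoadLibraryExA (580) перехвачена, метод ProcAddressHijack.GetProcAddress ->7C801D4F->7C883FB0
Функция kernel32.dll:LoadLibraryExW (581) перехвачена, метод ProcAddressHijack.GetProcAddress ->7C801AF1->7C883FD8
Функция kernel32.dll:LoadLibraryW (582) перехвачена, метод ProcAddressHijack.GetProcAddress ->7C80AE6B->7C883FC4
Детектирована модификация IAT: LoadLibraryA - 7C883F9C<>7C801D77
Детектирована модификация IAT: GetProcAddress - 7C883FEC<>7C80ADC0
 Анализ ntdll.dll, таблица экспорта найдена в секции .text
 Анализ user32.dll, таблица экспорта найдена в секции .text
Функция user32.dll:RegisterRawInputDevices (546) перехвачена, метод ProcAddressHijack.GetProcAddress ->7E3BCD4C->7E400010
 Анализ advapi32.dll, таблица экспорта найдена в секции .text
 Анализ ws2_32.dll, таблица экспорта найдена в секции .text
 Анализ wininet.dll, таблица экспорта найдена в секции .text
 Анализ rasapi32.dll, таблица экспорта найдена в секции .text
 Анализ urlmon.dll, таблица экспорта найдена в секции .text
 Анализ netapi32.dll, таблица экспорта найдена в секции .text
1.2 Поиск перехватчиков API, работающих в KernelMode
 Драйвер успешно загружен
 SDT найдена (RVA=082880)
 Ядро ntoskrnl.exe обнаружено в памяти по адресу 804D7000
   SDT = 80559880
   KiST = 804E26A8 (284)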
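Функция NtClose (19) перехвачена (80566F49->F48CF370), перехватчик C:\WINDOWS\system32\drivers\klif.sys, драйвер опознан как безопасный
Функция NtConnectPort (1F) перехвачена (8058B738->F48CD420), перехватчик C:\WINDOWS\system32\drivers\klif.sys, драйвер опознан как безопасный
Функция NtCreateKey (29) перехвачена (8056E9A9->F48C07A0), перехватчик C:\WINDOWS\system32\drivers\klif.sys, драйвер опознан как безопасный
Функция NtCreateProcess (2F) перехвачена (805B0199->F48CF0A0), перехватчик C:\WINDOWS\system32\drivers\klif.sys, драйвер опознан как безопасный
Функция NtCreateProcessEx (30) перехвачена (80582016->F48CF210), перехватчик C:\WINDOWS\system32\drivers\klif.sys, драйвер опознан как безопасный
Функция NtCreateSection (32) перехвачена (8056481B->F48CFE70), перехватчик C:\WINDOWS\system32\drivers\klif.sys, драйвер опознан как безопасный
Функция NtCreateSymbolicLinkObject (34) перехвачена (805A034A->F48CF940), перехватчик C:\WINDOWS\system32\drivers\klif.sys, драйвер опознан как безопасный
Функция NtCreateThread (35) перехвачена (8057C37E->F48D07B0), перехватчик C:\WINDOWS\system32\drivers\klif.sys, драйвер опознан как безопасный
Функция NtDeleteKey (3F) перехвачена (80594D25->F48C08A0), перехватчик C:\WINDOWS\system32\drivers\klif.sys, драйвер опознан как безопасный
Функция NtDeleteValueKey (41) перехвачена (805936FB->F48C0920), перехватчик C:\WINDOWS\system32\drivers\klif.sys, драйвер опознан как безопасный
Функция NtDuplicateObject (44) перехвачена (80574006->F48CF510), перехватчик C:\WINDOWS\system32\drivers\klif.sys, драйвер опознан как безопасный
Функция NtEnumerateKey (47) перехвачена (8056F0B0->F48C09B0), перехватчик C:\WINDOWS\system32\drivers\klif.sys, драйвер опознан как безопасный
Функция NtEnumerateValueKey (49) перехвачена (8057EBEF->F48C0A60), перехватчик C:\WINDOWS\system32\drivers\klif.sys, драйвер опознан как безопасный
Функция NtFlushKey (4F) перехвачена (8059D370->F48C0B10), перехватчик C:\WINDOWS\system32\drivers\klif.sys, драйвер опознан как безопасный
Функция NtInitializeRegistry (5C) перехвачена (805A6DBB->F48C0B90), перехватчик C:\WINDOWS\system32\drivers\klif.sys, драйвер опознан как безопасный
Функция NtLoadDriver (61) перехвачена (805A3000->F48CCFD0), перехватчик C:\WINDOWS\system32\drivers\klif.sys, драйвер опознан как безопасный
Функция NtLoadKey (62) перехвачена (805ADB7C->F48C1590), перехватчик C:\WINDOWS\system32\drivers\klif.sys, драйвер опознан как безопасный
Функция NtLoadKey2 (63) перехвачена (805AD9CA->F48C0BB0), перехватчик C:\WINDOWS\system32\drivers\klif.sys, драйвер опознан как безопасный
Функция NtNotifyChangeKey (6F) перехвачена (8058FE26->F48C0C80), перехватчик C:\WINDOWS\system32\drivers\klif.sys, драйвер опознан как безопасный
Функция NtOpenFile (74) перехвачена (80571073->F7549020), перехватчик C:\WINDOWS\system32\Drivers\kl1.sys, драйвер опознан как безопасный
Функция NtOpenKey (77) перехвачена (80567EFB->F48C0D60), перехватчик C:\WINDOWS\system32\drivers\klif.sys, драйвер опознан как безопасный
Функция NtOpenProcess (7A) перехвачена (805741E6->F48CEE90), перехватчик C:\WINDOWS\system32\drivers\klif.sys, драйвер опознан как безопасный
Функция NtOpenSection (7D) перехвачена (805785EF->F48CFCA0), перехватчик C:\WINDOWS\system32\drivers\klif.sys, драйвер опознан как безопасный
Функция NtQueryKey (A0) перехвачена (8056EDB9->F48C0E30), перехватчик C:\WINDOWS\system32\drivers\klif.sys, драйвер опознан как безопасный
Функция NtQueryMultipleValueKey (A1) перехвачена (8064D0DC->F48C0EE0), перехватчик C:\WINDOWS\system32\drivers\klif.sys, драйвер опознан как безопасный
Функция NtQuerySystemInformation (AD) перехвачена (8057D666->F48D0460), перехватчик C:\WINDOWS\system32\drivers\klif.sys, драйвер опознан как безопасный
Функция NtQueryValueKey (B1) перехвачена (8056B303->F48C0F90), перехватчик C:\WINDOWS\system32\drivers\klif.sys, драйвер опознан как безопасный
Функция NtReplaceKey (C1) перехвачена (8064DA16->F48C1040), перехватчик C:\WINDOWS\system32\drivers\klif.sys, драйвер опознан как безопасный
Функция NtRequestWaitReplyPort (C8) перехвачена (805770DF->F48CDA00), перехватчик C:\WINDOWS\system32\drivers\klif.sys, драйвер опознан как безопасный
Функция NtRestoreKey (CC) перехвачена (8064C534->F48C10D0), перехватчик C:\WINDOWS\system32\drivers\klif.sys, драйвер опознан как безопасный
Функция NtResumeThread (CE) перехвачена (8057C9F1->F48D0760), перехватчик C:\WINDOWS\system32\drivers\klif.sys, драйвер опознан как безопасный
Функция NtSaveKey (CF) перехвачена (8064C5DB->F48C12D0), перехватчик C:\WINDOWS\system32\drivers\klif.sys, драйвер опознан как безопасный
Функция NtSetContextThread (D5) перехвачена (8062C8FF->F48D0AE0), перехватчик C:\WINDOWS\system32\drivers\klif.sys, драйвер опознан как безопасный
Функция NtSetInformationFile (E0) перехвачена (805792F1->F48D10A0), перехватчик C:\WINDOWS\system32\drivers\klif.sys, драйвер опознан как безопасный
Функция NtSetInformationKey (E2) перехвачена (8064CC3F->F48C1360), перехватчик C:\WINDOWS\system32\drivers\klif.sys, драйвер опознан как безопасный
Функция NtSetSecurityObject (ED) перехвачена (8059B11F->F48CBC20), перехватчик C:\WINDOWS\system32\drivers\klif.sys, драйвер опознан как безопасный
Функция NtSetSystemInformation (F0) перехвачена (805A6934->F48CFB20), перехватчик C:\WINDOWS\system32\drivers\klif.sys, драйвер опознан как безопасный
Функция NtSetValueKey (F7) перехвачена (8057516D->F48C1400), перехватчик C:\WINDOWS\system32\drivers\klif.sys, драйвер опознан как безопасный
Функция NtSuspendThread (FE) перехвачена (805DFC3D->F48D0710), перехватчик C:\WINDOWS\system32\drivers\klif.sys, драйвер опознан как безопасный
Функция NtSystemDebugControl (FF) перехвачена (80648893->F48CD2E0), перехватчик C:\WINDOWS\system32\drivers\klif.sys, драйвер опознан как безопасный
Функция NtTerminateProcess (101) перехвачена (80584781->F48D0300), перехватчик C:\WINDOWS\system32\drivers\klif.sys, драйвер опознан как безопасный
Функция NtUnloadKey (107) перехвачена (8064C80D->F48C1550), перехватчик C:\WINDOWS\system32\drivers\klif.sys, драйвер опознан как безопасный
Функция NtWriteVirtualMemory (115) перехвачена (8057F055->F48CF3D0), перехватчик C:\WINDOWS\system32\drivers\klif.sys, драйвер опознан как безопасный
Функция FsRtlCheckLockForReadAccess (80503289) - модификация машинного кода. Метод JmpTo. jmp F48D14C0 \??\C:\WINDOWS\system32\drivers\klif.sys, драйвер опознан как безопасный
Функция IoIsOperationSynchronous (804E875A) - модификация машинного кода. Метод JmpTo. jmp F48D19C0 \??\C:\WINDOWS\system32\drivers\klif.sys, драйвер опознан как безопасный
Проверено функций: 284, перехвачено: 43, восстановлено: 0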
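1.3 Проверка IDT и SYSENTER
 Анализ для процессора 1
 Проверка IDT и SYSENTER завершена
1.4 Поиск маскировки процессов и драйверов
 Поиск маскировки процессов и драйверов завершен
 Драйвер успешно загружен
1.5 Проверка обработчиков IRP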
\FileSystem\ntfs[IRP_MJ_CREATE] = 853721F8 -> перехватчик не определен
\FileSystem\ntfs[IRP_MJ_CLOSE] = 853721F8 -> перехватчик не определен
\FileSystem\ntfs[IRP_MJ_WRITE] = 853721F8 -> перехватчик не определен
\FileSystem\ntfs[IRP_MJ_QUERY_INFORMATION] = 853721F8 -> перехватчик не определен
\FileSystem\ntfs[IRP_MJ_SET_INFORMATION] = 853721F8 -> перехватчик не определен
\FileSystem\ntfs[IRP_MJ_QUERY_EA] = 853721F8 -> перехватчик не определен
\FileSystem\ntfs[IRP_MJ_SET_EA] = 853721F8 -> перехватчик не определен
\FileSystem\ntfs[IRP_MJ_QUERY_VOLUME_INFORMATION] = 853721F8 -> перехватчик не определен
\FileSystem\ntfs[IRP_MJ_SET_VOLUME_INFORMATION] = 853721F8 -> перехватчик не определен
\FileSystem\ntfs[IRP_MJ_DIRECTORY_CONTROL] = 853721F8 -> перехватчик не определен
\FileSystem\ntfs[IRP_MJ_FILE_SYSTEM_CONTROL] = 853721F8 -> перехватчик не определен
\FileSystem\ntfs[IRP_MJ_DEVICE_CONTROL] = 853721F8 -> перехватчик не определен
\FileSystem\ntfs[IRP_MJ_LOCK_CONTROL] = 853721F8 -> перехватчик не определен
\FileSystem\ntfs[IRP_MJ_QUERY_SECURITY] = 853721F8 -> перехватчик не определен
\FileSystem\ntfs[IRP_MJ_SET_SECURITY] = 853721F8 -> перехватчик не определен
\FileSystem\ntfs[IRP_MJ_PNP] = 853721F8 -> перехватчик не определен
\FileSystem\FastFat[IRP_MJ_CREATE] = 8445F500 -> перехватчик не определен
\FileSystem\FastFat[IRP_MJ_CLOSE] = 8445F500 -> перехватчик не определен
\FileSystem\FastFat[IRP_MJ_WRITE] = 8445F500 -> перехватчик не определен
\FileSystem\FastFat[IRP_MJ_QUERY_INFORMATION] = 8445F500 -> перехватчик не определен
\FileSystem\FastFat[IRP_MJ_SET_INFORMATION] = 8445F500 -> перехватчик не определен
\FileSystem\FastFat[IRP_MJ_QUERY_EA] = 8445F500 -> перехватчик не определен
\FileSystem\FastFat[IRP_MJ_SET_EA] = 8445F500 -> перехватчик не определен
\FileSystem\FastFat[IRP_MJ_QUERY_VOLUME_INFORMATION] = 8445F500 -> перехватчик не определен
\FileSystem\FastFat[IRP_MJ_SET_VOLUME_INFORMATION] = 8445F500 -> перехватчик не определен
\FileSystem\FastFat[IRP_MJ_DIRECTORY_CONTROL] = 8445F500 -> перехватчик не определен
\FileSystem\FastFat[IRP_MJ_FILE_SYSTEM_CONTROL] = 8445F500 -> перехватчик не определен
\FileSystem\FastFat[IRP_MJ_DEVICE_CONTROL] = 8445F500 -> перехватчик не определен
\FileSystem\FastFat[IRP_MJ_LOCK_CONTROL] = 8445F500 -> перехватчик не определен
\FileSystem\FastFat[IRP_MJ_PNP] = 8445F500 -> перехватчик не определен
 Проверка завершена
2. Проверка памяти
 Количество найденных процессов: 26
Анализатор - изучается процесс 1356 C:\WINDOWS\system32\ctfmon.exe
[ES]:    
[ES]:   
[ES]:Записан в автозапуск !!
Анализатор - изучается процесс 288 C:\Program Files\Bible Verse\verse.exe
[ES]:Записан в автозапуск !!
Анализатор - изучается процесс 2948 C:\WINDOWS\system32\taskmgr.exe
[ES]:   
[ES]:   
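[ES]:Загружает DLL RASAPI - возможно, может работать с дозвонкой ?
 Количество загруженных модулей: 400
Проверка памяти завершена
3. Сканирование дисков
Прямое чтение C:\WINDOWS\system32\drivers\sptd.sys
4. Проверка Winsock Layered Service Provider (SPI/LSP)
 Настройки LSP проверены. Ошибок не обнаружено
5. Поиск перехватчиков событий клавиатуры/мыши/окон (Keylogger, троянские DLL)
6. Поиск открытых портов TCP/UDP, используемых вредоносными программами
 Проверка отключена пользователем
7. Эвристическая проверка системы
Подозрение на скрытую загрузку библиотек через AppInit_DLLs: "C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll"
Проверка завершена
8. Поиск потенциальных уязвимостей
>> Службы: разрешена потенциально опасная служба TermService (Службы терминалов)
>> Службы: разрешена потенциально опасная служба SSDPSRV (Служба обнаружения SSDP)
>> Службы: разрешена потенциально опасная служба Schedule (Планировщик заданий)
>> Службы: разрешена потенциально опасная служба RDSessMgr (Диспетчер сеанса справки для удаленного рабочего стола)
> Службы: обратите внимание - набор применяемых на ПК служб зависит от области применения ПК (домашний, ПК в ЛВС компании ...)!
>> Безопасность: разрешен автозапуск программ с CDROM
>> Безопасность: разрешен административный доступ к локальным дискам (C$, D$ ...)
>> Безопасность: к ПК разрешен доступ анонимного пользователя
>> Безопасность: Разрешена отправка приглашений удаленному помощнику
Проверка завершена
9. Мастер поиска и устранения проблем
Проверка завершена
Просканировано файлов: 5667, извлечено из архивов: 509, найдено вредоносных программ 0, подозрений - 0
Сканирование завершено в 14.02.2010 15:53:47
Сканирование длилось 00:02:39
Если у Вас есть подозрение на наличие вирусов или вопросы по заподозренным объектам,
то Вы можете обратиться в конференцию - http://virusinfo.info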
  : 1.    RootKit UserMode  KernelMode
1.1 Поиск перехватчиков API, работающих в UserMode
 Анализ kernel32.dll, таблица экспорта найдена в секции .text
Функция kernel32.dll:GetProcAddress (409) перехвачена, метод ProcAddressHijack.GetProcAddress ->7C80ADC0->7C883FEC
 kernel32.dll:GetProcAddress (409) 
Функция kernel32.dll:LoadLibraryA (579) перехвачена, метод ProcAddressHijack.GetProcAddress ->7C801D77->7C883F9C
 kernel32.dll:LoadLibraryA (579) 
 >>>  LoadLibraryA -   AVZ      !!)
Функция kernel32.dll:LoadLibraryExA (580) перехвачена, метод ProcAddressHijack.GetProcAddress ->7C801D4F->7C883FB0
 kernel32.dll:LoadLibraryExA (580) 
 >>>  LoadLibraryExA -   AVZ     !!)
Функция kernel32.dll:LoadLibraryExW (581) перехвачена, метод ProcAddressHijack.GetProcAddress ->7C801AF1->7C883FD8
 kernel32.dll:LoadLibraryExW (581) 
Функция kernel32.dll:LoadLibraryW (582) перехвачена, метод ProcAddressHijack.GetProcAddress ->7C80AE6B->7C883FC4
 kernel32.dll:LoadLibraryW (582) 
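Детектирована модификация IAT: LoadLibraryA - 7C883F9C<>7C801D77
Адрес в IAT восстановлен: LoadLibraryA
Детектирована модификация IAT: GetProcAddress - 7C883FEC<>7C80ADC0
Адрес в IAT восстановлен: GetProcAddress
 Анализ ntdll.dll, таблица экспорта найдена в секции .text
 Анализ user32.dll, таблица экспорта найдена в секции .text
Функция user32.dll:RegisterRawInputDevices (546) перехвачена, метод ProcAddressHijack.GetProcAddress ->7E3BCD4C->7E400010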
 user32.dll:RegisterRawInputDevices (546) 
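 Анализ advapi32.dll, таблица экспорта найдена в секции .text
 Анализ ws2_32.dll, таблица экспорта найдена в секции .text
 Анализ wininet.dll, таблица экспорта найдена в секции .text
 Анализ rasapi32.dll, таблица экспорта найдена в секции .text
 Анализ urlmon.dll, таблица экспорта найдена в секции .text
 Анализ netapi32.dll, таблица экспорта найдена в секции .text
1.2 Поиск перехватчиков API, работающих в KernelMode
 Драйвер успешно загружен
 SDT найдена (RVA=082880)
 Ядро ntoskrnl.exe обнаружено в памяти по адресу 804D7000
   SDT = 80559880
   KiST = 804E26A8 (284)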
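Функция NtClose (19) перехвачена (80566F49->F48CF370), перехватчик C:\WINDOWS\system32\drivers\klif.sys, драйвер опознан как безопасный
>>> Функция восстановлена успешно !
>>> Код перехватчика нейтрализован
Функция NtConnectPort (1F) перехвачена (8058B738->F48CD420), перехватчик C:\WINDOWS\system32\drivers\klif.sys, драйвер опознан как безопасный
>>> Функция восстановлена успешно !
>>> Код перехватчика нейтрализован
Функция NtCreateKey (29) перехвачена (8056E9A9->F48C07A0), перехватчик C:\WINDOWS\system32\drivers\klif.sys, драйвер опознан как безопасный
>>> Функция восстановлена успешно !
>>> Код перехватчика нейтрализован
Функция NtCreateProcess (2F) перехвачена (805B0199->F48CF0A0), перехватчик C:\WINDOWS\system32\drivers\klif.sys, драйвер опознан как безопасный
>>> Функция восстановлена успешно !
>>> Код перехватчика нейтрализован
Функция NtCreateProcessEx (30) перехвачена (80582016->F48CF210), перехватчик C:\WINDOWS\system32\drivers\klif.sys, драйвер опознан как безопасный
>>> Функция восстановлена успешно !
>>> Код перехватчика нейтрализован
Функция NtCreateSection (32) перехвачена (8056481B->F48CFE70), перехватчик C:\WINDOWS\system32\drivers\klif.sys, драйвер опознан как безопасный
>>> Функция восстановлена успешно !
>>> Код перехватчика нейтрализован
Функция NtCreateSymbolicLinkObject (34) перехвачена (805A034A->F48CF940), перехватчик C:\WINDOWS\system32\drivers\klif.sys, драйвер опознан как безопасный
>>> Функция восстановлена успешно !
>>> Код перехватчика нейтрализован
Функция NtCreateThread (35) перехвачена (8057C37E->F48D07B0), перехватчик C:\WINDOWS\system32\drivers\klif.sys, драйвер опознан как безопасный
>>> Функция восстановлена успешно !
>>> Код перехватчика нейтрализован
Функция NtDeleteKey (3F) перехвачена (80594D25->F48C08A0), перехватчик C:\WINDOWS\system32\drivers\klif.sys, драйвер опознан как безопасный
>>> Функция восстановлена успешно !
>>> Код перехватчика нейтрализован
Функция NtDeleteValueKey (41) перехвачена (805936FB->F48C0920), перехватчик C:\WINDOWS\system32\drivers\klif.sys, драйвер опознан как безопасный
>>> Функция восстановлена успешно !
>>> Код перехватчика нейтрализован
Функция NtDuplicateObject (44) перехвачена (80574006->F48CF510), перехватчик C:\WINDOWS\system32\drivers\klif.sys, драйвер опознан как безопасный
>>> Функция восстановлена успешно !
>>> Код перехватчика нейтрализован
Функция NtEnumerateKey (47) перехвачена (8056F0B0->F48C09B0), перехватчик C:\WINDOWS\system32\drivers\klif.sys, драйвер опознан как безопасный
>>> Функция восстановлена успешно !
>>> Код перехватчика нейтрализован
Функция NtEnumerateValueKey (49) перехвачена (8057EBEF->F48C0A60), перехватчик C:\WINDOWS\system32\drivers\klif.sys, драйвер опознан как безопасный
>>> Функция восстановлена успешно !
>>> Код перехватчика нейтрализован
Функция NtFlushKey (4F) перехвачена (8059D370->F48C0B10), перехватчик C:\WINDOWS\system32\drivers\klif.sys, драйвер опознан как безопасный
>>> Функция восстановлена успешно !
>>> Код перехватчика нейтрализован
Функция NtInitializeRegistry (5C) перехвачена (805A6DBB->F48C0B90), перехватчик C:\WINDOWS\system32\drivers\klif.sys, драйвер опознан как безопасный
>>> Функция восстановлена успешно !
>>> Код перехватчика нейтрализован
Функция NtLoadDriver (61) перехвачена (805A3000->F48CCFD0), перехватчик C:\WINDOWS\system32\drivers\klif.sys, драйвер опознан как безопасный
>>> Функция восстановлена успешно !
>>> Код перехватчика нейтрализован
Функция NtLoadKey (62) перехвачена (805ADB7C->F48C1590), перехватчик C:\WINDOWS\system32\drivers\klif.sys, драйвер опознан как безопасный
>>> Функция восстановлена успешно !
>>> Код перехватчика нейтрализован
Функция NtLoadKey2 (63) перехвачена (805AD9CA->F48C0BB0), перехватчик C:\WINDOWS\system32\drivers\klif.sys, драйвер опознан как безопасный
>>> Функция восстановлена успешно !
>>> Код перехватчика нейтрализован
Функция NtNotifyChangeKey (6F) перехвачена (8058FE26->F48C0C80), перехватчик C:\WINDOWS\system32\drivers\klif.sys, драйвер опознан как безопасный
>>> Функция восстановлена успешно !
>>> Код перехватчика нейтрализован
Функция NtOpenFile (74) перехвачена (80571073->F7549020), перехватчик C:\WINDOWS\system32\Drivers\kl1.sys, драйвер опознан как безопасный
>>> Функция восстановлена успешно !
>>> Код перехватчика нейтрализован
Функция NtOpenKey (77) перехвачена (80567EFB->F48C0D60), перехватчик C:\WINDOWS\system32\drivers\klif.sys, драйвер опознан как безопасный
>>> Функция восстановлена успешно !
>>> Код перехватчика нейтрализован
Функция NtOpenProcess (7A) перехвачена (805741E6->F48CEE90), перехватчик C:\WINDOWS\system32\drivers\klif.sys, драйвер опознан как безопасный
>>> Функция восстановлена успешно !
>>> Код перехватчика нейтрализован
Функция NtOpenSection (7D) перехвачена (805785EF->F48CFCA0), перехватчик C:\WINDOWS\system32\drivers\klif.sys, драйвер опознан как безопасный
>>> Функция восстановлена успешно !
>>> Код перехватчика нейтрализован
Функция NtQueryKey (A0) перехвачена (8056EDB9->F48C0E30), перехватчик C:\WINDOWS\system32\drivers\klif.sys, драйвер опознан как безопасный
>>> Функция восстановлена успешно !
>>> Код перехватчика нейтрализован
Функция NtQueryMultipleValueKey (A1) перехвачена (8064D0DC->F48C0EE0), перехватчик C:\WINDOWS\system32\drivers\klif.sys, драйвер опознан как безопасный
>>> Функция восстановлена успешно !
>>> Код перехватчика нейтрализован
Функция NtQuerySystemInformation (AD) перехвачена (8057D666->F48D0460), перехватчик C:\WINDOWS\system32\drivers\klif.sys, драйвер опознан как безопасный
>>> Функция восстановлена успешно !
>>> Код перехватчика нейтрализован
Функция NtQueryValueKey (B1) перехвачена (8056B303->F48C0F90), перехватчик C:\WINDOWS\system32\drivers\klif.sys, драйвер опознан как безопасный
>>> Функция восстановлена успешно !
>>> Код перехватчика нейтрализован
Функция NtReplaceKey (C1) перехвачена (8064DA16->F48C1040), перехватчик C:\WINDOWS\system32\drivers\klif.sys, драйвер опознан как безопасный
>>> Функция восстановлена успешно !
>>> Код перехватчика нейтрализован
Функция NtRequestWaitReplyPort (C8) перехвачена (805770DF->F48CDA00), перехватчик C:\WINDOWS\system32\drivers\klif.sys, драйвер опознан как безопасный
>>> Функция восстановлена успешно !
>>> Код перехватчика нейтрализован
Функция NtRestoreKey (CC) перехвачена (8064C534->F48C10D0), перехватчик C:\WINDOWS\system32\drivers\klif.sys, драйвер опознан как безопасный
>>> Функция восстановлена успешно !
>>> Код перехватчика нейтрализован
Функция NtResumeThread (CE) перехвачена (8057C9F1->F48D0760), перехватчик C:\WINDOWS\system32\drivers\klif.sys, драйвер опознан как безопасный
>>> Функция восстановлена успешно !
>>> Код перехватчика нейтрализован
Функция NtSaveKey (CF) перехвачена (8064C5DB->F48C12D0), перехватчик C:\WINDOWS\system32\drivers\klif.sys, драйвер опознан как безопасный
>>> Функция восстановлена успешно !
>>> Код перехватчика нейтрализован
Функция NtSetContextThread (D5) перехвачена (8062C8FF->F48D0AE0), перехватчик C:\WINDOWS\system32\drivers\klif.sys, драйвер опознан как безопасный
>>> Функция восстановлена успешно !
>>> Код перехватчика нейтрализован
Функция NtSetInformationFile (E0) перехвачена (805792F1->F48D10A0), перехватчик C:\WINDOWS\system32\drivers\klif.sys, драйвер опознан как безопасный
>>> Функция восстановлена успешно !
>>> Код перехватчика нейтрализован
Функция NtSetInformationKey (E2) перехвачена (8064CC3F->F48C1360), перехватчик C:\WINDOWS\system32\drivers\klif.sys, драйвер опознан как безопасный
>>> Функция восстановлена успешно !
>>> Код перехватчика нейтрализован
Функция NtSetSecurityObject (ED) перехвачена (8059B11F->F48CBC20), перехватчик C:\WINDOWS\system32\drivers\klif.sys, драйвер опознан как безопасный
>>> Функция восстановлена успешно !
>>> Код перехватчика нейтрализован
Функция NtSetSystemInformation (F0) перехвачена (805A6934->F48CFB20), перехватчик C:\WINDOWS\system32\drivers\klif.sys, драйвер опознан как безопасный
>>> Функция восстановлена успешно !
>>> Код перехватчика нейтрализован
Функция NtSetValueKey (F7) перехвачена (8057516D->F48C1400), перехватчик C:\WINDOWS\system32\drivers\klif.sys, драйвер опознан как безопасный
>>> Функция восстановлена успешно !
>>> Код перехватчика нейтрализован
Функция NtSuspendThread (FE) перехвачена (805DFC3D->F48D0710), перехватчик C:\WINDOWS\system32\drivers\klif.sys, драйвер опознан как безопасный
>>> Функция восстановлена успешно !
>>> Код перехватчика нейтрализован
Функция NtSystemDebugControl (FF) перехвачена (80648893->F48CD2E0), перехватчик C:\WINDOWS\system32\drivers\klif.sys, драйвер опознан как безопасный
>>> Функция восстановлена успешно !
>>> Код перехватчика нейтрализован
Функция NtTerminateProcess (101) перехвачена (80584781->F48D0300), перехватчик C:\WINDOWS\system32\drivers\klif.sys, драйвер опознан как безопасный
>>> Функция восстановлена успешно !
>>> Код перехватчика нейтрализован
Функция NtUnloadKey (107) перехвачена (8064C80D->F48C1550), перехватчик C:\WINDOWS\system32\drivers\klif.sys, драйвер опознан как безопасный
>>> Функция восстановлена успешно !
>>> Код перехватчика нейтрализован
Функция NtWriteVirtualMemory (115) перехвачена (8057F055->F48CF3D0), перехватчик C:\WINDOWS\system32\drivers\klif.sys, драйвер опознан как безопасный
>>> Функция восстановлена успешно !
>>> Код перехватчика нейтрализован
Функция FsRtlCheckLockForReadAccess (80503289) - модификация машинного кода. Метод JmpTo. jmp F48D14C0 \??\C:\WINDOWS\system32\drivers\klif.sys, драйвер опознан как безопасный
>>> Функция восстановлена успешно !
Функция IoIsOperationSynchronous (804E875A) - модификация машинного кода. Метод JmpTo. jmp F48D19C0 \??\C:\WINDOWS\system32\drivers\klif.sys, драйвер опознан как безопасный
>>> Функция восстановлена успешно !
Проверено функций: 284, перехвачено: 43, восстановлено: 45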
1.3 Проверка IDT и SYSENTER
 Анализ для процессора 1
CmpCallCallBacks = 0013976F
Disable callback OK
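 Проверка IDT и SYSENTER завершена
1.4 Поиск маскировки процессов и драйверов
 Поиск маскировки процессов и драйверов завершен
 Драйвер успешно загружен
1.5 Проверка обработчиков IRP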
\FileSystem\ntfs[IRP_MJ_CREATE] = 853721F8 -> перехватчик не определен
\FileSystem\ntfs[IRP_MJ_CLOSE] = 853721F8 -> перехватчик не определен
\FileSystem\ntfs[IRP_MJ_WRITE] = 853721F8 -> перехватчик не определен
\FileSystem\ntfs[IRP_MJ_QUERY_INFORMATION] = 853721F8 -> перехватчик не определен
\FileSystem\ntfs[IRP_MJ_SET_INFORMATION] = 853721F8 -> перехватчик не определен
\FileSystem\ntfs[IRP_MJ_QUERY_EA] = 853721F8 -> перехватчик не определен
\FileSystem\ntfs[IRP_MJ_SET_EA] = 853721F8 -> перехватчик не определен
\FileSystem\ntfs[IRP_MJ_QUERY_VOLUME_INFORMATION] = 853721F8 -> перехватчик не определен
\FileSystem\ntfs[IRP_MJ_SET_VOLUME_INFORMATION] = 853721F8 -> перехватчик не определен
\FileSystem\ntfs[IRP_MJ_DIRECTORY_CONTROL] = 853721F8 -> перехватчик не определен
\FileSystem\ntfs[IRP_MJ_FILE_SYSTEM_CONTROL] = 853721F8 -> перехватчик не определен
\FileSystem\ntfs[IRP_MJ_DEVICE_CONTROL] = 853721F8 -> перехватчик не определен
\FileSystem\ntfs[IRP_MJ_LOCK_CONTROL] = 853721F8 -> перехватчик не определен
\FileSystem\ntfs[IRP_MJ_QUERY_SECURITY] = 853721F8 -> перехватчик не определен
\FileSystem\ntfs[IRP_MJ_SET_SECURITY] = 853721F8 -> перехватчик не определен
\FileSystem\ntfs[IRP_MJ_PNP] = 853721F8 -> перехватчик не определен
\FileSystem\FastFat[IRP_MJ_CREATE] = 8445F500 -> перехватчик не определен
\FileSystem\FastFat[IRP_MJ_CLOSE] = 8445F500 -> перехватчик не определен
\FileSystem\FastFat[IRP_MJ_WRITE] = 8445F500 -> перехватчик не определен
\FileSystem\FastFat[IRP_MJ_QUERY_INFORMATION] = 8445F500 -> перехватчик не определен
\FileSystem\FastFat[IRP_MJ_SET_INFORMATION] = 8445F500 -> перехватчик не определен
\FileSystem\FastFat[IRP_MJ_QUERY_EA] = 8445F500 -> перехватчик не определен
\FileSystem\FastFat[IRP_MJ_SET_EA] = 8445F500 -> перехватчик не определен
\FileSystem\FastFat[IRP_MJ_QUERY_VOLUME_INFORMATION] = 8445F500 -> перехватчик не определен
\FileSystem\FastFat[IRP_MJ_SET_VOLUME_INFORMATION] = 8445F500 -> перехватчик не определен
\FileSystem\FastFat[IRP_MJ_DIRECTORY_CONTROL] = 8445F500 -> перехватчик не определен
\FileSystem\FastFat[IRP_MJ_FILE_SYSTEM_CONTROL] = 8445F500 -> перехватчик не определен
\FileSystem\FastFat[IRP_MJ_DEVICE_CONTROL] = 8445F500 -> перехватчик не определен
\FileSystem\FastFat[IRP_MJ_LOCK_CONTROL] = 8445F500 -> перехватчик не определен
\FileSystem\FastFat[IRP_MJ_PNP] = 8445F500 -> перехватчик не определен
 Проверка завершена
