[Malware Review] Rootkit Advertises Games and Media Applications

Highly specialized rootkit driver transforms the users

Losing control of your system is frustrating, and it can get costly when an infected instance of Internet Explorer® exists only to quietly download, install and run adware-like applications such as games, video players, streaming and instant messaging utilities.

Adware is an industry in its own right and brings in piles of money, which is exactly why it has degenerated from considerate opt-out software offers into automated installers that won't even tell the user that the desired application will bring all its friends along to the shareware fiesta.

Jammed with all these unwanted applications, the system visibly slows down and its performance drops in no time. Worse, certain antivirus solutions and standard monitoring tools are deactivated, leaving the system almost completely unprotected.

True to its breed, Rootkit.Woor.A registers two temporary services under random names. The first is a legitimate driver that the malware abuses to terminate the processes of known antivirus products; the second is a driver of its own, meant to give the malware the privileges needed to overwrite explorer.exe on disk. This way it runs as Windows® Explorer® at start-up, launched by the system's userinit.exe process.

Running in place of explorer.exe, the malware first makes sure its infectious files and registry keys are in place, and then restores the legitimate explorer.exe from the dllcache directory and runs it as if nothing had happened, keeping up appearances while users remain in the dark about the "morbid" reality on their computer.

AutoRun.inf and SafeDrvse1.exe are discreetly hidden in the root of the disk drive. SafeDrvse1.exe can also be found in the Program Files\Common Files directory, rigged with the Hidden and System attributes so that a user who accidentally browses there will not see it. It starts along with Windows Explorer at boot time, as instructed through the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run registry key.

Additionally, Rootkit.Woor.A takes precautions to avoid being detected or removed from the system: it stops the execution of certain antivirus suites and system monitoring applications that are listed in a file. The malware requires that these programs be launched under the ntsd.exe -d debugger whenever they are executed. The -d option sends all debugger output to the kernel debugger; so, either because ntsd.exe does not exist on the local machine or because no kernel debugger is attached (the usual situation), the targeted executable never starts. This is possible because of a new Debugger value with the data "ntsd -d" under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\<the exe> for each of the applications mentioned above.
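As an added example (this is not BitDefender's code and not part of the original article), the following Python script checks for the two registry artefacts described above: Image File Execution Options entries whose Debugger value is "ntsd -d", which silently prevents the named program from starting, and entries under Policies\Explorer\Run, the key SafeDrvse1.exe uses for persistence. It parses a constructed `reg export` of those keys embedded in the script, so it runs offline. The target names av_scanner.exe and sysmonitor.exe are placeholders, since the article does not list the real targets, and the notepad.exe/editor.exe entry is a made-up stand-in for a legitimate use of the Debugger value.

```python
import re
from typing import Dict, List

# Registry keys named in the article (backslashes restored).
IFEO_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion"
            r"\Image File Execution Options")
POLICY_RUN_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion"
                  r"\Policies\Explorer\Run")

# Constructed sample of what `reg export` of those two keys could look like on an
# infected host. The SafeDrvse1.exe path comes from the article; av_scanner.exe and
# sysmonitor.exe are placeholder names (the real target list is not published), and
# the notepad.exe entry stands in for a legitimate use of the Debugger value.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\av_scanner.exe]
"Debugger"="ntsd -d"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sysmonitor.exe]
"Debugger"="\"C:\\WINDOWS\\system32\\ntsd.exe\" -d"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe]
"DisableHeapLookaside"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"Debugger"="\"C:\\Program Files\\Editor\\editor.exe\" -z"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
"SafeDrv"="C:\\Program Files\\Common Files\\SafeDrvse1.exe"
"""

_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')
_NTSD_NAMES = {"ntsd", "ntsd.exe"}


def _unescape(s: str) -> str:
    """Undo .reg string escaping: a backslash quotes the next character."""
    out, i = [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            out.append(s[i + 1])
            i += 2
        else:
            out.append(s[i])
            i += 1
    return "".join(out)


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal parser for `reg export` output: {key_path: {value_name: data}}.
    Quoted (REG_SZ) data is unescaped; other types are kept as raw text."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            name, data = m.group(1), m.group(2)
            if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
                data = _unescape(data[1:-1])
            keys[current][name] = data
    return keys


def _split_debugger(cmd: str):
    """Return (debugger image basename, remaining arguments) for a Debugger value."""
    m = re.match(r'\s*(?:"([^"]*)"|(\S+))\s*(.*)$', cmd)
    if not m:
        return "", ""
    image = m.group(1) if m.group(1) is not None else m.group(2)
    base = image.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    return base, m.group(3)


def is_ntsd_block(cmd: str) -> bool:
    """True when the Debugger value reproduces the article's trick: ntsd run with -d."""
    base, args = _split_debugger(cmd)
    return base in _NTSD_NAMES and re.search(r"(^|\s)-d(\s|$)", args) is not None


def scan(reg_text: str) -> Dict[str, object]:
    """Classify IFEO Debugger hijacks and list Policies\\Explorer\\Run autostarts."""
    keys = parse_reg_export(reg_text)
    blocked: List[str] = []   # launch silently redirected into ntsd -d
    review: List[str] = []    # some other debugger set; may be legitimate
    ifeo_prefix = IFEO_KEY.lower() + "\\"
    for key, values in keys.items():
        if not key.lower().startswith(ifeo_prefix):
            continue
        image = key[len(ifeo_prefix):]
        if "\\" in image:     # deeper subkeys (e.g. PerfOptions) carry no Debugger
            continue
        # Registry value names are case-insensitive, so match "Debugger" loosely.
        cmd = next((v for n, v in values.items() if n.lower() == "debugger"), None)
        if cmd is None:
            continue
        (blocked if is_ntsd_block(cmd) else review).append(image)
    policy_run: Dict[str, str] = {}
    for key, values in keys.items():
        if key.lower() == POLICY_RUN_KEY.lower():
            policy_run.update(values)
    return {"blocked": sorted(blocked), "review": sorted(review), "policy_run": policy_run}


if __name__ == "__main__":
    result = scan(SAMPLE_REG)
    for image in result["blocked"]:
        print(f"[BLOCKED] {image}: Debugger = ntsd -d, program will never start")
    for image in result["review"]:
        print(f"[REVIEW]  {image}: Debugger value present, verify it is legitimate")
    for name, cmd in result["policy_run"].items():
        print(f"[PERSIST] Policies\\Explorer\\Run\\{name} -> {cmd}")
```

On a live host the same parser can be fed the output of `reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" ifeo.reg` (the file is UTF-16, so open it with `encoding="utf-16"`). The separate "review" bucket matters: the Debugger value has legitimate uses, such as pointing notepad.exe at a replacement editor, so only the ntsd -d pattern is treated as a verdict and everything else as a lead to check by hand.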

The technical information in this article is available courtesy of BitDefender virus researchers Mihail Andronic and Balázs Biro.

Note: All product and company names mentioned herein are for identification purposes only and are the property of, and may be trademarks of, their respective owners.

About the author


A blend of teacher and technical journalist with a pinch of e-threat analysis, Loredana Botezatu writes mostly about malware and spam. She believes that most errors happen between the keyboard and the chair. Loredana has been writing about the IT world and e-security for well over five years and has made a personal goal out of educating computer users about the ins and outs of the cybercrime ecosystem.