I hope that I am posting in the right part of CastleCops forum ...
You see, I found this info in a recent thread on the Sysinternals forums titled "Italian Nightmares www .google. com = BAD" (I needed to add spaces for proper link formatting); in it, there is a link to a PDF file, gromozon.pdf, that contains all the details about it and is written by Marco Giuliani, member of the Malware Research group ...
The infection itself apparently starts from certain websites that contain in their code a link to a JavaScript hosted on another server. It uses a complex "dynamically loaded" PHP script that depends on the browser's user agent (i.e. depending on the browser, each user will receive a different type of infection), and now comes the nasty part. Immediately after that, the malware creates a new fake user account with a random name and a random password. It then performs a check of the software installed on the PC (i.e. it checks for antivirus software), and now there are two options for the further mess it makes (please prepare, this is also nasty):
1. It creates a new file with a random name and size (I guess with the purpose of "hosting" the rootkit code) under "C:\Program Files\Common Files\system" (or sometimes under the "Microsoft Shared" directory instead of "system"), which is encrypted using the Windows Encrypting File System (EFS) feature so that only the fake account has rights to it, preventing any other user from moving, reading, or deleting it.
2. It copies the rootkit code into an Alternate Data Stream (ADS) of a file or directory, which is then used by the "rootkit software" to write into and is hidden from most file managers and some antivirus programs.
Now after the rootkit is fully loaded, it hides the AppInit_DLLs key and hides the LinkOptimizer. And now again a nasty part. After this is done, the rootkit removes the SeDebugPrivilege privilege from all Windows user accounts, which will in turn prevent some anti-rootkit programs from running (for example, the F-Secure BlackLight Beta), and then the rootkit component is launched with the fake user account's rights so that removing the ADS streams is even harder than removing the reserved-name version.
Currently it appears that there is no automatic solution yet for cleaning this infection (and since the rootkit itself is hidden in an ADS, there is no complete working cleaning procedure), and users can only use several programs together, which can be difficult for many users. The most important thing is to deactivate the rootkit; removing all of the files is just a bonus.
P.S. -- Oh and yes, it looks like the rootkit component is detected by Kaspersky as: Trojan.Win32.RKDice.a, but not every variant is detected because there are a lot of different variants. The newest versions of the rootkit appear to implement a checksum scanner to prevent the execution of anti-rootkit software like GMER, The Avenger and IceSword.
satyr
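A triage script for the indicators satyr's post describes, added here as an example; it is not from the post, from CastleCops, or from the gromozon.pdf paper, and it is not a cleaner. It assumes Windows PowerShell 3.0 or later (Get-Item -Stream needs 3.0), an elevated prompt (secedit and Get-Acl need it), and the directory names given in the post; $ScanRoot and all function names are hypothetical and chosen for this example.

```powershell
# Added example: looks for the indicators the post above describes. Not taken
# from the post or from gromozon.pdf. Assumes Windows PowerShell 3.0+ run from an
# elevated prompt. $ScanRoot is a hypothetical parameter; widening it to
# $env:SystemDrive makes the ADS pass far slower.
param(
    [string]$ScanRoot = $env:CommonProgramFiles   # C:\Program Files\Common Files
)

# 1. EFS-encrypted files in the "system" and "Microsoft Shared" subdirectories.
#    The Encrypted attribute and the NTFS owner stay visible even when the file
#    itself cannot be opened by the administrator.
function Get-SuspiciousEfsFiles {
    foreach ($sub in 'system', 'Microsoft Shared') {
        $dir = Join-Path $ScanRoot $sub
        if (-not (Test-Path -LiteralPath $dir)) { continue }
        Get-ChildItem -LiteralPath $dir -Recurse -File -Force -ErrorAction SilentlyContinue |
            Where-Object { $_.Attributes.HasFlag([IO.FileAttributes]::Encrypted) } |
            ForEach-Object {
                [PSCustomObject]@{
                    Path  = $_.FullName
                    Size  = $_.Length
                    Owner = (Get-Acl -LiteralPath $_.FullName -ErrorAction SilentlyContinue).Owner
                }
            }
    }
}

# 2. Alternate data streams on files and directories under $ScanRoot.
#    ':$DATA' is the normal unnamed stream and 'Zone.Identifier' is the benign
#    mark-of-the-web on downloaded files, so both are filtered out as noise.
function Get-AlternateStreams {
    Get-ChildItem -LiteralPath $ScanRoot -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            Get-Item -LiteralPath $_.FullName -Stream * -ErrorAction SilentlyContinue
        } |
        Where-Object { $_.Stream -ne ':$DATA' -and $_.Stream -ne 'Zone.Identifier' } |
        Select-Object FileName, Stream, Length
}

# 3. AppInit_DLLs. The post says the rootkit hides this value from the running
#    system, so an empty result here proves nothing; compare it with a read of
#    the SOFTWARE hive taken from offline boot media.
function Get-AppInitDlls {
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
    Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue |
        Select-Object AppInit_DLLs, LoadAppInit_DLLs
}

# 4. SeDebugPrivilege, first as seen in the current (elevated) token, then from
#    the local security policy. An administrator token without it, or a policy
#    export with no SeDebugPrivilege line at all, matches what the post describes.
function Test-SeDebugPrivilege {
    $inToken = [bool](whoami /priv | Select-String -SimpleMatch 'SeDebugPrivilege')
    $cfg = Join-Path $env:TEMP 'user_rights.inf'
    secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    # secedit writes the export as UTF-16, so read it with that encoding.
    $policyLine = Get-Content -LiteralPath $cfg -Encoding Unicode -ErrorAction SilentlyContinue |
        Select-String -SimpleMatch 'SeDebugPrivilege' |
        ForEach-Object { $_.Line }
    Remove-Item -LiteralPath $cfg -ErrorAction SilentlyContinue
    [PSCustomObject]@{
        PresentInCurrentToken = $inToken
        PolicyAssignment      = $(if ($policyLine) { $policyLine } else { '(no SeDebugPrivilege line: nobody holds it)' })
    }
}

# 5. Local accounts, so a random-named user the post describes stands out
#    against the accounts you expect on the machine.
function Get-LocalAccounts {
    Get-CimInstance -ClassName Win32_UserAccount -Filter 'LocalAccount = TRUE' |
        Select-Object Name, SID, Disabled
}

'== EFS-encrypted files under Common Files ==';   Get-SuspiciousEfsFiles | Format-Table -AutoSize
'== Alternate data streams under Common Files =='; Get-AlternateStreams   | Format-Table -AutoSize
'== AppInit_DLLs (may be hidden by the rootkit) =='; Get-AppInitDlls      | Format-List
'== SeDebugPrivilege ==';                          Test-SeDebugPrivilege  | Format-List
'== Local accounts ==';                            Get-LocalAccounts      | Format-Table -AutoSize
```

Run it from an elevated PowerShell prompt. Because the rootkit the post describes hides registry keys and streams from the live system, a clean result from a running box is not conclusive; the EFS file and ADS checks are worth repeating against the disk from offline boot media, and `cipher /c <path>` on a flagged file lists which accounts can decrypt it, which is where the fake account should show up.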