Author Topic: Win32:Rootkit-gen [Rtk] found on AutoRun.exe of my 3G mobile broadband modem!  (Read 8653 times)


gjnllh

  • Guest
I turned on my computer today, and avast detected a malware called
Win32:Rootkit-gen [Rtk] in a file named G:\AutoRun.exe
I automatically pressed delete, but the action failed; even the "move to chest" option failed as well.

So I went and looked for this G:\AutoRun.exe file
and found that it is actually the autorun file of my 3G mobile broadband modem (Huawei).

I've had this modem for about a year already, and this is the first time I've been told that there's malware inside.

Is it a false alarm, or what should I do then?

thx for your help!

Jtaylor83

  • Guest
Upload the file to VirusTotal and post the results.
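Before uploading, two facts help with triage: the file's SHA-256 (VirusTotal can be searched by hash without sending the file) and whether the executable carries an Authenticode certificate table, a first clue to whether it is a vendor-signed binary. The script below is an added example, not code from this thread; the PE header it builds for demonstration is constructed and not a real executable, and a non-empty certificate directory only means a signature is attached, not that it verifies.

```python
import hashlib
import struct

# Offsets and sizes from the PE/COFF specification.
E_LFANEW_OFFSET = 0x3C          # DOS header field holding the PE signature offset
COFF_HEADER_SIZE = 20
DIRECTORY_SECURITY = 4          # IMAGE_DIRECTORY_ENTRY_SECURITY (Authenticode table)


def triage(data: bytes) -> dict:
    """Summarise a file image: size, SHA-256 (for a VirusTotal hash search),
    whether it parses as a PE, and whether a certificate table is attached."""
    info = {
        "size": len(data),
        "sha256": hashlib.sha256(data).hexdigest(),
        "is_pe": False,
        "has_authenticode_dir": False,
    }
    if len(data) < 0x40 or data[:2] != b"MZ":
        return info
    pe_off = struct.unpack_from("<I", data, E_LFANEW_OFFSET)[0]
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        return info
    info["is_pe"] = True
    opt_off = pe_off + 4 + COFF_HEADER_SIZE
    magic = struct.unpack_from("<H", data, opt_off)[0]
    # Data directories begin 96 bytes into a PE32 optional header, 112 for PE32+.
    dir_off = opt_off + (96 if magic == 0x10B else 112)
    entry = dir_off + DIRECTORY_SECURITY * 8
    if entry + 8 > len(data):
        return info
    # For the certificate table the first field is a file offset, not an RVA.
    _cert_offset, cert_size = struct.unpack_from("<II", data, entry)
    info["has_authenticode_dir"] = cert_size > 0
    return info


def build_sample_pe(signed: bool) -> bytes:
    """Constructed minimal PE32 header image used only to exercise triage()."""
    dos = b"MZ" + b"\0" * (E_LFANEW_OFFSET - 2) + struct.pack("<I", 0x40)
    coff = b"\0" * COFF_HEADER_SIZE
    opt_fixed = struct.pack("<H", 0x10B) + b"\0" * 94   # PE32 magic + zeroed fields
    dirs = bytearray(16 * 8)                              # 16 data directory entries
    if signed:
        struct.pack_into("<II", dirs, DIRECTORY_SECURITY * 8, 0x200, 0x800)
    return dos + b"PE\0\0" + coff + opt_fixed + bytes(dirs)


if __name__ == "__main__":
    for flag in (True, False):
        print(triage(build_sample_pe(flag)))
```

To run it on the real file, read G:\AutoRun.exe in binary mode and pass the bytes to triage(); on Windows, Get-AuthenticodeSignature in PowerShell then tells you whether the attached signature actually verifies.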

gjnllh

  • Guest

Jtaylor83

  • Guest
False Positive. Send file in a password-protected zip folder to virus@avast.com with false positive in Subject and the mentioned password in the email body.

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33926
  • malware fighter
Hi gjnllh,

Establish whether it is malware by comparing it against this analysis of the known malware variant of AutoRun.exe:

1. COVERT ANALYSIS OF: AUTORUN.EXE

    * File Names Used: 20
    * Paths Used: 60
    * Common File Name: AUTORUN.EXE
    * Common Path: ?:\recycler\recycler\
    * Vendor Information: No Vendor details specified
    * Version Information: 1, 0, 0, 1
    * AUTORUN.EXE may use 20 or more path and file names, these are the most common:
    * 1 :%appdata%\microsoft\onecare protection\localcopy\{193FBA3C-6253-4F46-B309-8EF.....EXE
    * 2 :%appdata%\microsoft\onecare protection\localcopy\{54B04E19-AC3C-4D2B-8F0B-2FB.....EXE
    * 3 :%appdata%\microsoft\onecare protection\localcopy\{6AA98007-BC12-4B4B-B518-5C8.....EXE
    * 4 :%appdata%\microsoft\onecare protection\localcopy\{74ED466B-E530-418C-8CA7-50E.....EXE
    * 5 :%appdata%\microsoft\onecare protection\localcopy\{89A4141D-1008-4502-9740-4BF.....EXE
    * 6 :%appdata%\microsoft\onecare protection\localcopy\{8B7B51DD-8E00-4A70-9310-143.....EXE
    * 7 :%appdata%\microsoft\onecare protection\localcopy\{AC0DA932-F122-4FC8-9F14-9CF.....EXE
    * 8 :%windir%\system32\bak\KOFCPFWSVCS.EXE
    * 9 :%WINDIR%\SYSTEM32\KOFCPF~1.EXE
    * 10:%WINDIR%\SYSTEM32\KOFCPFWSVCS.EXE
    * 11:?:\!killbox\KOFCPFWSVCS.EXE
    * 12:?:\!killbox\KOFCPFWSVCS.EXE( 1)
    * 13:?:\000900
    * File Name Structure: Normal
    * File and Path Structure: Suspicious, unusually high number of file and path combinations

2. RELATIONSHIP ANALYSIS OF: AUTORUN.EXE

    * Malicious Objects Created: 5 objects
    * Malicious Creators: 12
    * Malware Run Keys: None
    * Self Persists:
    * Antivirus Detection: No third party antivirus detection observed
    * Anti-Spyware Detection: No third party anti-spyware detection observed

3. ACTIVITY ANALYSIS OF: AUTORUN.EXE

    * The following behaviors have been observed for this object:
    * Installs programs.
    * Deletes programs.
    * Invokes dll components.
    * Registers Browser Help Objects.
    * Creates Run Keys.
    * Modifies the hosts file.
    * Runs temporary programs.
    * Runs other programs.
    * Communicates with web sites using httpout protocols.
    * Hijacks running processes.
    * Creates known malware.
    * Creates copies of itself.

4. PROPAGATION ANALYSIS OF: AUTORUN.EXE

    * Malware Group Propagation Rate: Moderate (spreading)
    * Malware Group: Covert Sys Exec
    * Copyright Prevx Limited 2005, 2006

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

gjnllh

  • Guest
False Positive. Send file in a password-protected zip folder to virus@avast.com with false positive in Subject and the mentioned password in the email body.

thanks a lot for your help!!  ;D

numbersnletters

  • Guest
I also have this problem - Win32:Rootkit-gen [rtk] found in autorun.exe. However, I can't send it to VirusTotal or put it into a zip folder because I receive a message which says that this (autorun.exe) is an empty file. But when I look at it, it's definitely not empty (76kb).

What to do?

wyrmrider

  • Guest
Dear numb,
first run the MBAM and SAS scans mentioned above while awaiting a more definitive answer;
there are several autorun malware variants.