Swatkat's rants

  • Subscribe to our RSS feed.
  • Twitter
  • StumbleUpon
  • Reddit
  • Facebook
  • Digg

Saturday, 23 June 2007

InternetGameBox Rootkit

Posted on 03:37 by Unknown
InternetGameBox touts itself as software, which allows you to play online, flash based online games. But, InternetGameBox is much more than gaming! It's an adware which uses Navipromo rootkit to hide its traces! As soon as InternetGamebox client program is installed from their website, the installer drops few files to System32 directory and creates a randomly named process which is hidden from user mode APIs.

This is how InternetGameBox client looks like:

Here's a screen shot of hidden process:

Files and Registry keys hidden by Navipromo:


Surprisingly, the hidden executable is barely detected by AVs. Here's a screen shot of Virus.org Malware Scanner showing the scan result of the executable. It can be seen that only ArcaVir was able to detect it heuristically:

InternetGameBox' Navipromo rootkit can be completely removed using the Navilog1 tool. A tutorial to use the Navilog1 tool to remove Navipromo can be found at CastleCops Wiki.
Email ThisBlogThis!Share to XShare to FacebookShare to Pinterest
Posted in | No comments
Newer Post Older Post Home

0 comments:

Post a Comment

Subscribe to: Post Comments (Atom)

Popular Posts

  • Ax Video Plugin
    Ax Video Plugin is one of the latest fake codec/plugin in the block. The site http://axvideodownload.com/ uses the same old fake "Vide...
  • Javacool EULAlyzer!
    Have you ever read those ultra-long EULA (End User License Agreement) pages while you are installing any software? I think no one will read ...
  • Zlob brings back fake MP3s!
    Last August, I had blogged about Zlob gang using fake MP3 download sites to push their malware (link here ). Afterwards, we started to see m...
  • twitcurl - C++ twitter API library
    twitcurl is an open-source pure C++ library for twitter REST APIs. Currently, it has support for most of the twitter APIs and it will be upd...
  • ThinkPoint rogue antivirus
    ThinkPoint is a new addition to the long list of rogue antivirus programs. ThinkPoint uses fake codec download tricks for its distribution. ...
  • Rootkit detection, removal and prevention!
    Here's a Wiki definition for Rootkit: A Rootkit is a set of software tools frequently used by a third party (usually an intruder) after...
  • Antivirus 360 featured in top PC magazines and antivirus certification labs!
    No, we are not talking about Norton 360 , which is a genuine security software. This is about Antivirus 360 , one of the latest rogue securi...
  • yelpcurl - C++ Yelp API library
    yelpcurl is an open-source, pure C++ wrapper for Yelp's RESTful APIs . The library currently supports all the APIs provided by Yelp. yel...
  • Windows Filtering Platform (WFP) user mode examples
    So far, in Windows 2000/XP/2003 operating systems the packet filtering APIs ( PfXxx APIs) were used to implement TCP/IP packet filtering a...

Categories

  • a.exe
  • Autohotkey
  • C++
  • fake mp3 downloads
  • gop.exe
  • NewMediaCodec
  • OAuth
  • Orkut hating virus
  • Privacy Protector
  • rootkit
  • SysProt AntiRootkit
  • TDSServ rootkit removal
  • twitCurl
  • twitter
  • Udefender
  • Ultimate Cleaner
  • vdo_
  • Zlob
  • Zlob rootkit

Blog Archive

  • ►  2013 (1)
    • ►  June (1)
  • ►  2010 (6)
    • ►  October (2)
    • ►  September (2)
    • ►  July (1)
    • ►  April (1)
  • ►  2009 (12)
    • ►  September (1)
    • ►  May (1)
    • ►  April (1)
    • ►  March (4)
    • ►  January (5)
  • ►  2008 (44)
    • ►  December (6)
    • ►  November (6)
    • ►  October (4)
    • ►  September (15)
    • ►  August (2)
    • ►  June (2)
    • ►  May (1)
    • ►  April (1)
    • ►  March (6)
    • ►  January (1)
  • ▼  2007 (38)
    • ►  December (1)
    • ►  November (2)
    • ►  October (9)
    • ►  September (2)
    • ►  August (8)
    • ►  July (11)
    • ▼  June (3)
      • AVSystemCare – New fake anti-malware
      • InternetGameBox Rootkit
      • Update! SysProt AntiRootkit v1.0.0.4 Beta
    • ►  March (2)
  • ►  2006 (6)
    • ►  September (1)
    • ►  August (2)
    • ►  May (1)
    • ►  February (2)
  • ►  2005 (30)
    • ►  December (2)
    • ►  November (2)
    • ►  October (4)
    • ►  September (5)
    • ►  August (11)
    • ►  July (6)
Powered by Blogger.

About Me

Unknown
View my complete profile