Threat Encyclopedia

RTKT_XCP.B

Malware type: Others

Aliases: HideVault (McAfee), Hacktool.Rootkit (Symantec), TR/Drop.HideVault (Avira)

In the wild: Yes

Destructive: No

Language: English

Platform: Windows NT, 2000, XP, Server 2003

Encrypted: No

Overall risk rating:

Reported infections:

Damage potential: High

Distribution potential: Low

Description: 

To get a one-glance comprehensive view of the behavior of this malware, refer to the Behavior Diagram shown below.

RTKT_XCP.B Behavior Diagram

Malware Overview

This rootkit arrives on a system as part of the Sony MicroVault USM-F fingerprint reader application. The application allows a user to restrict access to files stored on the Sony MicroVault USM-F USB drive through the recognition of user-preset fingerprints.

Once the application is installed, this rootkit is also installed as a driver which is capable of hiding processes under the Windows folder.

The path and files inside the hidden processes are not visible to the user.


Description created: Aug. 27, 2007 11:03:20 PM GMT -0800


TECHNICAL DETAILS


File type: PE

Memory resident: Yes

Size of malware: 25,043 Bytes

Initial samples received on: Aug 27, 2007

Payload 1: Hides processes

Details:

This rootkit arrives on a system as part of the Sony MicroVault USM-F fingerprint reader application. The application allows a user to restrict access to files stored on the Sony MicroVault USM-F USB drive through the recognition of user-preset fingerprints.

It registers itself as a system service to enable its automatic execution at every system startup. It does this by creating the following registry key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\FG

Once the application is installed, this rootkit is also installed as a driver which is capable of hiding processes under the Windows folder.

The path and files inside the hidden processes are not visible to the user.

This rootkit runs on Windows NT, 2000, XP, and Server 2003.

Analysis By: Michael Cabel

Revision History:

First pattern file version: 4.676.01
First pattern file release date: Aug 28, 2007
 
Aug 31, 2007 - Modified Malware Report

SOLUTION


Minimum scan engine version needed: 8.000

Pattern file needed: 8.335.00

Pattern release date: Aug 5, 2011


Important note: The "Minimum scan engine" refers to the earliest Trend Micro scan engine version guaranteed to detect this threat. However, Trend Micro strongly recommends that you update to the latest version in order to get comprehensive protection. Download the latest scan engine here.

Solution:

Identifying the Malware Files

  1. Scan your computer with your Trend Micro antivirus product.
  2. Note the path and file name of all files detected as RTKT_XCP.B.

Trend Micro customers need to download the latest virus pattern file before scanning their computer. Other users can use Housecall, the Trend Micro online threat scanner.

Important Windows XP Cleaning Instructions

Users running Windows XP must disable System Restore to allow full scanning of infected computers.

Users running other Windows versions can proceed with the succeeding solution set(s).

Restarting in Safe Mode

This malware has characteristics that require the computer to be restarted in safe mode. Go to this page for instructions on how to restart your computer in safe mode.

Removing Autostart Key from the Registry

This solution deletes registry keys added by this malware. Before performing the steps below, make sure you know how to back up the registry and how to restore it if a problem occurs. Refer to this Microsoft article for more information about modifying your computer's registry.

  1. Open Registry Editor. Click Start>Run, type REGEDIT, then press Enter.
  2. In the left panel, double-click the following:
    HKEY_LOCAL_MACHINE>SYSTEM>CurrentControlSet>Services
  3. Still in the left panel, locate and delete the key:
    FG
  4. Close Registry Editor.

Deleting the Malware File(s)

  1. Right-click Start then click Search... or Find..., depending on the version of Windows you are running.
  2. In the Named input box, type the name(s) of the file(s) detected earlier.
  3. In the Look In drop-down list, select My Computer, then press Enter.
  4. Once located, select the file then press SHIFT+DELETE.

*NOTE: This is a component file that may come with a main component detected by Trend Micro as another malware. It may also be used by several variants of a certain malware family. If your Trend Micro product detects another malware on your system, refer to the manual removal instructions of that detected malware.
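The manual registry steps above, as an added PowerShell script for administrators (not part of the Trend Micro write-up). It only reports by default; with -Remove it backs the key up with reg.exe and then deletes it. The value names it reads (ImagePath, Start, Type) are standard service values; whether the FG key carries them is an assumption, and the backup path is a placeholder.

```powershell
# Added example, not from the original write-up. Run from an elevated prompt
# after restarting in Safe Mode, as the removal instructions require.
param(
    [switch]$Remove,
    [string]$BackupPath = "$env:TEMP\FG-service-backup.reg"   # assumed location
)

$keyPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\FG'      # PowerShell drive syntax
$regPath = 'HKLM\SYSTEM\CurrentControlSet\Services\FG'       # reg.exe syntax

if (-not (Test-Path -LiteralPath $keyPath)) {
    Write-Output 'Service key FG not found; nothing to do.'
    return
}

# Report what the key points at so the driver file can be located and
# scanned before anything is deleted. Values assumed, not taken from the page.
$props = Get-ItemProperty -LiteralPath $keyPath
Write-Output "Found $keyPath"
foreach ($name in 'ImagePath', 'Start', 'Type') {
    if ($null -ne $props.$name) {
        Write-Output ('  {0,-10} {1}' -f $name, $props.$name)
    }
}

# Check whether the driver is currently loaded; in Safe Mode it should not be.
$drv = Get-WmiObject -Class Win32_SystemDriver -Filter "Name='FG'" -ErrorAction SilentlyContinue
if ($drv) { Write-Output "  Driver state: $($drv.State) (remove only when not running)" }

if (-not $Remove) {
    Write-Output 'Re-run with -Remove to back up and delete the key.'
    return
}

# Back the key up first so the change can be reverted, then delete it.
& reg.exe export $regPath $BackupPath /y | Out-Null
if ($LASTEXITCODE -ne 0) { throw "Backup to $BackupPath failed; key left in place." }
Remove-Item -LiteralPath $keyPath -Recurse -Force
Write-Output "Removed $keyPath (backup saved to $BackupPath)"
```

The driver file named in ImagePath should still be deleted separately, as in the "Deleting the Malware File(s)" steps.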
