Rootkit Kryptik.ABX in atapi.sys (CsimPlayer.exe)

On Friday, December 11, a trojan horse found its way into my Windows.

It all started with AVAST throwing these warnings:

11/12/2009 23:08:51 xxx 412 Sign of “Win32:Malware-gen” has been found in “C:\WINDOWS\TEMP\~TM1F1A.tmp” file.

I told AVAST to delete ~TM1F1A.tmp, but AVAST apparently didn’t delete the file. Shortly afterwards AVAST complained about a system file:

11/12/2009 23:10:08 xxx 412 Sign of “Win32:Cutwail-AD [Trj]” has been found in “C:\WINDOWS\system32\drivers\atapi.sys” file.
11/12/2009 23:10:37 xxx 412 Sign of “Win32:Cutwail-AD [Trj]” has been found in “C:\WINDOWS\system32\dllcache\atapi.sys” file.

Then I looked at the running processes.

A process called CsimPlayer.exe was running and had two svchost.exe child processes attached to it.

Running a SHA hash comparison between CsimPlayer.exe and the tmp file confirmed that CsimPlayer.exe was indeed ~TM1F1A.tmp, the file AVAST had identified as malware. The same CsimPlayer.exe was added to the auto-start Run key in the registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run (value: “C:\WINDOWS\system32\CsimPlayer.exe”).

In the meantime a CMD (command prompt) process was busily running a batch file called fjhdyfhsn.bat. The batch file contained the following statements (a loop trying to delete Firefox…):

The BAT file was dropped on my system on 11 December at 23:08, moments before the ~temp files.
(screenshot: contents of fjhdyfhsn.bat)

Another file, called siszyd32.exe, was dropped in the Startup folder.
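The checks described above (hashing CsimPlayer.exe against the flagged temp file, checking the live atapi.sys against its dllcache copy, listing the Run key and the Startup folders, and finding svchost.exe processes whose parent is not services.exe), collected into one PowerShell triage script. This is an added example and not code from the original post; it assumes Windows PowerShell 4 or later (Get-FileHash and Get-CimInstance did not exist on the 2009 XP machine described here) and uses the file paths the post names.

```powershell
# Added triage script, not part of the original post. Assumes Windows PowerShell 4+
# (Get-FileHash, Get-CimInstance). Paths are the ones named in the post. Run elevated.

$suspect = 'C:\WINDOWS\system32\CsimPlayer.exe'
$dropped = 'C:\WINDOWS\TEMP\~TM1F1A.tmp'
$driver  = 'C:\WINDOWS\system32\drivers\atapi.sys'
$cached  = 'C:\WINDOWS\system32\dllcache\atapi.sys'

# Hash two files and report whether they are byte-identical.
function Compare-FileHashes {
    param([string]$PathA, [string]$PathB)
    if (-not (Test-Path -LiteralPath $PathA) -or -not (Test-Path -LiteralPath $PathB)) {
        return $null   # one of the files is gone (e.g. AVAST removed it after all)
    }
    $a = (Get-FileHash -Algorithm SHA256 -LiteralPath $PathA).Hash
    $b = (Get-FileHash -Algorithm SHA256 -LiteralPath $PathB).Hash
    [pscustomobject]@{ FileA = $PathA; FileB = $PathB; HashA = $a; HashB = $b; Identical = ($a -eq $b) }
}

# 1. Is the file in system32 the same bytes as the temp file AVAST flagged?
Compare-FileHashes $suspect $dropped | Format-List

# 2. Does the live atapi.sys match the copy in dllcache? In the post BOTH copies were
#    flagged, so "identical" here only proves the cache was overwritten as well; it does
#    not prove the driver is clean. Compare against a known-good atapi.sys instead.
Compare-FileHashes $driver $cached | Format-List

# 3. Auto-start entries: the Run keys and both Startup folders.
$runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
foreach ($k in $runKeys) {
    if (Test-Path $k) {
        Write-Host "== $k"
        Get-ItemProperty -Path $k | Select-Object -Property * -ExcludeProperty PS* | Format-List
    }
}
foreach ($folder in 'Startup', 'CommonStartup') {
    $path = [Environment]::GetFolderPath($folder)
    Write-Host "== $path"
    Get-ChildItem -Force -LiteralPath $path -ErrorAction SilentlyContinue |
        Select-Object Name, Length, CreationTime, LastWriteTime | Format-Table -AutoSize
}

# 4. Process tree: a legitimate svchost.exe is started by services.exe. One whose parent
#    is anything else (CsimPlayer.exe in the post) is a strong sign of injection/hollowing.
$procs = Get-CimInstance Win32_Process
$byId  = @{}
foreach ($p in $procs) { $byId[[int]$p.ProcessId] = $p }

$procs | Where-Object { $_.Name -ieq 'svchost.exe' } | ForEach-Object {
    $parent     = $byId[[int]$_.ParentProcessId]
    $parentName = if ($parent) { $parent.Name } else { '<exited>' }
    [pscustomobject]@{
        PID        = $_.ProcessId
        ParentPID  = $_.ParentProcessId
        ParentName = $parentName
        Path       = $_.ExecutablePath
        Suspicious = (-not $parent) -or ($parentName -ine 'services.exe')
    }
} | Format-Table -AutoSize
```

Run it from an elevated prompt so the driver and dllcache files are readable. The parent-process check is the part worth keeping: Windows File Protection silently restores system32 files from dllcache, which is exactly why a trojan that replaces atapi.sys also replaces the cached copy, and why two matching hashes there tell you nothing about whether the file is the Microsoft original.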

I still don’t know what it was or why AVAST isn’t detecting it. I will keep you posted if more info becomes available.

In the meantime, try the following:

Removal Instructions

You probably got this malware because Java, Flash or Acrobat aren’t up to date. Older versions are insecure and potentially expose your system to security threats! Scan your system with this online scanner.

Removal:

Get Malwarebytes’ Anti-Malware
