Jump to content


Photo

Recently Appearing Trojan Ntos.exe


  • This topic is locked This topic is locked
3 replies to this topic

#1 fatdcuk

fatdcuk

    Member

  • Members
  • PipPip
  • 24 posts

Posted 18 November 2006 - 04:24 PM

24 April 2007 IMPORTANT NOTE:
This information was posted November of 2006 about a (then) new emerging threat. The 3rd party solutions implied therein may not work properly on recent variants. Because newer variants may have emerged since, and old variants now removed by appropriated Security Software, I am closing this topic because it is now OUT OF DATE information . Should anyone have similar issues and need help with removal, please run a full system scan with an updated version of Ad-Aware and post your scan log for review into a NEW TOPIC.
Thank you!
CalamityJane


Security heads up,new emerging trojan ntos.exe

Ok folks i have been seeing this file appear since the October 25/10/06 but judging by the research paper linked it has been with us for a little while now but is being seen with more frequency recently.A big thanks and debt of respect to Secure Science corps and Michael Ligh for their indebt analysis of this emerging trojan threat.
http://www.securesci...ecasestudy.html


Because of the nature of this trojans operation i feel it needs to get some publicity since at the moment not many vendors are not up with it(as with the Gromozon trojan) & google search dose not reveal too much information.

I have seen the trojan imported as a stand alone infection and also as part of a massive CWS/infection in the past weeks.

FAO HJT log experts,one of the following 2 entries will signify the presents of this trojan.Its removal is not difficult,kill the principal executable(Ntos.exe) and the infection/effects are neutered.

O4 - HKLM\..\Run: [userinit] C:\WINDOWS\system32\ntos.exe
or
F2 - REG:system.ini: UserInit=D:\WINDOWS\system32\Userinit.exe,D:\WINDOWS\system32\ntos.exe

The bad news is as with Morphine z-lob this trojan is now being repacked as regular as clockwork(names,file size etc) to evade detections & cleaning routines but yet still retaining its thoroughly unpleasent operative capabilities listed in the PDF research paper.

1st ntos.exe sample uploaded to MIRT site
http://www.castlecop...y_ntos_exe.html
MIRT handler :)
http://www.castlecop...m/c55-MIRT.html

Malware hunter....Got Bot ?

#2 fatdcuk

fatdcuk

    Member

  • Members
  • PipPip
  • 24 posts

Posted 18 November 2006 - 04:25 PM

...continued.

2nd ntos.exe sample uploaded to MIRT site
http://www.castlecop...y_detected.html
MIRT handler :)
http://www.castlecop...m/c55-MIRT.html

Malware hunter....Got Bot ?

#3 woodensword

woodensword

    Newbie

  • Members
  • Pip
  • 1 posts

Posted 15 April 2007 - 05:58 PM

Ok,

I read the Secure Science corps paper regarding the ntos.exe and followed the removal instruction that it suggests.

To my frustation by deleting the ntos.exe file i could never log on to windows again. I searched throught the net but i could not find any solution rather than deleting the file ntos.exe and registry keys after closing winlogon.exe handle to ntos.exe.

No antivirus/security program seems able to remove the malware.

Nevertheless the solution that worked with me and i would like to share was after simply after deleting the ntos.exe restoring the windows registry from a point:

http://www.housing.h...store-point.htm

Thank you

#4 RekaTech admin

RekaTech admin

    Newbie

  • Members
  • Pip
  • 1 posts

Posted 15 April 2007 - 08:38 PM

OK, hopefully this will help someone. I have just found a work around for the NTOS.exe. I found as has been previously mentioned that i was unable to get into Windows XP after removing the said file. However i was able to to access Window's in safe mode.

When in safe mode i did a search in explorer for "ntos"... where i deleted all traces of the file appart from ntos.exe.000

I renamed ntos.exe.000 to ntos.exe and hey presto i was able to gain access to windows.

Hopefully someone more technical than myself will find this usefull, i presume that the file called ntos.exe.000 was the original file that was renamed by the trojan.. so by deleting the others and renaming it back all seems ok.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users