Recently Appearing Trojan Ntos.exe
Posted 18 November 2006 - 04:24 PM
This information was posted November of 2006 about a (then) new emerging threat. The 3rd party solutions implied therein may not work properly on recent variants. Because newer variants may have emerged since, and old variants now removed by appropriated Security Software, I am closing this topic because it is now OUT OF DATE information . Should anyone have similar issues and need help with removal, please run a full system scan with an updated version of Ad-Aware and post your scan log for review into a NEW TOPIC.
Security heads up,new emerging trojan ntos.exe
Ok folks i have been seeing this file appear since the October 25/10/06 but judging by the research paper linked it has been with us for a little while now but is being seen with more frequency recently.A big thanks and debt of respect to Secure Science corps and Michael Ligh for their indebt analysis of this emerging trojan threat.
Because of the nature of this trojans operation i feel it needs to get some publicity since at the moment not many vendors are not up with it(as with the Gromozon trojan) & google search dose not reveal too much information.
I have seen the trojan imported as a stand alone infection and also as part of a massive CWS/infection in the past weeks.
FAO HJT log experts,one of the following 2 entries will signify the presents of this trojan.Its removal is not difficult,kill the principal executable(Ntos.exe) and the infection/effects are neutered.
O4 - HKLM\..\Run: [userinit] C:\WINDOWS\system32\ntos.exe
F2 - REG:system.ini: UserInit=D:\WINDOWS\system32\Userinit.exe,D:\WINDOWS\system32\ntos.exe
The bad news is as with Morphine z-lob this trojan is now being repacked as regular as clockwork(names,file size etc) to evade detections & cleaning routines but yet still retaining its thoroughly unpleasent operative capabilities listed in the PDF research paper.
1st ntos.exe sample uploaded to MIRT site
Malware hunter....Got Bot ?
Posted 15 April 2007 - 05:58 PM
I read the Secure Science corps paper regarding the ntos.exe and followed the removal instruction that it suggests.
To my frustation by deleting the ntos.exe file i could never log on to windows again. I searched throught the net but i could not find any solution rather than deleting the file ntos.exe and registry keys after closing winlogon.exe handle to ntos.exe.
No antivirus/security program seems able to remove the malware.
Nevertheless the solution that worked with me and i would like to share was after simply after deleting the ntos.exe restoring the windows registry from a point:
Posted 15 April 2007 - 08:38 PM
When in safe mode i did a search in explorer for "ntos"... where i deleted all traces of the file appart from ntos.exe.000
I renamed ntos.exe.000 to ntos.exe and hey presto i was able to gain access to windows.
Hopefully someone more technical than myself will find this usefull, i presume that the file called ntos.exe.000 was the original file that was renamed by the trojan.. so by deleting the others and renaming it back all seems ok.
0 user(s) are reading this topic
0 members, 0 guests, 0 anonymous users