W32/Rustock.F, a quite unknown Rustock.C dropper

A few days ago a friend of mine sent me a suspicious piece of malware; unfortunately I couldn't look at it until last night because I was away for work.

Submitting the file to virustotal.com showed that only 39.02% of the antivirus engines recognize it as malware (some popular ones, Kaspersky and Symantec for example, do not detect it); Microsoft calls it "TrojanDropper:Win32/Rustock.F", while for Panda it is "Trj/Rustock.L".

As the analysis shows, this is really a dropper for the well-known Rustock.C malware.

A lot of papers have been written on Rustock.C, so I will analyze only this dropper, to make clear that this is malware even if your antivirus does not flag it as a malicious application.

The file I’m talking about is called “is7771.exe”.

In the article I explain the behaviour of the dropper in detail; take a look at it here:

http://revengstuff.wordpress.com/files/2009/09/rustock_f1.pdf
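The detection ratio and the vendor naming disagreement above are the kind of thing worth scripting when triaging a sample like this. The block below is an added example, not code from the original post: it summarises a VirusTotal-style per-engine result map (the shape of the v3 API's `last_analysis_results` attribute), computes the detection ratio (the post's 39.02% is what 16 detections out of 41 engines gives), lists which engines miss the file, and extracts a family name from each vendor's detection string so that differently named verdicts such as TrojanDropper:Win32/Rustock.F and Trj/Rustock.L are recognised as the same family. The engine map is constructed: only the Microsoft and Panda names, and the fact that Kaspersky and Symantec did not detect the file, come from the post. The optional `fetch_vt_results` helper uses the real VirusTotal v3 files endpoint and needs an API key and network access; the offline sample never calls it. The SHA-256 is the one from the VirusTotal link quoted in the comments.

```python
"""Summarise a multi-engine scan report (VirusTotal-style) for triage notes.

Added example; not code from the original post or from VirusTotal.
"""
import json
import re
import urllib.request
from collections import Counter

# Real VirusTotal v3 endpoint for a file report by hash.
VT_FILE_URL = "https://www.virustotal.com/api/v3/files/{sha256}"

# SHA-256 taken from the VirusTotal link quoted in the comments of the post.
SAMPLE_SHA256 = "6ea210f9022f8b1d8f7b6cc73c2496f8b91f96535bd48070bdcc278f2fa4696c"

# Tokens that name a class of threat rather than a family. They are skipped
# when looking for the family name inside a detection string. Heuristic list.
GENERIC_TOKENS = {
    "trojan", "trojandropper", "dropper", "virus", "worm", "backdoor", "malware",
    "win32", "w32", "trj", "mal", "generic", "heur", "heuristic", "suspicious",
    "variant", "agent", "packed", "behaveslike", "gen",
}

# Categories that mean the engine actually returned a verdict; timeouts,
# failures and unsupported file types are excluded from the denominator.
VERDICT_CATEGORIES = {"malicious", "suspicious", "undetected", "harmless"}
DETECTED_CATEGORIES = {"malicious", "suspicious"}

# Constructed sample in the shape of VirusTotal v3 "last_analysis_results".
# Only the Microsoft and Panda strings and the two undetecting vendors
# (Kaspersky, Symantec) come from the post; the "ExampleAV-*" engines and
# their verdicts are made up for this example.
SAMPLE_RESULTS = {
    "Microsoft": {"category": "malicious", "result": "TrojanDropper:Win32/Rustock.F"},
    "Panda": {"category": "malicious", "result": "Trj/Rustock.L"},
    "Kaspersky": {"category": "undetected", "result": None},
    "Symantec": {"category": "undetected", "result": None},
    "ExampleAV-1": {"category": "malicious", "result": "Win32/Rustock.gen"},
    "ExampleAV-2": {"category": "malicious", "result": "Generic Dropper.ds"},
    "ExampleAV-3": {"category": "undetected", "result": None},
    "ExampleAV-4": {"category": "undetected", "result": None},
    "ExampleAV-5": {"category": "type-unsupported", "result": None},
    "ExampleAV-6": {"category": "undetected", "result": None},
}


def detection_ratio(results):
    """Return (detected, total, percent) over engines that gave a verdict."""
    verdicts = [r for r in results.values() if r.get("category") in VERDICT_CATEGORIES]
    detected = sum(1 for r in verdicts if r["category"] in DETECTED_CATEGORIES)
    total = len(verdicts)
    percent = round(100.0 * detected / total, 2) if total else 0.0
    return detected, total, percent


def undetected_engines(results):
    """Sorted names of engines that scanned the file and found nothing."""
    return sorted(name for name, r in results.items() if r.get("category") == "undetected")


def family_from_name(detection_name):
    """Heuristic: first token of a detection string that is not a generic
    class word and is at least three characters long, lower-cased. Returns
    None when nothing family-like is left (e.g. "Generic Dropper.ds")."""
    for token in re.findall(r"[A-Za-z][A-Za-z0-9]*", detection_name or ""):
        token = token.lower()
        if len(token) >= 3 and token not in GENERIC_TOKENS:
            return token
    return None


def family_consensus(results):
    """Counter of family names voted by the detecting engines."""
    votes = Counter()
    for r in results.values():
        if r.get("category") in DETECTED_CATEGORIES:
            family = family_from_name(r.get("result"))
            if family:
                votes[family] += 1
    return votes


def fetch_vt_results(sha256, api_key):
    """Fetch last_analysis_results for a hash from the VirusTotal v3 API.
    Needs network access and a valid key; not used by the offline sample."""
    req = urllib.request.Request(VT_FILE_URL.format(sha256=sha256), headers={"x-apikey": api_key})
    with urllib.request.urlopen(req) as resp:
        data = json.load(resp)
    return data["data"]["attributes"]["last_analysis_results"]


if __name__ == "__main__":
    det, tot, pct = detection_ratio(SAMPLE_RESULTS)
    print(f"{SAMPLE_SHA256}: {det}/{tot} engines detect it ({pct}%)")
    print("missed by:", ", ".join(undetected_engines(SAMPLE_RESULTS)))
    print("family votes:", dict(family_consensus(SAMPLE_RESULTS)))
```

Swap `SAMPLE_RESULTS` for `fetch_vt_results(SAMPLE_SHA256, api_key)` to run it against the live report; the family heuristic is deliberately crude and is there to surface vendor disagreement, not to settle it.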

Is it C series really ?

Did you really have Ntldrbot/Rustock C install...

Some evidence would be appreciated (VT report on the unique patched driver + ARK routine), as the dropper you refer to loads a descendant of the Rustock B series. So have you made a mistake with how different vendors classify different variants of the Rustock family?

Sorry for the delay, I've

Sorry for the delay, I've just seen your comment.
As I said, "Rustock.C" is the Kaspersky name, but this dropper is not recognized by Kaspersky (or rather, that is what VirusTotal says), so here is the link to the VirusTotal report:

http://www.virustotal.com/it/analisis/6ea210f9022f8b1d8f7b6cc73c2496f8b91f96535bd48070bdcc278f2fa4696c-1253059626

Ah all is clearer now and

Ah, all is clearer now, and just to confirm: the *C* you're thinking of in your report is not the same *C* that your dropper is importing.
Kaspersky classifies the Rustock C series as "Virus.Win32.Rustock.a" because the infamous C is a file infector of sorts (it patches boot-loading drivers). This is the one that generated many write-ups and all the hysteria that you are thinking of, etc.

lol, thought C was making a comeback tour... Oh well, have TDL3 to go play with now :P

All the best!

Well, I was not speaking

Well, I was not speaking about a comeback tour; in fact the file is not so new, but it is still unrecognized by some popular AV such as Kaspersky, and this is why I put the focus on it.
The Kaspersky signature "Virus.Win32.Rustock.a" refers to the .sys file of Rustock.C (Kaspersky nomenclature) and not to the droppers.
I'm not so sure that every Rustock.C dropper is identified as Virus.Win32.Rustock.a by Kaspersky.
Regards.

Upload a copy?

Any chance you could upload a copy of this file here? Thanks