
Rootkit.Win32.Agent.akga - AKGA rootkit

A friend of mine was infected with this rootkit; I thank him for contributing the sample.

He saved the sys file from a backup, and uploaded it for us at Rapidshare.

http://rapidshare.com/files/359540439/xeortd.rar

A thread discussing behavioral details and removal instructions for the rootkit,
courtesy of Spybot S&D: http://forums.spybot.info/showthread.php?&t=55711

I tried viewing the SYS file with Wordpad (not a disassembler) and found APIs like IoDeleteDevice and APIs that are hidden.
The file infects ntoskrnl.exe, so it is clearly a rootkit, exhibiting kernel infection behavior.

Cheers,
Kish

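A scripted version of the quick string look described in the post above, added here as an editorial example; it is not the poster's tool and has not been run against the actual xeortd sample. It pulls printable ASCII strings from a driver image (what Wordpad shows), additionally recovers UTF-16LE strings (device names and registry paths, which a text editor renders as spaced-out letters and a naive ASCII search misses), matches the ASCII hits against a watch-list of ntoskrnl exports, and computes the SHA-256 so the hash can be pasted next to any mirror link. The embedded SAMPLE bytes, the device name "\Device\sampledrv" and the SUSPICIOUS_APIS list are constructed assumptions, not data from the thread.

```python
"""String triage for a suspect Windows kernel driver (.sys).

Added editorial example; not the tool used in the thread. SAMPLE is a
constructed stand-in for a driver image (not the xeortd sample) and
SUSPICIOUS_APIS is an assumed watch-list, not something the thread states.
"""
import hashlib
import json
import re
import sys

# Constructed stand-in for a driver image: a few ASCII and UTF-16LE strings
# surrounded by non-printable bytes. Not derived from the real sample.
SAMPLE = (
    b"MZ\x90\x00" + bytes(range(0, 32))
    + b"ntoskrnl.exe\x00" + b"\x01\x02\x03"
    + b"IoDeleteDevice\x00IoCreateDevice\x00"
    + b"\x00\x00"                                          # padding before the wide string
    + "\\Device\\sampledrv".encode("utf-16-le") + b"\x00\x00"   # UNICODE_STRING buffer
    + b"ZwQuerySystemInformation\x00"
    + bytes(range(128, 256)) + b"\x7f"
)

# ntoskrnl exports that a driver with hide/hook behaviour commonly imports.
# Assumed watch-list for triage only; a hit is a lead, not a verdict.
SUSPICIOUS_APIS = {
    "IoCreateDevice", "IoDeleteDevice", "IoCreateSymbolicLink",
    "ZwQuerySystemInformation", "PsSetCreateProcessNotifyRoutine",
    "MmGetSystemRoutineAddress", "ObReferenceObjectByName",
    "KeServiceDescriptorTable",
}


def ascii_strings(data: bytes, min_len: int = 6) -> list:
    """Runs of printable ASCII: the readable text Wordpad would show."""
    pat = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pat.finditer(data)]


def utf16le_strings(data: bytes, min_len: int = 6) -> list:
    """Runs of printable chars each followed by a NUL byte, which is how
    UNICODE_STRING buffers (device names, registry paths) sit on disk."""
    pat = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    return [m.group().decode("utf-16-le") for m in pat.finditer(data)]


def triage(data: bytes) -> dict:
    """Summarise what a quick string look at the image reveals."""
    found = set(ascii_strings(data))
    wide = utf16le_strings(data)
    return {
        "sha256": hashlib.sha256(data).hexdigest(),   # paste this with any mirror link
        "references_ntoskrnl": "ntoskrnl.exe" in found,
        "suspicious_imports": sorted(found & SUSPICIOUS_APIS),
        "device_names": [s for s in wide
                         if s.startswith("\\Device\\") or s.startswith("\\DosDevices\\")],
    }


if __name__ == "__main__":
    # Pass a .sys path to triage a real file; with no argument the constructed sample is used.
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    print(json.dumps(triage(blob), indent=2))
```

Two caveats a practitioner would add. Names that a driver resolves at runtime (for example through MmGetSystemRoutineAddress or a hashed lookup) never appear as plain strings, so an empty watch-list result proves nothing; the proper next step is to parse the import table (pefile does this) and then disassemble. And the string "ntoskrnl.exe" inside a driver only shows that the image references the kernel; confirming that the kernel on the infected box was actually modified means comparing that machine's ntoskrnl.exe hash and Authenticode signature against a clean copy from the same service pack and patch level.
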

Hi,

unfortunately Rapidshare reached 10 downloads; can you reupload it?

Thanks,
Giuseppe 'Evilcry' Bonfa'


Evilcry,

RS Mirror: http://rapidshare.com/files/363424615/xeortd.rar

Please upload it to OC and paste the hash; out of time here.

Cheers,
Kish

--
Remember there is always someone who knows more than us out there