Rustock.C
Rustock.C is a Trojan that has affected thousands of computers worldwide. Learn the vital details about Rustock.C and avoid becoming a victim.
Rustock.C is one of the hardest Trojans to detect and decipher. It can cause a lot of problems, from spamming to deleting files. The following information will help you understand the facts about this program.
How the Malware Works
This program affects computers running Windows operating systems. When it gets inside a system, it installs files with names like glaide32.sys and null.sys. It may also replace beep.sys with a corrupted version.
The Trojan modifies the following values in the Windows Registry:
HKLM\SYSTEM\CurrentControlSet\Services\wuauserv
ImagePath = %fystemRoot%\system32\svchost.exe -k netsvcs
HKLM\SYSTEM\CurrentControlSet\Services\BITS
ImagePath = %fystemRoot%\System32\svchost.exe -k netsvcs
The key detail is “fystemRoot”, which overwrites the original “SystemRoot” in each path.
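The “fystemRoot” substitution is a concrete indicator a defender can check for. As an added example that is not part of the original article, the Python below parses output in the layout that reg query prints for the two services named above and flags an altered ImagePath; the sample output is constructed, and on a live host the text would come from reg query or an exported hive.

```python
import re

# Services whose ImagePath the article says Rustock.C rewrites.
WATCHED_SERVICES = {"wuauserv", "bits"}
# Legitimate ImagePath for both services, compared case-insensitively.
EXPECTED_IMAGEPATH = r"%systemroot%\system32\svchost.exe -k netsvcs"

# Constructed sample in the layout 'reg query <key> /v ImagePath' prints:
# a key line followed by an indented '<name> <type> <data>' line.
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv
    ImagePath    REG_EXPAND_SZ    %fystemRoot%\system32\svchost.exe -k netsvcs

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS
    ImagePath    REG_EXPAND_SZ    %SystemRoot%\System32\svchost.exe -k netsvcs
"""

KEY_RE = re.compile(r"^HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\(\S+)\s*$")
VALUE_RE = re.compile(r"^\s+ImagePath\s+REG_(?:EXPAND_)?SZ\s+(.*?)\s*$")


def parse_image_paths(text):
    """Map service name -> ImagePath data from reg query style output."""
    paths, current = {}, None
    for line in text.splitlines():
        key = KEY_RE.match(line)
        if key:
            current = key.group(1)
            continue
        value = VALUE_RE.match(line)
        if value and current:
            paths[current] = value.group(1)
    return paths


def find_tampered(text):
    """Return {service: reason} for watched services whose ImagePath looks altered."""
    findings = {}
    for svc, path in parse_image_paths(text).items():
        if svc.lower() not in WATCHED_SERVICES:
            continue
        if "%fystemroot%" in path.lower():
            findings[svc] = "ImagePath contains %fystemRoot% (Rustock.C indicator)"
        elif path.lower() != EXPECTED_IMAGEPATH:
            findings[svc] = "ImagePath differs from the expected svchost path"
    return findings


if __name__ == "__main__":
    for svc, reason in find_tampered(SAMPLE_REG_QUERY).items():
        print(f"{svc}: {reason}")
```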
It has also been reported that the program installs a file or files in the Windows temp folder. It may also create several files with the extension .sys in the Windows\System folder.
Effects on Computers
The Rustock.C Trojan goes after several drivers. Specifically, it targets the files in the Windows\System32\Drivers folder. The Trojan also bypasses firewalls. Another reason this malware is so hard to remove is that it targets the basic Microsoft drivers.
Instead of eliminating drivers, it merges with those in the boot and system sectors. Among the files it attacks are fastfat.sys and ntfs.sys. It also has the ability to move from one system driver to another.
These drivers are integral to running your system, and by altering them the malware can wreak havoc on it. Everything from slowdowns to error messages and software problems will emerge. It can also affect your Internet connection. The malware connects to remote servers and floods your email with spam.
It should be stated that Rustock.C affects computers in different ways. Some report that the malware downloads other dangerous programs onto the system. Some variants filter and seize control of other functions, such as graphics and communication subsystems. It is also built to withstand debugging, and it manipulates the different processes associated with kernel mode.
How it Performs Spamming
Analysis of the malware revealed several variants in existence. They are named C1, C2, C3 and C4. They differ slightly in size (from 150,000 to 250,000 bytes). The biggest difference between the variants is the DLL code used for spamming. Based on the information obtained by experts, the DLL implants itself in system memory.
Once in place, Rustock.C fuses with the winlogon.exe process. It connects to a remote server and obtains spam, which is then distributed to several computers. Unlike other malware, the file is embedded in RAM, not on the hard disk.
Removal and Prevention
If your system is already infected, perform a full scan. Do not back up files yet; wait until the antivirus has removed all traces of the malware. Restart the PC and check the different applications. Some would recommend that you reinstall the files in Windows\System32\drivers from your installation CD. If you are running Windows Vista, upgrade to x32 SP1.
As with other Trojans, viruses and other malware, the key to stopping Rustock.C is practicing safe computing. Keep PC software up to date and run virus scans frequently and you won’t have trouble.