rootkit: dcprotect.sys
Closed this issue · 1 comments
Bundled with the Chinese application "DrvCeo" is a set of rootkits:
encrypted 7z archive (password: 3BuW!$2PDVP^!Mc9u*AJ3CEasM4JDmgg) containing the drivers:
https://www.virustotal.com/gui/file/68485b81c96438a821c3a11557ac6551a02e78d7c37152be2c266d2c08955136
The drivers themselves:
https://www.virustotal.com/gui/file/55b5bcbf8fb4e1ce99d201d3903d785888c928aa26e947ce2cdb99eefd0dae03
https://www.virustotal.com/gui/file/1698ba7eeee6ff9272cc25b242af89190ff23fd9530f21aa8f0f3792412594f3
https://www.virustotal.com/gui/file/c35cab244bd88bf0b1e7fc89c587d82763f66cf1108084713f867f72cc6f3633
https://www.virustotal.com/gui/file/f8d45fa03f56e2ea14920b902856666b8d44f1f1b16644baf8c1ae9a61851fb6
https://www.virustotal.com/gui/file/ff55c1f308a5694eb66a3e9ba326266c826c5341c44958831a7a59a23ed5ecc8
https://www.virustotal.com/gui/file/9dee9c925f7ea84f56d4a2ad4cf9a88c4dac27380887bf9ac73e7c8108066504
https://www.virustotal.com/gui/file/3af9c376d43321e813057ecd0403e71cafc3302139e2409ab41e254386c33ecb
https://www.virustotal.com/gui/file/b2247e68386c1bdfd48687105c3728ebbad672daffa91b57845b4e49693ffd71
The malicious functionality:
- prevents registry value writing where the registry key or value includes "dcprotect" or "drvceo"
- prevents file deletion if pathname contains "driverdownload", "program files\sysceo", "program files (x86)\sysceo"
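An added example, not part of the issue or of the DrvCeo software: a small Python helper that hashes local driver files against the SHA-256 values from the VirusTotal links above and models the two self-protection rules the report describes, so a responder can see which online cleanup steps the driver would interfere with (and therefore need to be done from offline/recovery media). Case-insensitive substring matching and reading "value" as the registry value name are assumptions, not something the issue states; the directory scan and the sample inputs are constructed for illustration.

```python
"""Match driver files against the issue's SHA-256 IoCs and predict which
cleanup actions dcprotect.sys self-protection would block.

Added example for this report; it is not code from the issue or from DrvCeo.
"""
import hashlib
from pathlib import Path
from typing import Dict, List, Tuple

# SHA-256 values taken from the VirusTotal links in the issue:
# the encrypted 7z archive followed by the eight driver files.
KNOWN_SHA256 = {
    "68485b81c96438a821c3a11557ac6551a02e78d7c37152be2c266d2c08955136",
    "55b5bcbf8fb4e1ce99d201d3903d785888c928aa26e947ce2cdb99eefd0dae03",
    "1698ba7eeee6ff9272cc25b242af89190ff23fd9530f21aa8f0f3792412594f3",
    "c35cab244bd88bf0b1e7fc89c587d82763f66cf1108084713f867f72cc6f3633",
    "f8d45fa03f56e2ea14920b902856666b8d44f1f1b16644baf8c1ae9a61851fb6",
    "ff55c1f308a5694eb66a3e9ba326266c826c5341c44958831a7a59a23ed5ecc8",
    "9dee9c925f7ea84f56d4a2ad4cf9a88c4dac27380887bf9ac73e7c8108066504",
    "3af9c376d43321e813057ecd0403e71cafc3302139e2409ab41e254386c33ecb",
    "b2247e68386c1bdfd48687105c3728ebbad672daffa91b57845b4e49693ffd71",
}

# Substrings the issue says the driver looks for. Case-insensitive matching
# is an assumption made here, not something the issue states.
REGISTRY_MARKERS = ("dcprotect", "drvceo")
PATH_MARKERS = ("driverdownload", "program files\\sysceo", "program files (x86)\\sysceo")


def sha256_bytes(data: bytes) -> str:
    """Hex SHA-256 of an in-memory blob (used for constructed test input)."""
    return hashlib.sha256(data).hexdigest()


def sha256_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Hex SHA-256 of a file, read in chunks so large drivers do not load whole."""
    h = hashlib.sha256()
    with Path(path).open("rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def is_known_sample(digest: str) -> bool:
    """True if the digest is one of the IoCs listed in the issue."""
    return digest.strip().lower() in KNOWN_SHA256


def match_digests(digests: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (name, digest) pairs whose digest is a known sample, sorted by name."""
    return sorted((name, d.lower()) for name, d in digests.items() if is_known_sample(d))


def scan_directory(directory: Path, pattern: str = "*.sys") -> List[Tuple[str, str]]:
    """Hash every file matching `pattern` under `directory` and report IoC hits."""
    digests = {str(p): sha256_file(p) for p in Path(directory).rglob(pattern) if p.is_file()}
    return match_digests(digests)


def registry_write_blocked(key_path: str, value_name: str = "") -> bool:
    """Model rule 1: a registry value write is refused when the key path or
    value name contains one of the markers (assumed case-insensitive)."""
    haystack = (key_path + "\\" + value_name).lower()
    return any(marker in haystack for marker in REGISTRY_MARKERS)


def file_delete_blocked(path: str) -> bool:
    """Model rule 2: a file delete is refused when the path contains a marker."""
    normalized = path.replace("/", "\\").lower()
    return any(marker in normalized for marker in PATH_MARKERS)


def offline_cleanup_steps(registry_keys: List[str], file_paths: List[str]) -> List[str]:
    """List the planned removal steps that the driver would block while it is
    loaded, i.e. the ones that have to be carried out from offline/recovery media."""
    blocked = [f"registry: {k}" for k in registry_keys if registry_write_blocked(k)]
    blocked += [f"file: {p}" for p in file_paths if file_delete_blocked(p)]
    return blocked


if __name__ == "__main__":
    # Constructed inputs standing in for what a responder would enumerate.
    keys = [r"HKLM\SYSTEM\CurrentControlSet\Services\dcprotect",
            r"HKLM\SYSTEM\CurrentControlSet\Services\Tcpip"]
    files = [r"C:\Program Files (x86)\SysCeo\dcprotect.sys",
             r"C:\Windows\System32\drivers\tcpip.sys"]
    for step in offline_cleanup_steps(keys, files):
        print("must be done offline:", step)
```

Run `scan_directory(Path(r"C:\Windows\System32\drivers"))` on a suspect host to get IoC hits; the `offline_cleanup_steps` output tells you which service keys and files cannot be touched while the driver is loaded, so those go into the recovery-environment part of the remediation plan.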