Rootkit:W32/Zxshell.B

Classification

Category :

Malware

Type :

Rootkit

Aliases :

Rootkit:W32/Zxshell.B

Summary

Rootkit:W32/Zxshell.B is a kernel-mode driver dropped by Backdoor:W32/Zxshell.A. It functions as a protection mechanism for the backdoor's main payload file, hiding the file and the backdoor's network port from the operating system and from security tools.

Removal

Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.

A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:

  • Check for the latest database updates

    First check if your F-Secure security program is using the latest updates, then try scanning the file again.

  • Submit a sample

    After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.

    Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.

  • Exclude a file from further scanning

    If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.

    Note: You need administrative rights to change the settings.

Technical Details

Rootkit:W32/Zxshell.B tries to protect the main payload DLL file by:

  • Hiding files whose names contain an underscore ("_") by installing hooks on the file system driver
  • Attempting to hide TCP port 443 from the system's network enumeration
  • Checking whether any of the following security products are present:
      • NOD32
      • AVP
      • 360Safe
      • AVG
      • Avast
      • AhnSD
      • McShield
      • IceSword

The driver can easily crash the system when its attempt to hook kernel drivers, for example ntfs.sys and tcpip.sys, fails.
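Because the rootkit works by filtering what the operating system reports rather than by changing what the kernel actually does, a cross-view comparison can expose it: ask the same question through two independent paths and look for disagreement. The script below is an added example and is not F-Secure's code or tooling; it applies that idea to the hidden TCP port. A hook on tcpip.sys can remove port 443 from the enumeration that netstat uses, but it cannot make the kernel accept a second bind on an address that is already in use, so a bind probe gives a second view of the port. The netstat output format, the port list and the decoy listener used for the demonstration are assumptions made for the example (a real investigation would feed in the host's own `netstat -ano` output and probe port 443 with elevated privileges).

```python
import errno
import socket

# Ports a Zxshell.B-infected host is described as concealing (TCP 443);
# extend this list with whatever the investigation cares about.
CANDIDATE_PORTS = [443]


def parse_netstat_listening(text):
    """Return the local TCP ports reported as LISTENING in `netstat -ano`
    output (Windows column layout: Proto, Local Address, Foreign Address,
    State, PID).  This is the "what the OS admits to" view."""
    ports = set()
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 4 and parts[0] == "TCP" and parts[3] == "LISTENING":
            # rsplit copes with both 0.0.0.0:443 and [::]:443
            ports.add(int(parts[1].rsplit(":", 1)[1]))
    return ports


def probe_port_in_use(port, host="127.0.0.1"):
    """Return True if something is already bound to host:port.

    The kernel refuses a second bind on an address that is in use, and a
    rootkit that only filters enumeration results cannot change that, so
    the bind outcome is an independent view of the port.  On Unix-like
    systems binding below port 1024 needs root; that case is reported as
    a PermissionError rather than guessed either way.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        sock.bind((host, port))
        return False
    except OSError as exc:
        if exc.errno == errno.EADDRINUSE:
            return True
        if exc.errno == errno.EACCES:
            raise PermissionError(
                f"bind to port {port} refused; rerun with elevated privileges"
            ) from exc
        raise
    finally:
        sock.close()


def find_hidden_listeners(visible_ports, candidate_ports=CANDIDATE_PORTS,
                          host="127.0.0.1"):
    """Cross-view check: candidate ports that the bind probe says are in
    use but that the OS-reported listing does not mention."""
    visible = set(visible_ports)
    return sorted(p for p in candidate_ports
                  if p not in visible and probe_port_in_use(p, host))


def start_decoy_listener(host="127.0.0.1"):
    """Open a listening socket on an ephemeral port to stand in for the
    backdoor's hidden listener during a demonstration; returns (socket, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    # Constructed demonstration: the decoy listener plays the hidden port and
    # a netstat sample that omits it plays the output of the hooked enumeration.
    srv, port = start_decoy_listener()
    try:
        netstat_sample = (
            "  TCP    0.0.0.0:135    0.0.0.0:0    LISTENING    1234\n"
            "  TCP    [::]:445       [::]:0       LISTENING    4\n"
        )
        visible = parse_netstat_listening(netstat_sample)
        print("hidden listeners:",
              find_hidden_listeners(visible, candidate_ports=[port]))
    finally:
        srv.close()
```

The same principle applies to the hidden files: a tool that reads the volume below the hooked file system driver (the approach IceSword and similar cross-view tools take) will list entries containing an underscore that the hooked directory enumeration omits, and the mismatch itself is the indicator. The file-system side is not implemented here because it needs raw volume access that a portable user-mode script cannot provide.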