A Weekend Of RootKits: Figaro.sys Rootkit

Posted by malwarekilla
August 23, 2008

If you're new here, you may want to subscribe to my RSS feed. Thanks for visiting!

I took a few appointments this weekend and witnessed the same infection over and over again...Figaro.sys. The Figaro.sys rootkit is dropped in c:\windows\system32\drivers (on vista) and on XP i've seen it in the DLLCACHE folder.

I don't know exactly what it does but I can give you the symptoms:

  1. Random reboots
  2. Virtumonde drops
  3. Very slow logins

I removed Figaro.sys with Killbox (quick and dirty removal utility).  Combofix was run, however it DID NOT detect this rootkit.  I should mention that detection was made possible via KAV 7.

Malware Warnings, rootkits, , , ,

Did you enjoy this post? Why not leave a comment below and continue the conversation, or subscribe to my feed and get articles like this delivered automatically to your feed reader.

Comments

WOW
last day i had a rotkit but not like yours
but my pc olso robot every 5-10 mints
i kill hem with AVIRA antiVir AVIRA have a manual scan for rotkits ..
he find hem and kild hem ^^

Comment by Bar on August 24, 2008 @ 6:20 pm

Yup, Avira does a great job at killing rootkits.

Comment by malwarekilla on August 26, 2008 @ 1:25 am
Leave a comment

(required)

(required)