Troj/NtRootK-I is a kernel driver rootkit.
When first run Troj/NtRootK-I copies itself to <System>\RtKit\rtkit.exe and creates the following files:
<System>\RtKit\globalc.dll - detected as Troj/NtRootK-I
<System>\RtKit\npf.sys - generic packet filter driver
<System>\RtKit\rtkit.log - this file is not malicious and can be deleted
Troj/NtRootK-I sets the following registry entries to run npf.sys at startup:
HKLM\SYSTEM\CurrentControlSet\Services\NPF
HKLM\SOFTWARE\rtkit\
Once installed, Troj/NtRootK-I opens a backdoor on TCP port 445 to await instructions from a remote attacker.
Troj/NtRootK-I then proceeds to stealth itself by hiding the folder RtKit from the Windows Explorer.
Troj/NtRootK-I includes functionality to:
- steal confidential information and log keystrokes
- carry out DDoS flooder attacks
- silently download software
- hide registry entries
- hide folders
- list, hide and terminate processes
- open a remote command shell