Description
Win32.Efewe.H is a detection of the open-source rootkit FU.
A rootkit is an application that allows an intruder to hide malicious activity on a previously compromised machine. Using a rootkit, an attacker can hide processes, files, registry keys and communication channels.
Win32.Efewe.H hides the attacker's actions by changing data structures in the kernel: FU unlinks the process it is hiding from the kernel's list of active processes (Direct Kernel Object Manipulation, or DKOM), so the process keeps running but no longer appears in normal process enumeration. This rootkit only functions on Windows NT-based operating systems (i.e. NT/2000/XP/2003).
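The following is an added illustration of the hiding technique described above and of the cross-view check that catches it. It is not FU's own code and not a Windows driver: it is a user-mode C model of the kernel structures involved, with field and routine names chosen to mirror Windows (EPROCESS, ActiveProcessLinks, PsActiveProcessHead). The PID table standing in for the kernel's PspCidTable, the 64-entry PID space and the four sample processes are constructed for the example. It shows that after the unlink, walking the process list (what Task Manager ultimately relies on) misses the process, while probing every PID (what OpenProcess-by-PID brute force does) still finds it, and the difference between the two views is the hidden process.

```c
/* Added example: a user-mode model of FU-style DKOM process hiding and of
 * cross-view detection. Not kernel code; the structures are stand-ins. */
#include <stdio.h>
#include <stddef.h>
#include <string.h>

typedef struct _LIST_ENTRY {
    struct _LIST_ENTRY *Flink;
    struct _LIST_ENTRY *Blink;
} LIST_ENTRY;

/* Minimal stand-in for the kernel EPROCESS: only the fields the example needs. */
typedef struct _EPROCESS {
    unsigned long UniqueProcessId;
    LIST_ENTRY ActiveProcessLinks;   /* the list process enumeration walks */
    char ImageFileName[16];
} EPROCESS;

#define CONTAINING_RECORD(addr, type, field) \
    ((type *)((char *)(addr) - offsetof(type, field)))

#define MAX_PID 64                          /* constructed: tiny PID space for the demo */

static LIST_ENTRY g_PsActiveProcessHead;    /* view 1: the linked list */
static EPROCESS *g_pid_table[MAX_PID];      /* view 2: PID-indexed table (stand-in for PspCidTable) */
static EPROCESS g_procs[4];                 /* constructed sample processes */

static void InitializeListHead(LIST_ENTRY *head) { head->Flink = head->Blink = head; }

static void InsertTailList(LIST_ENTRY *head, LIST_ENTRY *entry)
{
    entry->Flink = head;
    entry->Blink = head->Blink;
    head->Blink->Flink = entry;
    head->Blink = entry;
}

/* Build both views from the same four constructed processes (PIDs are multiples of 4, as on Windows). */
void setup_demo(void)
{
    static const struct { unsigned long pid; const char *name; } procs[4] = {
        { 4, "System" }, { 8, "smss.exe" }, { 12, "fu.exe" }, { 16, "hidden.exe" }
    };
    InitializeListHead(&g_PsActiveProcessHead);
    memset(g_pid_table, 0, sizeof g_pid_table);
    for (int i = 0; i < 4; i++) {
        g_procs[i].UniqueProcessId = procs[i].pid;
        strncpy(g_procs[i].ImageFileName, procs[i].name, sizeof g_procs[i].ImageFileName - 1);
        g_procs[i].ImageFileName[sizeof g_procs[i].ImageFileName - 1] = '\0';
        InsertTailList(&g_PsActiveProcessHead, &g_procs[i].ActiveProcessLinks);
        g_pid_table[procs[i].pid] = &g_procs[i];
    }
}

/* The DKOM hiding primitive: splice the process out of ActiveProcessLinks.
 * Its neighbours now point past it; its own links point at itself so that a
 * later unlink on exit does not corrupt the list. Nothing else changes, so the
 * process (really its threads) keeps running and stays reachable by PID. */
void dkom_hide_process(EPROCESS *p)
{
    LIST_ENTRY *e = &p->ActiveProcessLinks;
    e->Blink->Flink = e->Flink;
    e->Flink->Blink = e->Blink;
    e->Flink = e->Blink = e;
}

/* View 1: walk the list, as the system's process enumeration does. */
int enumerate_via_list(unsigned long *out, int max)
{
    int n = 0;
    for (LIST_ENTRY *e = g_PsActiveProcessHead.Flink;
         e != &g_PsActiveProcessHead && n < max; e = e->Flink)
        out[n++] = CONTAINING_RECORD(e, EPROCESS, ActiveProcessLinks)->UniqueProcessId;
    return n;
}

/* View 2: probe every possible PID, as an OpenProcess brute force would. */
int enumerate_via_pid_table(unsigned long *out, int max)
{
    int n = 0;
    for (unsigned long pid = 0; pid < MAX_PID && n < max; pid++)
        if (g_pid_table[pid]) out[n++] = pid;
    return n;
}

/* Cross-view diff: anything reachable by PID but absent from the list is hidden. */
int find_hidden(unsigned long *hidden, int max)
{
    unsigned long listed[MAX_PID], probed[MAX_PID];
    int nl = enumerate_via_list(listed, MAX_PID);
    int np = enumerate_via_pid_table(probed, MAX_PID);
    int nh = 0;
    for (int i = 0; i < np && nh < max; i++) {
        int seen = 0;
        for (int j = 0; j < nl; j++)
            if (listed[j] == probed[i]) { seen = 1; break; }
        if (!seen) hidden[nh++] = probed[i];
    }
    return nh;
}

int main(void)
{
    unsigned long hidden[MAX_PID];
    setup_demo();
    printf("before hiding: %d hidden process(es)\n", find_hidden(hidden, MAX_PID));
    dkom_hide_process(&g_procs[3]);
    int n = find_hidden(hidden, MAX_PID);
    for (int i = 0; i < n; i++)
        printf("hidden PID %lu (%s)\n", hidden[i], g_pid_table[hidden[i]]->ImageFileName);
    return 0;
}
```

On a real system the second view is obtained by calling OpenProcess on every PID in the 4..65532 range (step 4) and comparing against a CreateToolhelp32Snapshot or EnumProcesses listing; FU's unlink defeats the listing but not the per-PID lookup, which is why this class of check was effective against it. A rootkit that also tampers with the PID table, or that hooks the lookup path, needs a different second view.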
Computer Associates have received reports from the wild of this rootkit's driver being used by other malware to hide their own processes. Examples of such malware include:
Users should note that this detection most likely indicates further system compromise. Should this detection continue to be triggered even after the offending file is removed (in other words, the file keeps re-appearing), please contact technical support for additional guidance.
Note: Computer Associates have received reports of Win32.Efewe.H being dropped onto systems by Win32.Petribot variants. Please see the relevant entries elsewhere in our encyclopedia for further information on these worms.