Virus Detail

Win32/Tesllar.P

Date Published:
28 Jul 2008

Last Updated:
28 Jul 2008

Threat Assessment

Overall Risk:   Low
Wild:  Low
Destructiveness:  Medium
Pervasiveness:  None

Characteristics

Type : Trojan

Category : Win32

Also known as:  Rootkit.Win32.Agent.aol (Kaspersky), TROJ_AGENT.ARMZ (Trend), Trojan.Garntet (Symantec), VirTool:WinNT/Mader.E (MS OneCare), Troj/NtRootK-DQ (Sophos)

Immediate Protection Info

Signature    Product                    Removal Instructions
31.6.5924    CA Antivirus 2007
31.6.5924    eTrust Antivirus v7/8*
7.x/5924     eTrust EZ Antivirus 7.x
31.6.5924    Vet 7

Description

Win32/Tesllar.P is a trojan that uses a malicious kernel-mode device driver to hide its presence on a compromised machine. The driver does not install itself; it depends on a separate executable (a dropper) to install it and to issue its instructions.

Tesllar.P implements a rootkit technique by overwriting entries in the System Service Descriptor Table (SSDT), redirecting the following native system services to its own routines:

NtClose/ZwClose
NtCreateKey/ZwCreateKey
NtDeleteKey/ZwDeleteKey
NtDeleteValueKey/ZwDeleteValueKey
NtLoadKey/ZwLoadKey
NtOpenKey/ZwOpenKey
NtQueryValueKey/ZwQueryValueKey
NtReplaceKey/ZwReplaceKey
NtRestoreKey/ZwRestoreKey
NtSetValueKey/ZwSetValueKey

Because every registry open, query, set, delete and restore request from user mode passes through these services, the driver can see attempts to remove or alter its registry entries and re-create them, so the trojan restores itself and its related registry modifications if a user or security tool attempts to delete it.
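The mechanism described above, as an added illustration that is not code from the CA advisory or from the malware: a user-mode C simulation in which the SSDT is a plain array of function pointers, the registry is a handful of string slots, and a hook on the NtDeleteKey entry lets a delete succeed and then re-creates the key. It also shows the check a rootkit scanner performs against this technique: comparing the live table with a clean copy (in a real scanner, the addresses resolved from ntoskrnl.exe on disk and rebased to the loaded image). The protected key path is hypothetical, the toy registry is constructed data, and only one of the ten hooked services is modelled; the others would be hooked the same way, by overwriting their table slots.

```c
/* User-mode simulation of an SSDT hook and of the "diff the live table against
 * a clean copy" detection. Added example, not CA's or the malware's code. */
#include <stdio.h>
#include <string.h>

typedef long NTSTATUS;
#define STATUS_SUCCESS                0L
#define STATUS_OBJECT_NAME_NOT_FOUND  0xC0000034L
#define STATUS_INSUFFICIENT_RESOURCES 0xC000009AL

/* Every simulated service takes a key path; the real Nt* signatures differ. */
typedef NTSTATUS (*SERVICE_FN)(const char *key_path);

/* Tiny in-memory "registry": a fixed set of key slots (constructed data). */
#define MAX_KEYS 8
static char g_keys[MAX_KEYS][128];

static int key_exists(const char *key_path)
{
    for (int i = 0; i < MAX_KEYS; i++)
        if (g_keys[i][0] != '\0' && strcmp(g_keys[i], key_path) == 0)
            return 1;
    return 0;
}

/* Stand-ins for ntoskrnl's real NtCreateKey / NtDeleteKey. */
static NTSTATUS kernel_NtCreateKey(const char *key_path)
{
    for (int i = 0; i < MAX_KEYS; i++)
        if (g_keys[i][0] == '\0') {
            snprintf(g_keys[i], sizeof g_keys[i], "%s", key_path);
            return STATUS_SUCCESS;
        }
    return STATUS_INSUFFICIENT_RESOURCES;
}

static NTSTATUS kernel_NtDeleteKey(const char *key_path)
{
    for (int i = 0; i < MAX_KEYS; i++)
        if (g_keys[i][0] != '\0' && strcmp(g_keys[i], key_path) == 0) {
            g_keys[i][0] = '\0';
            return STATUS_SUCCESS;
        }
    return STATUS_OBJECT_NAME_NOT_FOUND;
}

/* Simulated SSDT: service index -> routine, as KeServiceDescriptorTable maps a
 * system call number to a routine inside ntoskrnl. g_clean_ssdt plays the role
 * of the table rebuilt from the on-disk kernel image. */
enum { SVC_NtCreateKey, SVC_NtDeleteKey, SVC_COUNT };
static const char *g_service_names[SVC_COUNT] = { "NtCreateKey", "NtDeleteKey" };
static SERVICE_FN g_ssdt[SVC_COUNT];
static SERVICE_FN g_clean_ssdt[SVC_COUNT];

static void init_tables(void)
{
    memset(g_keys, 0, sizeof g_keys);
    g_clean_ssdt[SVC_NtCreateKey] = kernel_NtCreateKey;
    g_clean_ssdt[SVC_NtDeleteKey] = kernel_NtDeleteKey;
    memcpy(g_ssdt, g_clean_ssdt, sizeof g_ssdt);
}

/* Rootkit side. The protected key path is hypothetical. The hook lets the
 * delete go through, then re-creates the key: the caller sees STATUS_SUCCESS
 * while the key is already back. */
static const char *g_protected_key =
    "\\Registry\\Machine\\SYSTEM\\CurrentControlSet\\Services\\hypothetical_rootkit";
static SERVICE_FN g_orig_NtDeleteKey;

static NTSTATUS hook_NtDeleteKey(const char *key_path)
{
    NTSTATUS st = g_orig_NtDeleteKey(key_path);
    if (st == STATUS_SUCCESS &&
        strncmp(key_path, g_protected_key, strlen(g_protected_key)) == 0)
        g_ssdt[SVC_NtCreateKey](key_path);   /* restore via the unhooked create entry */
    return st;
}

static void install_hook(void)
{
    g_orig_NtDeleteKey = g_ssdt[SVC_NtDeleteKey];
    g_ssdt[SVC_NtDeleteKey] = hook_NtDeleteKey;   /* the SSDT overwrite itself */
}

/* Detection: any live entry that differs from the clean copy is hooked.
 * Returns the number of hooked entries and names them. */
static int detect_ssdt_hooks(void)
{
    int hooked = 0;
    for (int i = 0; i < SVC_COUNT; i++)
        if (g_ssdt[i] != g_clean_ssdt[i]) {
            printf("SSDT[%d] %s is hooked\n", i, g_service_names[i]);
            hooked++;
        }
    return hooked;
}

int main(void)
{
    init_tables();
    g_ssdt[SVC_NtCreateKey](g_protected_key);   /* dropper creates its key */
    install_hook();                             /* driver hooks NtDeleteKey */
    g_ssdt[SVC_NtDeleteKey](g_protected_key);   /* removal attempt */
    printf("key survives deletion: %s\n", key_exists(g_protected_key) ? "yes" : "no");
    printf("hooked entries: %d\n", detect_ssdt_hooks());
    return 0;
}
```

The clean-copy comparison is the reason on-disk signatures alone are a weak answer to this family: once the driver is loaded, every registry call the scanner makes is itself routed through the hooked entries, so the scanner must obtain its reference table from somewhere the hook cannot reach (the kernel image on disk, or memory read before the driver loads).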

Analysis by Methusela Ferrer
