detecting a rootkit using _root_regedit.exe

Discussion in 'malware problems & news' started by iceni60, Nov 25, 2004.

Thread Status:
Not open for further replies.
  1. iceni60

    iceni60 ( ^o^)

    Joined:
    Jun 29, 2004
    Posts:
    5,116
    i was reading this, half way down the page to the task manager picture, and it says...

    A rootkit, however, cannot affect processes that have _root_ in their names. In other words, when a system administrator is analyzing the system log using Regedit.exe, he cannot see hidden entries, but just by changing its name to _root_regedit.exe, it will be enough for him to see all of them as well as hidden keys and registry entries. This is true for all programs.

    is it really that easy to find a rootkit?
     
  2. nick s

    nick s Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    1,430
    Hi iceni60,

    I believe that the "_root_" wildcard only works with the "NT Rootkit", which has not been updated in a few years.

    Nick
     
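The renaming trick quoted in the first post is a cross-view check: enumerate the same registry subtree once through a normally named tool and once through a copy whose file name carries the _root_ prefix, then diff the two key sets. Nick's reply limits it to the old NT Rootkit, so this is a historical demonstration, not a general detection. The script below is an added example, not code from the thread or from any article it cites. The comparison logic runs anywhere; the Windows part assumes regedit.exe's real /e export switch, a temp directory for the renamed copy, and an administrative session, and the sample exports used for the offline check are constructed.

```python
"""Cross-view registry comparison illustrating the _root_ prefix trick.

Defender's view: keys that appear only in the _root_-named tool's export
are candidates for entries the (NT) rootkit was hiding from normal tools.
Added example; the Windows procedure in main() is an assumption about the
environment and is only exercised on Windows.
"""
import os
import shutil
import subprocess
import tempfile

# Constructed sample exports, in the text form regedit /e produces.
NORMAL_SAMPLE = (
    "Windows Registry Editor Version 5.00\n\n"
    "[HKEY_LOCAL_MACHINE\\SOFTWARE\\Example]\n"
    "\"Updater\"=\"C:\\\\Program Files\\\\Example\\\\update.exe\"\n"
)
ROOT_SAMPLE = NORMAL_SAMPLE + (
    "\n[HKEY_LOCAL_MACHINE\\SOFTWARE\\Example\\_root_hidden]\n"
    "\"Loader\"=\"C:\\\\Windows\\\\_root_svc.exe\"\n"
)


def parse_reg_export(text: str) -> set[str]:
    """Return the set of key paths in a regedit /e export.

    Key lines look like [HKEY_LOCAL_MACHINE\\...]; a leading '-' inside the
    brackets marks a deletion entry in .reg syntax and is stripped.
    """
    keys = set()
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            keys.add(line[1:-1].lstrip("-"))
    return keys


def cross_view_diff(normal_view: str, root_view: str) -> dict[str, set[str]]:
    """Diff two exports of the same subtree taken through differently named tools."""
    normal = parse_reg_export(normal_view)
    root = parse_reg_export(root_view)
    return {
        "hidden_from_normal": root - normal,  # visible only to the _root_ copy
        "only_in_normal": normal - root,      # unexpected; worth a second look
    }


def export_subtree(exe: str, subtree: str) -> str:
    """Run `exe /e <file> <subtree>` and return the export text.

    regedit writes UTF-16LE with a BOM; the "utf-16" codec consumes the BOM.
    """
    fd, path = tempfile.mkstemp(suffix=".reg")
    os.close(fd)
    try:
        subprocess.run([exe, "/e", path, subtree], check=True)
        with open(path, encoding="utf-16") as fh:
            return fh.read()
    finally:
        os.remove(path)


def main() -> None:
    if os.name != "nt":
        print("Windows-only procedure; showing the offline comparison instead.")
        print(cross_view_diff(NORMAL_SAMPLE, ROOT_SAMPLE))
        return
    # Assumed: an administrative session and a writable temp directory.
    subtree = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
    regedit = os.path.join(os.environ["SystemRoot"], "regedit.exe")
    workdir = tempfile.mkdtemp()
    root_copy = os.path.join(workdir, "_root_regedit.exe")
    shutil.copy2(regedit, root_copy)
    try:
        result = cross_view_diff(
            export_subtree(regedit, subtree), export_subtree(root_copy, subtree)
        )
    finally:
        shutil.rmtree(workdir, ignore_errors=True)
    for key in sorted(result["hidden_from_normal"]):
        print("hidden from normal view:", key)
    if not result["hidden_from_normal"]:
        print("no difference between views (expected on anything but the NT Rootkit)")


if __name__ == "__main__":
    main()
```

The offline run prints the one constructed key that only the _root_ view contains. On a real system the two exports should be identical; any difference between them is what the quoted article was pointing at, and per Nick's reply it would only be expected against the original NT Rootkit.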
  3. iceni60

    iceni60 ( ^o^)

    Joined:
    Jun 29, 2004
    Posts:
    5,116
    thanks, Nick. that makes a lot of sense. i should have known from what had been said before that it was an early rootkit. thanks
     