Removal of NIC-Hijacking Malware Leads to Network Connection Problems

Status
Not open for further replies.

Jack

Jan 24, 2011
Researchers from Vietnamese security vendor Bkis warn that removal of a trojan which intercepts network traffic can leave the computer isolated from the network and Internet.

The reason for this lies in the trojan's routine, which involves creating virtual network adapters using the names of existing ones and adding the "-" character at the end.

Bkis detects this threat as W32.Ndisvan.Trojan and says its purpose is to filter data passing through network controllers, download additional malware and evade antivirus detection.

The rogue network adapters created by the trojan use a driver called "ndisvvan.sys," which tries to pose as the Windows NDISWAN Miniport Driver, ndiswan.sys.

Bkis senior malware researcher Nguyen Cong Cuong notes that by removing the rogue ndisvvan.sys, the network filter driver chain is broken and data can no longer reach the real network adapter.

Because of this, the computer will appear to have no network connection, and attempting a normal local area connection repair will not resolve the problem.



"Thus, in this case, when removing virus from the system, in addition to deleting virus files and virus keys, an AV needs to 're-connect' the 'broken' chains in the network filter driver link list," the Bkis researcher explains.

"However, in fact, most of AVs fail to do this, which results in the mentioned phenomenon," he adds, providing a download link to a custom tool he created to fix the issue.
More details - link
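
The two indicators described above (an adapter named after an existing one with "-" appended, and a driver file name that imitates ndiswan.sys) can be checked against an adapter inventory. This is an added example, not part of the original post or Bkis's tool; the inventory format, the sample entries and the function names are assumptions, and only ndiswan.sys and ndisvvan.sys come from the article.

```python
# Added example: flags adapters that match the two indicators in the article.
# The inventory below is constructed sample data, not output from a real host.

KNOWN_DRIVERS = {"ndiswan.sys"}  # legitimate name from the article; extend from your baseline


def edit_distance(a, b):
    """Levenshtein distance computed with a rolling DP row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def find_suspect_adapters(adapters, known_drivers=KNOWN_DRIVERS, max_dist=2):
    """Return (adapter name, reasons) for entries matching either indicator."""
    names = {a["name"] for a in adapters}
    findings = []
    for a in adapters:
        name, driver = a["name"], a["driver"].lower()
        reasons = []
        # Indicator 1: same name as another adapter plus a trailing "-".
        if name.endswith("-") and name[:-1] in names:
            reasons.append(f"name shadows adapter '{name[:-1]}'")
        # Indicator 2: driver file name is a near miss of a known driver.
        for good in sorted(known_drivers):
            if driver != good and edit_distance(driver, good) <= max_dist:
                reasons.append(f"driver '{driver}' resembles '{good}'")
        if reasons:
            findings.append((name, reasons))
    return findings


SAMPLE = [  # constructed inventory; adapter and driver names other than ndis*.sys are hypothetical
    {"name": "Local Area Connection", "driver": "e1000.sys"},
    {"name": "Local Area Connection-", "driver": "ndisvvan.sys"},
    {"name": "WAN Miniport (IP)", "driver": "ndiswan.sys"},
    {"name": "Wireless Network Connection", "driver": "netw5x32.sys"},
]

if __name__ == "__main__":
    for name, reasons in find_suspect_adapters(SAMPLE):
        print(name, "->", "; ".join(reasons))
```

A hit is a triage lead rather than a removal instruction: as the article notes, deleting the rogue driver without repairing the filter driver chain leaves the host without connectivity.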
 