- Jan 24, 2011
- 9,378
Researchers from Vietnamese security vendor Bkis warn that removal of a trojan which intercepts network traffic can leave the computer isolated from the network and Internet.
The reason for this lies in the trojan's routine, which involves creating virtual network adapters using the names of existent ones and adding the "-" character at the end.
Bkis detects this threat W32.Ndisvan.Trojan and says its purpose is to filter data passing through network controllers, download additional malware and evade antivirus detection.
The rogue network adapters created by the trojans use a driver called "ndisvvan.sys," which tries to pose as the Windows NDISWAN Miniport Driver, ndiswan.sys.
Bkis senior malware researcher Nguyen Cong Cuong notes that by removing the rogue ndisvvan.sys, the network filter driver chain is broken and data can no longer reach the real network adapter.
Because of this the computer will appear to have no network connection and attempting a normal local area connection repair will not resolve the problem.
"Thus, in this case, when removing virus from the system, in addition to deleting virus files and virus keys, an AV needs to 're-connect' the 'broken' chains in the network filter driver link list," the Bkis researcher explains.
"However, in fact, most of AVs fail to do this, which results in the mentioned phenomenon," he adds, providing a download link to a custom tool he created to fix the issue.
'
More details - link
The reason for this lies in the trojan's routine, which involves creating virtual network adapters using the names of existent ones and adding the "-" character at the end.
Bkis detects this threat W32.Ndisvan.Trojan and says its purpose is to filter data passing through network controllers, download additional malware and evade antivirus detection.
The rogue network adapters created by the trojans use a driver called "ndisvvan.sys," which tries to pose as the Windows NDISWAN Miniport Driver, ndiswan.sys.
Bkis senior malware researcher Nguyen Cong Cuong notes that by removing the rogue ndisvvan.sys, the network filter driver chain is broken and data can no longer reach the real network adapter.
Because of this the computer will appear to have no network connection and attempting a normal local area connection repair will not resolve the problem.
"Thus, in this case, when removing virus from the system, in addition to deleting virus files and virus keys, an AV needs to 're-connect' the 'broken' chains in the network filter driver link list," the Bkis researcher explains.
"However, in fact, most of AVs fail to do this, which results in the mentioned phenomenon," he adds, providing a download link to a custom tool he created to fix the issue.
'
More details - link