KVBOOT.SYS – Trojan Artemis removal

KVBOOT.SYS size: 2816 bytes
KVBOOT.SYS hash: 77C806FFEF43A59B92CB8EC8279B7BEE

Created files:

%WinDir%\inf\atm.ldb
%WinDir%\inf\atm.PNF
%SysDir%\drivers\Kvboot.sys
%SysDir%\drivers\TdiFilter.sys
%SysDir%\drivers\xArpProto.sys
%SysDir%\LDAPSVC.dll

Autostart registry keys:

HKLM\System\CurrentControlSet\Services\KVBOOT\Type: 01000000
HKLM\System\CurrentControlSet\Services\KVBOOT\DisplayName: KVBOOT
HKLM\System\CurrentControlSet\Services\KVBOOT\ImagePath: System32\DRIVERS\Kvboot.sys
HKLM\System\CurrentControlSet\Services\KVBOOT\Group: Boot Bus Extender
HKLM\System\CurrentControlSet\Services\LDAPSVC\Type: 20000000
HKLM\System\CurrentControlSet\Services\LDAPSVC\Start: 02000000
HKLM\System\CurrentControlSet\Services\LDAPSVC\DisplayName: LDAP Service
HKLM\System\CurrentControlSet\Services\LDAPSVC\ImagePath: %SystemRoot%\System32\svchost.exe -k LDAPSVC
HKLM\System\CurrentControlSet\Services\LDAPSVC\Parameters\ServiceDll: 2500530079007300740065006D0052006F006F00740025005C00730079007300740065006D00330032005C004C004400410050005300560043002E0064006C006C000000
HKLM\System\CurrentControlSet\Services\TdiFilter\Start: 03000000
HKLM\System\CurrentControlSet\Services\TdiFilter\Type: 01000000
HKLM\System\CurrentControlSet\Services\TdiFilter\ImagePath: 730079007300740065006D00330032005C0064007200690076006500720073005C00540064006900460069006C007400650072002E007300790073000000

Detected by UnHackMe:

KVBOOT.SYS
Default location: %SYSDIR%\DRIVERS\KVBOOT.SYS

Dropper information:
MD5: 33a4fed818d37a01f2ee4de4a0c0f0a5
File size: 48640 bytes