Rootkit trj/CI.A

I am finishing up on this Dell Inspiron Mini 10 that came in for virus remediation.  The owner didn’t call HARD DRIVE to remove the viruses, they called to find out what we would charge to capture data and photographs.  They knew that the infection was so bad that it was unlikely to be repaired.  When intrusion becomes this bad, even if we are able to remediate the problem, often we find the operating system has been compromised, many times, beyond repair.

To date I have found 1133 viruses in this one computer.                                                  Computer Symptoms:                                                                                                           1) Slow to start                                                                                                                      2) Extremely sluggish to move around to different screens                                               3) No Icons in the start window                                                                                             4) no Icons in the All Programs window

In other word this computer has been rendered unusable, a) because it is painfully slow and b) because it is unnavigable.

The primary reason for this article is that during remediation I found a particularly nasty Rootkit, trj/CI.A.  It is likely that this one intrusion is responsible for all the other infections.  The CIA Rootkit is known by many different names:

[Kaspersky] Backdoor.Ciadoor.10.b, Backdoor.Ciadoor.11.a, Backdoor.Ciadoor.11.c, Backdoor.Ciadoor.11.b, Backdoor.Ciadoor.10.a, Backdoor.Ciadoor.121, Backdoor.Win32.Ciadoor.102, Backdoor.Win32.Ciadoor.12.a, Backdoor.Win32.Ciadoor.121, Backdoor.Win32.Ciadoor.a, Backdoor.Win32.Ciadoor.logger
[Eset] Win32/Ciadoor.11.A trojan, Win32/Ciadoor.11.C trojan, Win32/Ciadoor.121.Logger trojan
[McAfee] BackDoor-ASB
[F-Prot] security risk or a “backdoor” program, security risk named W32/CYAdoor.A
[Panda] Backdoor Program, Bck/Ciadoor, Backdoor Program.LC, Bck/Ciadoor.10, Bck/Ciadoor.B, Bck/Ciadoor.H, Constructor/Ciadoor.A, Trojan Horse

CIA virus is categorized as:


A trojan is a program that is disguised as legitimate software but is designed to carry out some harmful actions on the infected computer.

Unlike viruses and worms, trojans don’t replicate but they can be just as destructive.

These days trojans are very common. Trojans are divided into a number different categories based on their function or type of damage.


Spyware is designed to gather data from a computer and transfer it to a third party without the consent or knowledge of the computer’s owner. This includes collecting confidential information (passwords, credit card numbers, PIN numbers, etc.), monitoring key strokes, gathering e-mail addresses, or tracking surfing habits. Such resource-consuming activities slow down the system and generally impact the computer’s performance.

“Spyware” is an umbrella term for a diverse group of malware-related programs, rather than a clear-cut category. Most spyware definitions apply not only to adware, pornware and ‘riskware’ programs, but to many trojans as well.


Of all trojans, backdoor trojans pose the greatest danger to users’ PCs because they give their authors remote control over infected computers. They are downloaded, installed, and run silently, without the user’s consent or knowledge. Upon installation, backdoor trojans can be instructed to send, receive, execute and delete files, gather and transfer confidential data from the computer, log all activity on the computer, and perform other harmful activities.


Remote Access Tool. A program that enables a hacker to remotely access and control other people’s computers. A RAT can serve a variety of malicious purposes, including hijacking and transferring private information, downloading files, running programs, and tampering with system settings.

Hacker Tool

Hacker tools are utilities designed to help hackers gain control of remote computers in order to use them as zombies (in DoS attacks, for example), download other malicious programs into those computers, or use them for other malicious purposes.

How Did My PC Get Infected with CIA?

The following are the most likely reasons why your computer got infected with CIA:

  • Your operating system and Web browser’s security settings are too lax.
  • You are not following safe Internet surfing and PC practices.


Small-charge or free software applications may come bundled with spyware, adware, or programs like CIA. Sometimes adware is attached to free software to enable the developers to cover the overhead involved in created the software. Spyware frequently piggybacks on free software into your computer to damage it and steal valuable private information.

Using Peer-to-Peer Software

The use of peer-to-peer (P2P) programs or other applications using a shared network exposes your system to the risk of unwittingly downloading infected files, including malicious programs like CIA.

Visiting Questionable Web Sites

When you visit sites with dubious or objectionable content, trojans-including CIA-, spyware, and adware, may well be automatically downloaded and installed onto your computer.

Detecting CIA

The following symptoms signal that your computer is very likely to be infected with CIA.

PC is working very slowly
CIA can seriously slow down your computer. If your PC takes a lot longer than normal to restart or your Internet connection is extremely slow, your computer may well be infected with CIA.

New desktop shortcuts have appeared or the home page has changed
CIA can tamper with your Internet settings or redirect your default home page to unwanted web sites. CIA may even add new shortcuts to your PC desktop.

Annoying popups keep appearing on your PC
CIA may swamp your computer with pestering popup ads, even when you’re not connected to the Internet, while secretly tracking your browsing habits and gathering your personal information.

E-mails that you didn’t write are being sent from your mailbox
CIA may gain complete control of your mailbox to generate and send e-mail with virus attachments, e-mail hoaxes, spam, and other types of unsolicited e-mail to other people.

I hope that this article will shed some light on the importance of thinking twice before acting when downloading and web surfing.  Remember that Rootkits are by nature undetectable that is their primary function.  By themselves they are not a virus but a carrier and generally speaking they are also not a large program.  The trj/CI.A is reported to be only 10,240 bytes and it did all this damage to this Del Mini.


Leave a Reply

Your email address will not be published. Required fields are marked *