
Gmer 1.0.14


SystemJunkie
January 2nd, 2008, 04:06 AM
Nice new features (Registry, File Viewer) in the new Version and new messages:
---- User code sections - GMER 1.0.14 ----
? C:\WINDOWS\Gmer.exe[744] C:\WINDOWS\system32\ntdll.dll PE header mismatch;
? C:\WINDOWS\Gmer.exe[744] C:\WINDOWS\system32\GDI32.dll PE header mismatch;
? C:\Programme\COMODO\Firewall\cmdagent.exe[1164] C:\WINDOWS\system32\ntdll.dll PE header mismatch;
? C:\Programme\COMODO\Firewall\cmdagent.exe[1164] C:\WINDOWS\system32\GDI32.dll PE header mismatch;
? C:\WINDOWS\Explorer.EXE[1624] C:\WINDOWS\system32\ntdll.dll PE header mismatch;
? C:\WINDOWS\Explorer.EXE[1624] C:\WINDOWS\system32\GDI32.dll PE header mismatch;
? C:\WINDOWS\regedit.exe[1680] C:\WINDOWS\system32\ntdll.dll PE header mismatch;
? C:\WINDOWS\regedit.exe[1680] C:\WINDOWS\system32\GDI32.dll PE header mismatch;

? C:\WINDOWS\Gmer.exe[744] C:\WINDOWS\system32\ole32.dll PE header mismatch; unknown module: msvcrt.dll
? C:\Programme\COMODO\Firewall\cmdagent.exe[1164] C:\WINDOWS\system32\ole32.dll PE header mismatch; unknown module: msvcrt.dll
? C:\WINDOWS\Explorer.EXE[1624] C:\WINDOWS\system32\ole32.dll PE header mismatch; unknown module: msvcrt.dll
? C:\WINDOWS\regedit.exe[1680] C:\WINDOWS\system32\ole32.dll PE header mismatch; unknown module: msvcrt.dll
? C:\WINDOWS\Gmer.exe[744] C:\WINDOWS\system32\USER32.DLL PE header mismatch; unknown module: MSIMG32.dllunknown module: POWRPROF.dllunknown module: WINSTA.dll
? C:\Programme\COMODO\Firewall\cmdagent.exe[1164] C:\WINDOWS\system32\USER32.dll PE header mismatch; unknown module: MSIMG32.dllunknown module: POWRPROF.dllunknown module: WINSTA.dll
? C:\WINDOWS\Explorer.EXE[1624] C:\WINDOWS\system32\USER32.dll PE header mismatch; unknown module: MSIMG32.dllunknown module: POWRPROF.dllunknown module: WINSTA.dll
? C:\WINDOWS\regedit.exe[1680] C:\WINDOWS\system32\USER32.dll PE header mismatch; unknown module: MSIMG32.dllunknown module: POWRPROF.dllunknown module: WINSTA.dll

Looks like detection ability for polymorphic viruses, isn't it? Google found not much related to PE header mismatch, only one doc about the polymorphic Parvo.A virus from 1999.

Probably these messages are nothing unusual (maybe originated in some security apps), but I guess this PE header stuff is also a tactic of old polymorphic viruses. Besides, this old method already fooled behavior blockers 10 years ago... I always said it is a very old story; this rootkit stuff is nothing modern, it looks like it has a long stealthy history based on old specialized stealth viruses.

Tarq57
January 2nd, 2008, 06:26 AM
Is this a Beta?

SystemJunkie
January 2nd, 2008, 07:32 AM
-{ Quote: "Is this a Beta?" }-
Yes, it is a beta.

fcukdat
January 2nd, 2008, 06:47 PM
Hey SystemJunkie,

Just a little heads-up... try not to work up too much excitement ;)

http://www2.gmer.net/mbr/

It is no longer PoC theory but now found ITW malware :blink: :o

ErikAlbert
January 3rd, 2008, 12:00 AM
-{ Quote: "Hey SystemJunkie,

Just a little heads-up... try not to work up too much excitement ;)

http://www2.gmer.net/mbr/

It is no longer PoC theory but now found ITW malware :blink: :o" }-
How do you get this rootkit on your computer?

lucas1985
January 3rd, 2008, 11:28 AM
As an email attachment or a drive-by download. Your zero tool can kill it.

ErikAlbert
January 3rd, 2008, 07:53 PM
-{ Quote: "As an email attachment or a drive-by download. Your zero tool can kill it." }-
Yes, my zero tool will do it.
Email attachment is hardly possible, not the way I treat my spam emails: no opening and immediate delete.
Drive-by download is possible, but I assume that Sandboxie will isolate it and clean it up when it empties the sandbox.

EASTER
January 3rd, 2008, 11:08 PM
Eureka!

Finally a Gmer version that WORKS! for me. I like it and best of all it's finally stable. :thumb:

SystemJunkie
January 5th, 2008, 04:48 PM
-{ Quote: "Just a little heads-up... try not to work up too much excitement" }-
I know that this is maybe only 5%-10% of the real unknown phantom we are hunting. This is no breakthrough, it is just a little step in the right direction.

Malware Type II and III still remain a massive problem where most AVs and ARKs actually have 0 chance.

-{ Quote: "Drive-by download is possible, but I assume that Sandboxie will isolate it and clean it up when it empties the sandbox." }-
As long as the malware doesn't know that it resides inside your box..... and assuming your sandbox has no issues ;-)

SystemJunkie
January 13th, 2008, 09:21 AM
But the latest version also tends to give false alarms:
http://i17.tinypic.com/85bbyme.png

Known/safe apps should not be displayed in red, imho.

proactivelover
January 23rd, 2008, 10:23 AM
One more FP:
It's Virtual CD - Windows 2000 / XP Driver

Hermescomputers
January 23rd, 2008, 09:17 PM
Came up clean on my box... no FP, no trouble... nice! ;D