Does SAS detect Win32.Ntldrbot?

I would like to know as Im not sure my F-Secure does.

 

Not at the moment but give Nick sometime and maybe he will write new detection module as he did for MBR kit recently

F-secure will not see ntldrbot if it is loaded...

 

See suitably vague / evasive reply on the official SAS forum……
http://forums.superantispyware.com/viewtopic.php?p=8487#8487

 

They now state SAS does detect Rustock.C

 

Not vague at all. I asked a specific question "Does SAS detect Rustock.C" The answer was that it "should" detect it.

I then ask agin if they confirm if it does or not and they do not answer as there are no standard names for these things.

I then say it is only known by tow names and asked them to say if they detect it or not

Only then do they say they definately detect Rustock.C

I suggest you try being less rude and obesrve the facts better in future.

 

If SAS can detect and remove Rustock.C, it means that Rustock.C is on your HDD. ~off topic comment removed....Bubba~ So why is Rustock.C so scaring, if it is so easy to remove ? I don't need 240 posts to clean this one.

 

I have replied to this comment in ntldrbot topic and still standby what is posted in my reply post to you

Just to clear up this little bit of grey area around what is Rustock C for Nick.Here is a collection of useful reference reading/support data on ntldrbot aka Rustock C!

http://www.drweb.com/upload/6c5e138..._DDOCUMENTSArticales_PRDrWEB_RustockC_eng.pdf

http://www.rootkit.com/newsread.php?newsid=879

http://blog.threatexpert.com/2008/05/rustockc-unpacking-nested-doll.html

http://translate.google.com/transla...sis?pubid=204007614&hl=en&ie=UTF8&sl=ru&tl=en

HTH

 

I'm not normally a blacklist scanner user, but I can confirm that on a system infected with the "xyyy" rustock.c sample (from Offensive Computing) the latest SAS Free and sigs detect nothing (while CureIt does).

What's more interesting, though, is that on this test machine (E6700 C2D, XP SP2) some aspects of the rootkit are visible within XP's bootlog, within regedit, and within the system32\drivers folder.

Nick

Some examples:

...Loaded driver \SystemRoot\system32\drivers\AsIO.sys
Loaded driver \??\C:\WINDOWS\system32\drivers\a12e891a.sys
Loaded driver \SystemRoot\system32\DRIVERS\hidusb.sys
Loaded driver \SystemRoot\System32\Drivers\Cdfs.SYS
Loaded driver \??\C:\Program Files\ProSecurity\ProSecur.sys
Loaded driver \SystemRoot\System32\Drivers\DefragFS.SYS...

 

If you wouldn't mind, would you send those samples to nicks AT superantispyware.com and I will personally analyze them immediately and ensure we remove the strain you have on your system.

 

Not a problem. Sent.

Nick

 

I thought Rustock.C was completely invisible, obvious not. I don't see much difference between Rustock.C and any other malware. It installs objects like any other malware.
Of course the execution is more complicated, but it has to change your system first and what is changed can be replaced or removed in several ways. Is that the scaring Rustock.C ? Pffft.
A rootkit that infects your motherboard, VGA card, etc. that is scaring.

 

Now this will be confusing...

Nick S,
a12e891a.sys is Trojan downloader.agent.ddl It is agent and not Rustock C/spambot.

It no longer imports ntldrbot/Rustock C as the download from 208.66.194.215 appears to be yanked.

With that there is no reason that SAS once it *knows* the down-loader agent cannot detect and remove the Agent bot

 

Not confusing. I suspected something was broken. Wireshark shows the 208.66.194.215 attempts.

Nick

 

out of curiocity...would that malware succesfully install its driver and infect the system in LUA as well?