Rustock C no longer a myth, no longer a threat

Discussion in 'other anti-virus software' started by Meriadoc, May 6, 2008.

Thread Status:
Not open for further replies.
  1. Meriadoc

    Meriadoc Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    2,642
    Location:
    Cymru
    Win32.Ntldrbot (aka Rustock.C) no longer a myth, no longer a threat. New Dr.Web (story) scanner detects and cures it for real.
     
  2. Jadda

    Jadda Registered Member

    Joined:
    Jun 5, 2007
    Posts:
    429
    Amazing! Congrats!
     
  3. Meriadoc

    Meriadoc Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    2,642
    Location:
    Cymru
    You can also scan for Win32.Ntldrbot using the free CureIt! utility from DrWeb.
     
  4. Dark Shadow

    Dark Shadow Registered Member

    Joined:
    Oct 11, 2007
    Posts:
    4,553
    Location:
    USA
    Wow sounds like real Nasty crap,Anyways congrats Drweb.
     
  5. lodore

    lodore Registered Member

    Joined:
    Jun 22, 2006
    Posts:
    9,065
    congratz to drweb for being able to remove this nasty rootkit without even needing to install anything.
    dont need to be a big companie to stop the big threats.
     
    Last edited: May 6, 2008
  6. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,102
    Location:
    North Carolina USA
    I am impressed. Good work Dr Web.:thumb:
     
  7. Dark Shadow

    Dark Shadow Registered Member

    Joined:
    Oct 11, 2007
    Posts:
    4,553
    Location:
    USA
    What I found pretty freaky is how the rookit protected its self from run time changes and utilizes time release reinfections,Nasty but brilliant.That is until the good Drweb came along and was even more brilliant:D
     
  8. sergeyko

    sergeyko AV Expert

    Joined:
    May 16, 2006
    Posts:
    56
    That was not easy! It took us a few weeks to analyze the rootkit and make a cure...
    Freaky virus, indeed! Luckily those ones are pretty rare now.
     
  9. jdenton

    jdenton Registered Member

    Joined:
    Apr 25, 2008
    Posts:
    47
    I find it pretty amazing how Dr.Web says that this virus went undetected for months because antivirus companies couldn't find a sample. It must've been spreading really slowly and not much of a threat.

    Anyway I'm downloading Dr.Web now to see if it finds anything on my machine.
     
  10. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
  11. gery

    gery Registered Member

    Joined:
    Mar 8, 2008
    Posts:
    2,175
    Congratulations to Dr Web
     
  12. Dark Shadow

    Dark Shadow Registered Member

    Joined:
    Oct 11, 2007
    Posts:
    4,553
    Location:
    USA
    Well I commend the hard work of you brilliant minds,that keep me the not so brilliant safer:D
     
  13. Bunkhouse Buck

    Bunkhouse Buck Registered Member

    Joined:
    May 29, 2007
    Posts:
    1,286
    Location:
    Las Vegas
    They are working hard for we users. :thumb:
     
  14. egghead

    egghead Registered Member

    Joined:
    Aug 27, 2005
    Posts:
    443
    Location:
    The Netherlands
    Shame on you, who did not trust the Doctor ! :D
     
  15. GES/POR

    GES/POR Registered Member

    Joined:
    Nov 26, 2006
    Posts:
    1,490
    Location:
    Armacham
    Is Dr Web really the only av that detects this?
     
  16. Baz_kasp

    Baz_kasp Registered Member

    Joined:
    May 1, 2008
    Posts:
    593
    Location:
    London
    Depends on what DrWeb mean by "detects"....


    And it is possible, pratically every AV "x" has samples that "Y" and "Z" will not detect.... but then again, if it has taken them so long to find it, the malware is probably spreading with a very low propogation rate, as jdenton mentioned.
     
  17. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    What about Rustock.D and Rustock.Z ?
     
  18. emperordarius

    emperordarius Registered Member

    Joined:
    Apr 27, 2008
    Posts:
    1,218
    Location:
    Who cares
    Kasperskt detects and proactively blocks the loading of Rustock with suspicious driver installation warning.
    Kaspersky 7.0 and 2009 will be able to detect hidden files created by Rustock using rootkit scanning and you can disinfect the computer using the rescue CD created with Kaspersky.

    Also a rootkit scan with the best rootkit detectors, gMer and Rootkit Unhooker won't hurt.
     
    Last edited: May 6, 2008
  19. sergeyko

    sergeyko AV Expert

    Joined:
    May 16, 2006
    Posts:
    56
    I would not be so sure. According to what kaspersky employees say on some russian forums, they don't think this threat is serious and are not going to make a detection, not saying about a cure.

    They won't indeed. But as far as I know none of their public version helps either. Yet.
     
  20. format_c

    format_c Registered Member

    Joined:
    May 6, 2008
    Posts:
    116
    LOL! the real men ain't lookin' for a easy way...
     
  21. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
    Exactly. Don´t believe the hype.

    We have seen no prove for "millions of infected systems", nobody can check their studies except themselves.
     
  22. emperordarius

    emperordarius Registered Member

    Joined:
    Apr 27, 2008
    Posts:
    1,218
    Location:
    Who cares
    Not adding the threats would rather be a mistake, I mean, the more threats, the better is. However, since Kaspersky 7.0 can detect it proactively, and version 2009 is almost out, this won't be a big risk.
     
  23. Baz_kasp

    Baz_kasp Registered Member

    Joined:
    May 1, 2008
    Posts:
    593
    Location:
    London

    Thanks for quoting me ;)

    I posted that in generalisation of rustock detections..... PDM gives suspicious driver installation for most rootkit loads, however if DrWeb are correct that this is a completely "unknown" threat then there is no way to tell 100% without a sample.
     
  24. emperordarius

    emperordarius Registered Member

    Joined:
    Apr 27, 2008
    Posts:
    1,218
    Location:
    Who cares
    Well, Kaspersky should add the threat. The more, the best. Anyway, it can detect it by proactive defense, so 7.0 and 2009 will have no problems detecting the threat.
     
  25. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,102
    Location:
    North Carolina USA
    2009 is going to detect a lot more then the standard stuff you have seen in tests of all vendors. The best is yet to come. Throw away your traditional thinking of a security suite because they just went bye-bye.;)
     
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.