System Virginity Verifier

I wish I had this program before I started dating my current girlfriend.

 

yes. drop to command line. then it's obvious.

 

In case some don't know much about the command line, here is a simple way to run it.

If you saved the folder to desktop and are lazy about typing like me, right click on it and rename it SVV.

Then go to assessories, command prompt., open the DOS window.

Type cd desktop\svv

type svv

you will then get a list of switches such as /a ect.

type svv check or type svv check /and a switch such as a.

use a space after svv and before the switch, such as

svv(space)check(space)/a

I think you can make an autoexec.bat file to run it at boot. Not sure I have not tried it yet.

If you are running a program such as deep freeze, shadowuser, or windows shared tookkit, You may see errors.

In my case I can only run svv one time, then need to reboot to run it again.

controler

 

Thanks Controller for these instructions. Many people here started using computers after the windows er, so they are not comfortable with using the command line.

 

yes and I am happy at times to go back to the DOS prompt and look around.
It is like another world I am in.

You can still go to DOS and type Help to see all the commands.
Even tree still works. I sure remember the days of XTREE though LOL

Then if you hit the up arrow key, you don't have to retype the commands.
If you keep hitting the up arrow, you view all the commands you were typing.

I think that is because DOSKEY loads with windows these days.

I wonder if FC would work on registry entries?

controler

 

Hi controler,

Sorry for not getting back to you sooner. The SSDT view showed nothing unusual, but, today, I looked more closely at the Kernel Module view and saw a module with the following path: \??\C:\DOCUME~1\*****\LOCALS~1\Temp\mc22.tmp. The SVV output I posted above included something similar: mc211.tmp (f8c5a000 - f8c5b000)... Image file not found!. The mc2*.tmp naming convention is well known to be related to madshi's madCodeHook DLL injection.

This was confirmed by installing/running RegDefend, which alerted to the following at startup:

11:39:33 | Create Key | Allowed [User] | HKLM\System\Controlset001\Services\Mchinjdrv | | swdoctor.exe
c:\program files\spyware doctor\swdoctor.exe
"C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
HKLM\System\Controlset001\Services\Mchinjdrv

11:39:38 | Set Value | Allowed [User] | HKLM\System\Controlset001\Services\Mchinjdrv | start | swdoctor.exe
c:\program files\spyware doctor\swdoctor.exe
"C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
start
[REG_DWORD] 4 (0x00000004)

11:39:43 | Set Value | Allowed [User] | HKLM\System\Controlset001\Services\Mchinjdrv | imagepath | swdoctor.exe
c:\program files\spyware doctor\swdoctor.exe
"C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
HKLM\System\Controlset001\Services\Mchinjdrv
imagepath
[REG_SZ] \??\C:\DOCUME~1\*****\LOCALS~1\Temp\mc22.tmp

Note that it is Spyware Doctor (swdoctor.exe) installing the driver. After removing Spyware Doctor, SVV's output looked like this:

C:\svv>svv check /a
ntoskrnl.exe (804d7000 - 806eb780)...
Null.SYS (f8bff000 - f8c00000)... error code = 0x490
mnmdd.SYS (f8a1e000 - f8a20000)... error code = 0x490
RDPCDD.sys (f8a20000 - f8a22000)... error code = 0x490
dump_atapi.sys (f288c000 - f28a4000)... Image file not found!
dump_WMILIB.SYS (f8a22000 - f8a24000)... Image file not found!

SYSTEM INFECTION LEVEL: 2
0 - BLUE
1 - GREEN
--> 2 - YELLOW
3 - ORANGE
4 - RED
5 - DEEPRED
Nothing suspected was detected.

I suppose you could call this a false positive similar to what Pete is seeing (given that, I have read, Online Armor uses madshi's tools as well). What troubles me is that I no longer see any McAfee errors (such as Viruscan being occasionally disabled) after uninstalling Spyware Doctor.

Nick

 

Hi Pete,

It might be unknown now, but I suspect it may eventually become more mainstream. If you monitor the registry (in my case, with RegDefend), you will catch SVV creating (and later deleting) a temporary service. Note the Arcabit in the service name...

21:38:32 | Create Key | Allowed | HKLM\System\Controlset001\Services\Arcabitsvv | | services.exe
HKLM\System\Controlset001\Services\Arcabitsvv

21:38:32 | Set Value | Allowed | HKLM\System\Controlset001\Services\Arcabitsvv | imagepath | services.exe
HKLM\System\Controlset001\Services\Arcabitsvv
imagepath
[REG_EXPAND_SZ] \??\C:\svv\svv.sys

21:38:32 | Delete Key | Allowed | HKLM\System\Controlset001\Services\Arcabitsvv | | services.exe
HKLM\System\Controlset001\Services\Arcabitsvv

Nick

 

I get the same results with KIS on my test box.

SVV

Process is trying to modify value ImagePath in controlled registry key.
or
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ArcaBitSVV



\??\C:\Documents and Settings\controler\Desktop\svv\svv.sys


Attempt of process C:\WINDOWS\system32\services.exe (PID: 584) to perform suspicios actions was denied. 10/15/2005 10:38:06 PM

 

System Virginity Verifier SVV 1.1 released

2005-11-05 SVV 1.1 released: fixed some minor bugs and false positives.

System Virginity Verifier

The idea behind SVV is to check important Windows System components, which are usually altered by various stealth malware, in order to ensure system integrity and to discovery potential system compromise.

SVV 1.0 implements only code virginity verification which is the first step in SVV implementation and its task is to ensure the integrity of the code sections of in-memory mapped kernel and usermode modules (that is kernel drivers and usermode DLLs).

See the presentation for more details.

changelog

1.1a [05/11/2005]
- "Important modules not found" is now *really* _warn()

1.1 [01/11/2005]
- kernel module: MmUnlockPages() wasn't called sometimes
- fixed off-by-one in call to relocBuffer() (it sometimes caused heap corrpution)
- fixed unloadDriver() to not crash when called when SVV is unitialized
- "Important modules not found" is now _warn() instead of _error()
- also fixed problem with "ntoskrnl.exe not found" displayed on some systems
- isJMPingCode(): added CALL decoding
- do not use heuristics for locating original SDT when current SDT inside .text section of ntosktnl
- report functionality enabled in public version

Freeware

http://invisiblethings.org/tools.html#svv


StevieO

 

Re: System Virginity Verifier SVV 1.1 released

How do you actually get it to run.Click on the exe just flashes up a dos box for a nano then nothing.Same as the older version.

 

Re: System Virginity Verifier SVV 1.1 released

It's a commandline tool. It doesn't have a GUI interface. Open up a command windows and change to the directory where you extracted the program. Type svv and press return. You will get the syntax to run the program. To get started try typeing without the quotes "svv check"

 

Re: System Virginity Verifier SVV 1.1 released

In case some don't know much about the command line, here is a simple way to run it.

If you saved the folder to desktop and are lazy about typing like me, right click on it and rename it SVV.

Then go to assessories, command prompt., open the DOS window.

Type cd desktop\svv

type svv

you will then get a list of switches such as /a ect.

type svv check or type svv check /and a switch such as a.

use a space after svv and before the switch, such as

svv(space)check(space)/a

 

Re: System Virginity Verifier SVV 1.1 released

OK,thanks fellas,will give it a go.

 

Re: System Virginity Verifier SVV 1.1 released

Is this another proof of concept?


Or is it going somewhere?

 

Not convinced. 5 Deepred's on a new pc with Sygate, BOClean and KAV5 + NOD32(on-demand). Plus disabled UPnP, DCOM and Messenger before even connecting to the net. I've only gone to a handful of websites, all totally legit. Here, BBR, BBC.co.uk, Play.com and amazon.co.uk
So the chances i could pick up a rootkit is as pretty close to zero as you can get. So do i believe what it tells me and i delete Kernel.dll and ntoskrnl.exe Do you think my pc will be cured? Broke, but not cured i'm sure.

Because i'm slightly paranoid, curiosity got the better of me and i ran Rootkit Revealer and it says i'm clean. I've been trying Unhackme a couple of days also and that says i'm clean too.

No, i'm definitely not convinced by SVV. But it's a new app and i'm positive they are FP's. Still i'll keep an eye on this app and maybe try it again sometime.

muf

 

muf ? have you shut down all your other security apps before running SVV?

Then you can try the new hookanlz.exe posted else where in this forum to see what is hooking the kernel.

Like the man says, kernel hooking has to be still done by some security software

controler

 

Hello,
That does not justify the code 5 flag.
I tried the same on a fresh machine I installed and configured myself and got the same deepred warning. I do not approve. This means valid and legal hooks are misinterpreted as malware. Not good. Besides, I don't want to kill every secuirrty apps I have and run only 14.33 processes to make sure the tool works properly. There are about a trillion security configurations. And each one will give a different result then? The tool has to be universal. Run on all platforms regardless of what is installed.
Or perhaps in safe mode?
Mrk

 

Mrkvonic

I only gave that advice so that you can see what else is hooking. Your regular windows config won't show deep red ever. Only if you have other kernel touching things installed.
You are correct SVV is not for the home user and may never be. She may leave it as just another proof of concept. She may sell it. you just never know.
Why wouldn't you dare run SVV with your other security stuff dissabled? If unhook your internet cable, you can't get hurt, unless you don't trust the app (SVV). I have asked Johanna what her plans for SVV where but never did get a complete answer and that is her buisness anyways.
If she does post at Wilders, it is anon. Like DA mentioned, she posts at the rootykit site but might think she is too good for Wilders.

Mrkvonic ? Do you like to test alot of software or did you fear you have a rootkit?


controler

 

Hi,
First, I'm not afraid of getting infected.
I did not disable the security software on purpose. I wanted to see how this program fares with a standard windows installation plus anti-virus, some anti-spyware, firewall etc. My findings are not good. I have discovered that your average home computer returns a deepred code without anything being compromised on it.
Imagine someone with less confidence using this tool - BOOM, deepred. He's already running 14 security programs. And yet, this little tool indicates he's rooted deeply deeply. So he formats. Installs again. Tries it, BOOM, deepred. A diagnostics tool should never give a warning like that in normal circumstances. And I mean normal, because I think 90% + of all users run anti-virus and firewall.
Therefore, a security tool should be able to give 0 false positives when running in usual environment or it should be run in a special environment. Special requires very precise definitions - like safe mode for example. It should never be up to a user to disable his firewall, anti-virus, system restore, registry, whatever ... to be able to get trustworthy results. What if you forget some process or application? What if? What if?
Take an average anti-spyware for instance. Spybot. You don't need to shut off any process or anything before running it. Now, the comparison is not fair, I know. Therefore, then the SVV should not be more than an information tool. Not a diagnostics, and certainly not a repair tool.
Did you read the svv presentation? It says, if you got code 5 = infected! Not true.
Diagnostics and repair demand far more accuracy than just objective information.
And therefore, the tool should be run with very specific instructions or none at all, but with true results in both circumstances.
This tool is not for home users at all. If you don't know how kernel works, you shouldn't meddle with it. If you DO, you don't need svv ...
One more thing: People trust dry artificial intelligence results from their scanner bots too seriously. They get a flag they are infected and they start to panic. Not the right course of action.
People who are not sure if they are infected or not do not use their computers properly. If you're not sure, no scanner is good for you.
I had false positives with several programs in recent months and years. I never erased the keys and values and files the scanners found. Why? Because I know that what they found are not infections. Even without looking at the actual keys and files. And true, when I sent these finding to the respective companies, they proved false positives.
Getting your computer infected requires an effort. A deliberate effort.
I wanted to test svv on a clean machine to reduce any slightest doubt as to the cleanness (virginity) of the test machine. I'm not saying the tool is not good. On the contrary. But not for average users. It's too dangerous for average users.
And finally, I like to test software, some if it, anyway. The interesting ones.
And I did not fear rootkit. Not sony or anything else. Not that I would ever buy the Bolshevik-branded DRM music.
I repeat: computers are dumb machines. No matter what happens you can always format. Or replace hard disk. Nothing you cannot live without. Just dumb sweet machines.
Mrk

 

Well i retried it with all my security apps shut down and the deepred's went from 5 to 1. So i zipped up the Kernel32.dll file that it was reporting and sent it to Kevin McAleavey(BOClean) because i value his opinion and diagnostic. He says it's (in his words) "peachy". So it apears not to be rootkitted.

As i said earlier. One app to look out for but in it's current incarnation it could get people to hose their systems believing in what it says. Worrying.

muf

 

Yes, any scanner that ever produces a false positive is not recommended for newbies. Or anyone else for that matter.

This list includes spybot,adaware,cwshredder all antiviruses etc etc.

 

Hi,
You really ARE the devil's advocate!
BTW, are you Pachino or Reeeves?
Apropos false positives, I never had one with spybot, anti-virii or adaware, yes I did with cwshredder. However, still, removing those fps would be a game compared to removing your kernel dlls.
Mrk

 

Do any of these apps find rootkits? There is a big difference.


controler