W32.SafeSys.Worm VS Returnil

Discussion in 'General Returnil discussions' started by developers, Jul 16, 2009.

Thread Status:
Not open for further replies.
  1. developers

    developers Registered Member

    Joined:
    Apr 1, 2009
    Posts:
    62
    I have tested this malware:
    http://news.softpedia.com/news/New-Chinese-Worm-Bypasses-System-Rollback-Software-113677.shtml
    http://blog.bkis.com/?p=707

    and it's able to bypass both Returnil 2008 and Returnil 2010 (latest beta).

    After reboot, the malware is still present in the system partition (c:\safesys.exe is hidden).
    This malware steals passwords, infects pendrives, disables security software, infects system processes (spoolsv.exe, etc.) and hides its process.

    It uses an SSDT hooking technique and manages Ftdisk for low-level disk access.

    I will send this sample to Returnil support tech.

    PS
    This malware also bypasses ShadowDefender.

    http://www.pctunerup.com/up/image.php?src=_200907/20090717110122_v1.jpg

    http://www.pctunerup.com/up/image.php?src=_200907/20090717110144_v2.jpg

    http://www.pctunerup.com/up/image.php?src=_200907/20090717110157_v3.jpg

    http://www.pctunerup.com/up//results/_200907/20090717110512_v5a.png
     

    Attached files: v4a.jpg, v6a.jpg, v7a.jpg, v8.jpg
    Last edited: Jul 17, 2009
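The post above reports that a hidden file survives a reboot under a rollback product and that a system binary gets infected. A reproducible way to check such a claim (and to answer the "how do you know?" objection raised later in the thread) is a hashed before/after snapshot of the protected partition rather than a screenshot. The script below is an added example, not code from the thread, from Returnil or from the worm's analysts; the function names, the JSON layout and the sample file names in `demo()` are my own constructed choices, and the dot-prefixed `.safesys.exe` stands in for a hidden-attribute file so the demo behaves the same on POSIX and Windows.

```python
"""Rollback-verification helper (added example, not from the thread or Returnil).

Take a hashed snapshot of a directory tree before the reboot, take another one
after it, and report which files persisted, changed or appeared. Entries that
carry the Windows hidden attribute (or a dot-prefixed name elsewhere) are
flagged separately, since that is the kind of file the thread describes.
"""
import hashlib
import json
import os
import stat
import sys
import tempfile

CHUNK = 1 << 20  # 1 MiB read size for hashing large files


def _is_hidden(path: str) -> bool:
    """Hidden attribute on Windows; dot-prefixed name elsewhere."""
    st = os.lstat(path)
    attrs = getattr(st, "st_file_attributes", 0)          # present only on Windows
    hidden_flag = getattr(stat, "FILE_ATTRIBUTE_HIDDEN", 0)
    if attrs & hidden_flag:
        return True
    return os.path.basename(path).startswith(".")


def _sha256(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def snapshot(root: str) -> dict:
    """Map relative path -> {"sha256", "hidden"} for every regular file under root."""
    result = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            if not os.path.isfile(full) or os.path.islink(full):
                continue
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            try:
                result[rel] = {"sha256": _sha256(full), "hidden": _is_hidden(full)}
            except OSError:
                continue  # unreadable (locked) files are skipped rather than aborting
    return result


def diff_snapshots(before: dict, after: dict) -> dict:
    """Classify files as appeared, removed, changed, and appeared-and-hidden."""
    appeared = sorted(set(after) - set(before))
    removed = sorted(set(before) - set(after))
    changed = sorted(p for p in set(before) & set(after)
                     if before[p]["sha256"] != after[p]["sha256"])
    hidden_new = sorted(p for p in appeared if after[p]["hidden"])
    return {"appeared": appeared, "removed": removed,
            "changed": changed, "hidden_new": hidden_new}


def rollback_held(before: dict, after: dict) -> bool:
    """True only if the post-reboot tree is byte-identical to the baseline."""
    d = diff_snapshots(before, after)
    return not (d["appeared"] or d["removed"] or d["changed"])


def demo() -> dict:
    """Constructed scenario: baseline tree, then a planted hidden file and a patched binary."""
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "notes.txt"), "w") as fh:
            fh.write("baseline\n")
        with open(os.path.join(root, "spoolsv.exe"), "wb") as fh:
            fh.write(b"MZ-original")
        before = snapshot(root)
        # Simulate the thread's report: a hidden dropper survives and a system binary is modified.
        with open(os.path.join(root, ".safesys.exe"), "wb") as fh:
            fh.write(b"MZ-dropper")
        with open(os.path.join(root, "spoolsv.exe"), "wb") as fh:
            fh.write(b"MZ-infected")
        after = snapshot(root)
        return diff_snapshots(before, after)


def main(argv):
    if len(argv) == 4 and argv[1] == "save":        # save <root> <out.json>
        with open(argv[3], "w") as fh:
            json.dump(snapshot(argv[2]), fh, indent=1)
    elif len(argv) == 4 and argv[1] == "diff":      # diff <before.json> <root>
        with open(argv[2]) as fh:
            before = json.load(fh)
        print(json.dumps(diff_snapshots(before, snapshot(argv[3])), indent=1))
    else:
        print(json.dumps(demo(), indent=1))


if __name__ == "__main__":
    main(sys.argv)
```

Usage: `python snapshot.py save C:\ before.json`, reboot with the rollback product armed, then `python snapshot.py diff before.json C:\`. Any entry under `appeared` or `changed` is a file the rollback did not revert; `hidden_new` lists the ones that would not show up in a normal directory listing. Save `before.json` on a separate volume, otherwise the rollback itself discards it.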
  2. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Thanks. Good work. Any snapshots if possible pls.
     
  3. Coldmoon

    Coldmoon Returnil Moderator

    Joined:
    Sep 18, 2006
    Posts:
    2,981
    Location:
    USA
    Hi developers,
    We have the sample and it's been sent to the team for investigation.

    Mike
     
  4. cqpreson

    cqpreson Registered Member

    Joined:
    May 18, 2009
    Posts:
    348
    Location:
    China
    Good work. Thanks. Will this worm send an e-mail to transmit the passwords that it steals?
     
  5. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Thanks for the snapshots.
     
  6. dantz

    dantz Registered Member

    Joined:
    Jan 19, 2007
    Posts:
    991
    Location:
    Hawaii
    My understanding is that you would have to run as Admin to catch this thing. If you run as limited user then the worm can't load the necessary device drivers etc. for direct disk access.

    edit:
    PS: How do you know that the sample you tested writes directly to the disk drive? This sounds pretty far fetched to me. And almost all of the online reports I have read are pretty much just quoting one another rather than presenting actual evidence. Does this thing really exist or is it just a hoax?
     
    Last edited: Jul 18, 2009
  7. cheater87

    cheater87 Registered Member

    Joined:
    Apr 22, 2005
    Posts:
    3,125
    Location:
    Pennsylvania.
    Did you have Returnil's option to wipe after reboot enabled?
     
  8. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    It will not matter.
     
  9. cheater87

    cheater87 Registered Member

    Joined:
    Apr 22, 2005
    Posts:
    3,125
    Location:
    Pennsylvania.
    Delete or erase the virtual partition and make a new one.
     