What type of malware does this...?

Discussion in 'malware problems & news' started by Victek, Sep 8, 2009.

Thread Status:
Not open for further replies.
  1. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    5,127
    Location:
    USA
    I worked on a PC today and was unsuccessful in cleaning it. Although the computer booted properly and could connect to the internet, the malware was able to instantly kill every anti-malware application I installed the moment it executed. Specifically, it killed MBAM, Hitman Pro, SAS, Prevx 3.0 and the F-Secure Online scanner. And by "killed" I don't just mean terminating the process, I mean the executable files were destroyed - amazing. I couldn't even boot the system with a UBCD4WIN rescue disc - the computer would just blue screen. Unfortunately I can't take the PC away and try to figure it out, but I would like to know what type of malware does this, and which (if any) anti-malware programs can deal with it.
     
  2. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Seems a rootkit, just a guess but I am almost sure. You need to scan the drive after attaching it to another PC.
     
  3. Joeythedude

    Joeythedude Registered Member

    Joined:
    Apr 19, 2007
    Posts:
    519
    That's very interesting.
    Have you tried renaming the MBAM .exe file and then running it?
    It might be blocking and deleting any new .exe's from running.

    That the bootup disk doesn't work would suggest a strong rootkit.

    Please let us know how you get on.

    You could try GMER as well, and rename it.
     
  4. Searching_ _ _

    Searching_ _ _ Registered Member

    Joined:
    Jan 2, 2008
    Posts:
    1,988
    Location:
    iAnywhere
    If it is bluescreening your boot media, wouldn't that mean that it has something in the BIOS or RAM?
    What if you remove or disable the HDD, does it still bluescreen your UBCD4WIN?
     
  5. TheKid7

    TheKid7 Registered Member

    Joined:
    Jul 22, 2006
    Posts:
    3,469
  6. simisg

    simisg Registered Member

    Joined:
    Nov 6, 2008
    Posts:
    410
    Location:
    Greece
    Try to boot with Kaspersky Rescue or DrWeb.... Can you boot in safe mode?
    Maybe it is a boot and file infector and you must format the disk...
    If you can boot in safe mode, try RegRun Reanimator.
     
  7. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    That PC sounds very much like the one I'm working on now, XP-Home. It had SAS and AntiVir installed, both killed. No task manager, regedit, or other tools. Trying to use safe mode causes a BSOD. Multiple popup errors for most every process. Fake Windows security center. Too many symptoms to list. No tools of value would run from within Windows. The only way I could find to clean it was to install the HD as a slave on another PC. Regarding your original question, I haven't narrowed it down yet. Scanning with AntiVir from another OS yielded 93 trojan files. MBAM found almost as many more. SAS found another 13. An online Housecall scan found 3 more, even after running all the others. I don't have access to the OS I scanned with at the moment, but I did see several rootkit drivers in the lists, including Rustock. When I have time, I'll install that drive and pull up the lists of captured files.

    If your PC is anything like this one, cleaning is only part of the problem. I reinstalled the HD and booted. Almost nothing worked. I couldn't launch any 3rd party software of any kind. Kept getting the "what do you want to open this with..." screen. Explorer couldn't launch anything. Couldn't start anything with "Run" either. Rundll32 wouldn't work. The PC appeared to be connected to the net but IE8 couldn't get to any site. FF wouldn't start at all, same "open with" message. Still no access to the registry or task manager. Scripts that are supposed to fix that problem don't work.

    The restore partition was undamaged. The only way I could make it start was with a custom made boot disk. Couldn't even save their data. This PC had an up to date AV and was kept updated on patches, including IE8. SAS ran daily. K-Meleon was installed as default. Most of the people there used it, but not all. This PC is a perfect example of the shortcomings of the conventional approach to security. Fully patched, up to date on system and AV, reasonably careful users, and one malicious page killed everything and wiped out the system beyond fixing. They're getting it back with full default-deny in place.
     
  8. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    5,127
    Location:
    USA
    Thanks for the detailed example. I wonder though about the "reasonably careful" users. It's been my experience that severely infected machines get that way with a lot of help from users. Typically they are teenagers who use Limewire and other P2P software to download free music, surf for porn, etc. I know these days it's possible to inject malicious code into normally safe websites and people can get infected without looking for trouble, but this still seems like the exception not the rule. What do you think?

    Regarding the OS being fully patched and the AV updated, I would like to believe that they are not all created equal. To date I have not come across a severely infected system running Vista - they are all running XP. I have seen plenty of examples of a fully updated AV being either unable to detect or remove malware that is immediately found and removed by MBAM or SAS. Specific brands come to mind, but I don't wish to slam them with only anecdotal evidence.
     
  9. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    I can't comment on Vista and any resistance it may have. XP is vulnerable unless steps are taken to change that. The users of this PC are all over 25. Most are over 30. I'd cleaned a PC for them before so they are basically aware of the risks of certain activities. Unless someone else was using it at the time, I'd be surprised if they were doing something unsafe deliberately.

    I'd serviced this PC less than one month ago. Other than a few bundled toolbars, there was nothing unusual on it. There was no P2P installed. I couldn't access the history to determine where or who the problem started with. In hindsight, I wish I had cloned that infected system before starting over. As for the AV, AntiVir has performed well on the systems I've installed it on, until this one.
     
  10. 1boss1

    1boss1 Registered Member

    Joined:
    Jun 26, 2009
    Posts:
    401
    Location:
    Australia
    I did that the other day, broke the .exe association trying to make my own custom context menus that pass parameters to various programs. :blink:

    On this page he's got .reg files you can download and double click to add it to the registry and restore the association. Not sure if it will work with the state of your machine, but it restored mine perfectly.

    Maybe worth a shot.
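Added example (mine, not code from the thread or from any tool named in it): the symptom noone_particular and 1boss1 describe, every program launch bouncing to the "what do you want to open this with" dialog, is the .exe association in HKCR\.exe and HKCR\exefile\shell\open\command being broken or pointed at something else. The script below parses a regedit 5.00 export of those keys, compares it with what I assume to be the stock Windows XP/Vista/7 defaults (`.exe` mapped to `exefile`, open command `"%1" %*`), reports any deviation, and emits a repair .reg file carrying the same values. Both embedded exports are constructed samples, one clean and one showing the redirect pattern; the `av.exe` path in the second is invented. Run it against a hive exported from a clean OS (the slaved-drive approach used earlier in the thread), since regedit exports are UTF-16 with a BOM and, as noted above, the infected box may not open .reg files at all.

```python
r"""Check a regedit 5.00 export for a hijacked .exe file association.

Added example, not code from the thread. Assumptions: the export was made
with regedit or `reg export` from a clean OS (decode the file as utf-16
before calling parse_reg), and the stock Windows XP/Vista/7 defaults are:
    HKCR\.exe                        (Default) = exefile
    HKCR\exefile\shell\open\command  (Default) = "%1" %*
"""
import re
from typing import Dict, List

# Known-good values (assumption: stock Windows defaults).
EXPECTED: Dict[str, Dict[str, str]] = {
    r"HKEY_CLASSES_ROOT\.exe": {"@": "exefile"},
    r"HKEY_CLASSES_ROOT\exefile\shell\open\command": {"@": '"%1" %*'},
}

# Constructed sample: a clean export, including a non-string value.
SAMPLE_CLEAN = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\.exe]
@="exefile"
"Content Type"="application/x-msdownload"

[HKEY_CLASSES_ROOT\exefile]
@="Application"
"EditFlags"=hex:38,07,00,00

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"
'''

# Constructed sample of the hijack pattern: every .exe launch is routed
# through the malware binary first (the av.exe path is invented).
SAMPLE_HIJACKED = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\.exe]
@="exefile"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"C:\\Documents and Settings\\user\\Application Data\\av.exe\" /START \"%1\" %*"
'''


def _unescape(s: str) -> str:
    """Undo .reg string escaping (backslash-backslash and backslash-quote)."""
    return re.sub(r'\\(["\\])', r"\1", s)


def parse_reg(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal parser for 'Windows Registry Editor Version 5.00' exports.

    Returns {key_path: {value_name: value}}; the default value is named "@".
    Quoted strings are unescaped; dword:/hex: values are kept as raw text.
    """
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "Windows Registry Editor")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        name, sep, value = line.partition("=")
        if current is None or not sep:
            continue
        name = "@" if name == "@" else _unescape(name.strip('"'))
        if len(value) >= 2 and value.startswith('"') and value.endswith('"'):
            value = _unescape(value[1:-1])
        keys[current][name] = value
    return keys


def check_exe_association(text: str) -> List[str]:
    """Compare an export against EXPECTED; an empty list means no deviation."""
    keys = parse_reg(text)
    findings: List[str] = []
    for key, wanted in EXPECTED.items():
        actual = keys.get(key)
        if actual is None:
            findings.append(f"missing key {key}")
            continue
        for name, want in wanted.items():
            got = actual.get(name)
            if got != want:
                findings.append(f"{key} ({name}): expected {want!r}, got {got!r}")
    return findings


def repair_reg() -> str:
    """Build a .reg file that restores the EXPECTED values (import with regedit)."""
    def esc(s: str) -> str:
        return s.replace("\\", "\\\\").replace('"', '\\"')
    out = ["Windows Registry Editor Version 5.00", ""]
    for key, values in EXPECTED.items():
        out.append(f"[{key}]")
        for name, val in values.items():
            lhs = "@" if name == "@" else f'"{esc(name)}"'
            out.append(f'{lhs}="{esc(val)}"')
        out.append("")
    return "\n".join(out)


if __name__ == "__main__":
    for label, sample in (("clean", SAMPLE_CLEAN), ("hijacked", SAMPLE_HIJACKED)):
        print(label, "->", check_exe_association(sample) or "OK")
    print(repair_reg())
```

The check deliberately compares the whole command string rather than looking for a known bad filename, so a redirect to any binary, or a `.exe` key repointed at a different ProgID, is flagged the same way. The repair file it prints is only the association itself; it does nothing about whatever set the redirect, which is why the scan from a clean OS still has to come first.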
     
  11. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    Thanks for the link. I doubt it would have worked on this PC. Some of the scripts I had were .reg format and I couldn't execute them. Whatever the malware was, it defended itself well and covered all the bases.
     
  12. CogitoTesting

    CogitoTesting Registered Member

    Joined:
    Jul 4, 2009
    Posts:
    901
    Location:
    Sea of Tranquility, Luna
    Sounds like a new Virut variant. Or it could be some sort of blended threat. Anyway, try this:

    http://www.raymond.cc/blog/archives...ne-single-disc-or-usb-flash-drive-with-sardu/
     