Worm bypassing GesWall, CFP, MD ?

Ok, I found this interesting worm on a friends heavily infected PC.

It creates autorun.inf files to infect all partitions, drives and USB sticks and makes its copies here n there and acts as a file infector too. Connects out as well.

A very interesting feature is that this worm minimizes or hides working windows/ GUI of many security software and system analysis tools like MBAM, CFP configuration windows, Process Explorer, Gmer and many others. On the infected system I was unable to run any system analysis tools or antimalware except HitmaPro, SAS Portable and Panda Cloud AV. It stopped me from using MBAM, Gmer, Process Explorer, ThreatFire and some other tools.

Ok, what is the bypass:

1- For CFP and MD, it,s a partial bypass. Once allowed to execute and make its copies CPF and MD can,t intercept and stop the worm from hiding the windows/ GUI of Process Explorer and some other toools/ software. It,s very interesting as I remember not long ago, there was a POC discussed here which was able to hide GUI of any application and almost all HIPS at that time failed to intercept this behavior. It,s very interesting to see such behavior in a malware that is infact in the wild.

2- More interesting, I run the worm as untrusted inside GesWall. Still it was able to hide/ minimize the GUI of ProcesssExplorer running as trusted.
SBIE handled this well. I was not able to test DW though.

 

What was the worm identified as by the tools that you were able to run? Were you successful in cleaning the pc? How?

Very interesting find.

 

Aigle, can you give me the link?

 

I tested it on XP SP2 under Returnil. Worm name is Mabezat. PC is now formatted with a fresh install of Ubuntu as a cure for repeated life threatening infections. My friends kids are incurable I think and they have a Vista laptop already so I put Ubuntu on desktop. I am going to encourage them to get this desktop infected now.

 

some info here...http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?name=Virus:Win32/Mabezat.B

 

Impressive worm. It will also copy itself to a cd when a disc is burned. This worm could wreak havoc on most commercial lans I've been on.

 

Yeah really impressive one man hope there would have been portable of MBAM

 

so only sbie can handle this at the moment?..

 

No, many can. It,s detected by almost all of AVs on VT. HIPS will stop it. GesWall has partial bypass otherwise worm is contained and will not survive a reboot, also GW gives a lot of Attack notifications with the worm that will warn the user.

It,s just a very interesting partial bypass for many HIPS n GesWall. Once we saw it in a POC, now in a real malware.

 

Just wondering if anyone tried this worm with OA or DW?

 

Yes, I did.

 

And were you happy with the result? (simple Yes or No will do)

 

Yes, I was happy.

 

Thanks Ilya.

 

Yeah thanks Ilya, this is good news.

 

I'd like to see the results against ThreatFire + Windows Defender - in those two I trust.

 

DW 3 0r DW 2.56 or both?

 

Threatfire I do not know but Windows Defender will not stop it.

 

I've tested it against 3.0 version as, anyway, the RC is very close.

 

Yeah, I meant those two at the same time - Windows Defender can sometimes detect things with its HIPS that are useful.

 

Here was a bit similar POC.

https://www.wilderssecurity.com/showthread.php?t=229609