Search found 197 matches

by gjf
Wed Mar 17, 2010 12:14 pm
Forum: Malware
Topic: Rootkit ZeroAccess (alias MaxPlus, Sirefef)
Replies: 374
Views: 320642

WinLocker with some rootkit technology

Dear All! Could you please help with the analysis of the following: hxxp://www.mediafire.com/?wgxtxmyybiy hxxp://www.mediafire.com/?zzjmjmzorln (possibly the same, just repacked versions). What is this? It's malware which locks Windows and requests an SMS for unlocking. We have a huge amount of such malwa...
by gjf
Mon Mar 15, 2010 8:19 pm
Forum: Malware
Topic: Rustock
Replies: 28
Views: 37201

Re: Nixoa/Bubnix Rootkit

This rootkit is already well studied, some info here and here. If I remember correctly I removed this rootkit using Gmer without any problem. "Boot Bus Extender" is quite a special name for this. Concerning the subj - the rootkit dies because of manual installation, I believe. Dropper could solve the prob...
by gjf
Mon Mar 15, 2010 4:28 pm
Forum: Malware
Topic: WinNT/BlackEnergy
Replies: 38
Views: 59405

Re: Black Energy 2.1+

Hi, the original kernel service table stays untouched, so there is nothing to display :) Each thread can have its own service table because of a pointer in ETHREAD. This is done by the original NT architecture and we can't change that. Public RkU will however find and show you this faking at Stealth Code pa...
by gjf
Mon Mar 15, 2010 3:56 pm
Forum: Malware
Topic: WinNT/BlackEnergy
Replies: 38
Views: 59405

Re: Black Energy 2.1+

This method gives a sufficient level of stealth and it is convenient. In fact, the SSDT wasn't modified and major rootkit detectors will fail to find and remove the rootkit's hooks.
So - no way to live any further? 8-) Even RkU cannot see it? ;)
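The per-thread service table trick discussed in the two Black Energy posts above (the quoted claim that SSDT-only scanners miss it, and gjf's explanation that each thread carries its own service table pointer in ETHREAD) can be checked exactly the way gjf describes: walk the threads, compare each thread's table pointer with the known descriptor, and diff the entries of any private copy. The block below is a user-mode model of that check added here for illustration; it is not code from the forum, from RkU, or from BlackEnergy. The structure layouts, the field name, the routine addresses and the thread list are all constructed for the demonstration; in a real driver the pointer is the version-specific ServiceTable field of KTHREAD and the comparison targets are the real KeServiceDescriptorTable and its shadow.

```c
/* Added example: user-mode model of a per-thread service table check.
 * Everything here (layouts, addresses, thread list) is constructed; it is
 * not kernel code and not the layout of any real Windows version. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SSDT_SIZE 4

/* Model of KSERVICE_TABLE_DESCRIPTOR: dispatch table base plus entry count. */
typedef struct {
    uintptr_t *base;
    unsigned   limit;
} service_table_t;

/* Model of the one KTHREAD field the check cares about (assumed name). */
typedef struct {
    unsigned         tid;
    service_table_t *service_table;   /* stands in for KTHREAD.ServiceTable */
} thread_t;

/* "Original" NT service routines at constructed addresses. */
static uintptr_t nt_routines[SSDT_SIZE] = {0x80501000, 0x80502000, 0x80503000, 0x80504000};
static service_table_t KeServiceDescriptorTable = { nt_routines, SSDT_SIZE };

typedef struct {
    unsigned tid;
    int      foreign_table;   /* 1 if the thread's pointer is not the original descriptor */
    unsigned hooked_entries;  /* entries in the private copy that differ from the original */
    unsigned first_hooked;    /* first differing syscall index, or (unsigned)-1 if none */
} thread_report_t;

/* The check itself: the global SSDT is never consulted for "modification",
 * only the pointer each thread carries and the contents it points at. A
 * scanner that only diffs KeServiceDescriptorTable sees nothing here. */
thread_report_t check_thread(const thread_t *t, const service_table_t *original)
{
    thread_report_t r = { t->tid, 0, 0, (unsigned)-1 };
    if (t->service_table == original)
        return r;
    r.foreign_table = 1;
    unsigned n = t->service_table->limit < original->limit
               ? t->service_table->limit : original->limit;
    for (unsigned i = 0; i < n; i++) {
        if (t->service_table->base[i] != original->base[i]) {
            if (r.first_hooked == (unsigned)-1)
                r.first_hooked = i;
            r.hooked_entries++;
        }
    }
    return r;
}

/* Scan a thread list; returns how many threads use a non-original table. */
unsigned scan_threads(const thread_t *threads, size_t count,
                      const service_table_t *original, thread_report_t *out)
{
    unsigned flagged = 0;
    for (size_t i = 0; i < count; i++) {
        out[i] = check_thread(&threads[i], original);
        if (out[i].foreign_table)
            flagged++;
    }
    return flagged;
}

/* Constructed scenario: the rootkit copies the SSDT, redirects index 2 to its
 * own handler and points a single thread at the copy; the global table is untouched. */
static uintptr_t rootkit_copy[SSDT_SIZE];
static service_table_t rootkit_table = { rootkit_copy, SSDT_SIZE };

size_t build_sample_threads(thread_t *threads)
{
    memcpy(rootkit_copy, nt_routines, sizeof nt_routines);
    rootkit_copy[2] = 0xF7A00000;   /* constructed rootkit handler address */
    threads[0] = (thread_t){ 4,  &KeServiceDescriptorTable };
    threads[1] = (thread_t){ 8,  &rootkit_table };
    threads[2] = (thread_t){ 12, &KeServiceDescriptorTable };
    return 3;
}

int main(void)
{
    thread_t threads[3];
    thread_report_t reports[3];
    size_t n = build_sample_threads(threads);
    unsigned flagged = scan_threads(threads, n, &KeServiceDescriptorTable, reports);
    for (size_t i = 0; i < n; i++)
        if (reports[i].foreign_table)
            printf("thread %u: private service table, %u redirected entries, first at index %u\n",
                   reports[i].tid, reports[i].hooked_entries, reports[i].first_hooked);
    printf("%u of %zu threads use a non-original service table\n", flagged, n);
    return 0;
}
```

The point of the model is the order of checks: pointer identity first, contents second. Comparing only the contents of whatever table a thread points at would still catch the redirected entry, but the pointer comparison is what tells you a thread was given a private copy at all, which is the thing gjf says the public RkU reports.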
by gjf
Mon Mar 15, 2010 3:46 pm
Forum: Malware
Topic: Rootkit ZeroAccess (alias MaxPlus, Sirefef)
Replies: 374
Views: 320642

Re: Rootkit ZeroAccess (aka MAX++)

Could you please provide more info concerning detection and removal? I know VBA32 removes it, but nothing concerning detection specs and some other tools to help.
by gjf
Mon Mar 15, 2010 10:52 am
Forum: Malware
Topic: Rootkit 4DW4R3 (TDL 2 clone)
Replies: 5
Views: 11011

Re: Rootkit 4DW4R3 (TDL 2 clone)

"TDL2 Clone" - does it mean the standard detection/removal tools for TDSS can be used? Actually, TDL2 could be easily detected and removed using Gmer (and even AVZ, but with Gmer's information, of course).
by gjf
Mon Mar 15, 2010 10:46 am
Forum: Malware
Topic: Rootkit TDL 3 (alias TDSS, Alureon.CT, Olmarik)
Replies: 395
Views: 279582

Re: Rootkit TDL 3 (alias TDSS, Alureon)

Actually, you don't even need to store the original atapi.sys because it is almost the same for all SPs of Windows (but possibly different for XP, Vista and Seven). I had an infection yesterday (quite stupid - just testing the new Tdss.ayec). Looks like that version doesn't love my system (SPTD conflict???) so it d...