WinNT/Rovnix (alias Mayachok, Cidox, BkLoader)

Forum for analysis and discussion about malware.
rkhunter
Posts: 1155
Joined: Mon Mar 15, 2010 12:51 pm
Location: Russian Federation

WinNT/Rovnix (alias Mayachok, Cidox, BkLoader)

Post by rkhunter » Mon Jul 04, 2011 10:25 am

New bootkit with fraud component - browser banner.

Image

VT report: http://www.virustotal.com/file-scan/rep ... 1309773726

Unusual VBR infection method.
Also works successfully on x64.
DrWeb Beta Scanner successfully cures it.
Mentioned in (so far only in Russian) http://forum.drweb.com/index.php?showto ... ntry530621

EP_X0FF
Global Moderator
Posts: 4872
Joined: Sun Mar 07, 2010 5:35 am
Location: Russian Federation

Re: Trojan.Mayachok.2

Post by EP_X0FF » Mon Jul 04, 2011 1:42 pm

IntMayak.dll as payload?

fixboot?
Ring0 - the source of inspiration

Blitskrieg
Posts: 20
Joined: Sun Mar 14, 2010 7:22 am

Re: Trojan.Mayachok.2

Post by Blitskrieg » Mon Jul 04, 2011 3:08 pm

Also known as Cidox (Rootkit.Boot.Cidox.a).

Blog post (only in Russian for now) - http://www.securelist.com/ru/blog/40578 ... FS_razdela

It can also be detected & cured by TDSSKiller (and of course by all our current AV products).
Kaspersky Lab

rkhunter
Posts: 1155
Joined: Mon Mar 15, 2010 12:51 pm
Location: Russian Federation

Re: Trojan.Mayachok.2

Post by rkhunter » Mon Jul 04, 2011 4:39 pm

Yes, bootrec /fixboot helps.

rkhunter
Posts: 1155
Joined: Mon Mar 15, 2010 12:51 pm
Location: Russian Federation

Re: Trojan.Mayachok.2

Post by rkhunter » Mon Jul 04, 2011 4:44 pm

Image
Image

dcmorton
Posts: 30
Joined: Tue Nov 16, 2010 4:56 pm
Location: United States

Re: Trojan.Mayachok.2

Post by dcmorton » Wed Jul 06, 2011 2:05 am

Here's the sample referenced in the VT scan.

From the adminus.net 6-25-2011 samples.

EP_X0FF
Global Moderator
Posts: 4872
Joined: Sun Mar 07, 2010 5:35 am
Location: Russian Federation

Re: Trojan.Mayachok.2

Post by EP_X0FF » Wed Jul 06, 2011 4:15 am

Thanks for the sample.

Attached is the driver it stores in the first sectors of the disk, with the payload DLL (seems not much changed since IntMayak v1) bound to the driver.
CreateProcess and LoadImage notify callbacks are in place (firefox.exe, opera.exe, chrome.exe as targets of DLL injection; svchost.exe, iexplore.exe, firefox.exe, opera.exe, chrome.exe for the x64 version).

Also attached: Mayachok.1 with the extracted payload DLL.
d:\work\projects\bk2\kloader\Release\i386\kloader.pdb
d:\work\projects\bk2\kloader\Release\amd64\kloader.pdb
Infected volume boot record attached also.

Overall not impressive. :?
Fixboot, Amen.
Ring0 - the source of inspiration
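Since the thread's remediation advice is bootrec /fixboot and the infected VBR is attached, here is an added defender-side example (my own code, not from this thread, Dr.Web or Kaspersky) that parses a 512-byte NTFS volume boot record, checks the BPB for structural plausibility, and compares the bootstrap-code region against a known-good hash, so a VBR can be checked before and after fixboot. The VBR bytes built by build_vbr are constructed test data; the standard NTFS boot-sector layout is assumed, and the reference hash and partition start LBA must come from the system under examination.

```python
import hashlib
import struct

SECTOR_SIZE = 512
# Standard NTFS boot sector: BPB + extended BPB occupy the first 84 bytes (0x00-0x53),
# the bootstrap code follows up to the 0x55AA signature in the last two bytes.
BPB_FORMAT = "<3s8sHBH3sHBHHHIIIQQQb3sb3sQI"
BPB_SIZE = struct.calcsize(BPB_FORMAT)            # 84
BOOT_CODE_SIZE = SECTOR_SIZE - BPB_SIZE - 2       # 426

def build_vbr(hidden_sectors=2048, boot_code=b"\x90" * BOOT_CODE_SIZE):
    """Constructed test data: a minimal NTFS-looking VBR, not a real disk image."""
    bpb = struct.pack(BPB_FORMAT, b"\xEB\x52\x90", b"NTFS    ", SECTOR_SIZE, 8, 0,
                      b"\0\0\0", 0, 0xF8, 0, 63, 255, hidden_sectors, 0, 0x80008000,
                      0x3FFFFFF, 786432, 2, -10, b"\0\0\0", 1, b"\0\0\0",
                      0x1234567890ABCDEF, 0)
    return bpb + boot_code[:BOOT_CODE_SIZE].ljust(BOOT_CODE_SIZE, b"\0") + b"\x55\xAA"

def boot_code_sha256(vbr):
    """Hash of the bootstrap code region only, so BPB-only edits do not change it."""
    return hashlib.sha256(vbr[BPB_SIZE:SECTOR_SIZE - 2]).hexdigest()

def check_vbr(vbr, known_good_code_sha256, expected_hidden_sectors):
    """Return a list of findings; an empty list means every check passed.
    known_good_code_sha256 comes from a clean VBR of the same Windows version,
    expected_hidden_sectors from the partition's start LBA in the MBR table."""
    if len(vbr) != SECTOR_SIZE:
        return ["VBR is not exactly one 512-byte sector"]
    f = struct.unpack(BPB_FORMAT, vbr[:BPB_SIZE])
    oem, bps, spc, reserved, media = f[1], f[2], f[3], f[4], f[7]
    hidden, total, mft, mft_mirror = f[11], f[14], f[15], f[16]
    findings = []
    if vbr[-2:] != b"\x55\xAA":
        findings.append("missing 0x55AA boot signature")
    if oem != b"NTFS    ":
        findings.append("OEM ID is not 'NTFS    ': %r" % oem)
    if bps not in (512, 1024, 2048, 4096) or spc == 0 or spc & (spc - 1):
        findings.append("implausible sector/cluster geometry: %d x %d" % (bps, spc))
    if reserved != 0 or media != 0xF8:
        findings.append("reserved sectors / media descriptor are not NTFS defaults")
    if hidden != expected_hidden_sectors:
        findings.append("HiddenSectors %d != partition start LBA %d"
                        % (hidden, expected_hidden_sectors))
    clusters = total // spc if spc else 0
    if mft >= clusters or mft_mirror >= clusters:
        findings.append("$MFT or $MFTMirr cluster lies outside the volume")
    if boot_code_sha256(vbr) != known_good_code_sha256:
        findings.append("bootstrap code differs from the known-good reference")
    return findings
```

On a live system the first sector of the system partition can be read with a raw disk handle and fed to check_vbr; a non-empty finding list after fixboot means the VBR was not restored.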

EP_X0FF
Global Moderator
Posts: 4872
Joined: Sun Mar 07, 2010 5:35 am
Location: Russian Federation

Re: Trojan.Mayachok.2

Post by EP_X0FF » Wed Jul 06, 2011 9:29 am

x64 driver attached.

This rootkit has been added to the x64 rootkits thread list.
Ring0 - the source of inspiration

dcmorton
Posts: 30
Joined: Tue Nov 16, 2010 4:56 pm
Location: United States

Re: Trojan.Mayachok.2

Post by dcmorton » Thu Jul 07, 2011 1:09 pm

Here's the earlier mentioned Securelist blog post in English:

http://www.securelist.com/en/blog/517/C ... BR_to_NTFS

rkhunter
Posts: 1155
Joined: Mon Mar 15, 2010 12:51 pm
Location: Russian Federation

Re: Trojan.Mayachok.2

Post by rkhunter » Fri Jul 08, 2011 1:23 pm

The release version of Dr.Web Scanner detects and cures it.
And a new research paper on the technical details of Mayachok.2 (so far only in Russian) -
http://news.drweb.com/?i=1772&c=23&lng=ru&p=0
