WinNT/Rovnix (alias Mayachok, Cidox, BkLoader)

Forum for analysis and discussion about malware.
StamilT
Posts: 3
Joined: Tue Feb 07, 2012 4:36 pm

Re: Trojan.Mayachok.2

Post by StamilT » Sat Feb 11, 2012 3:23 pm

Hi.
There is a new modification of Mayachok.2 or Boot.Cidox.
VBR VT (1/43).
Microsoft TrojanDropper:Win32/Rovnix.B

Droppers:
VT (18/43)
VT (19/43)

TDSSKiller detects an anomaly (screenshot attached).
Tuluka detects "IRP handler hooked" (screenshots attached).

rkhunter
Posts: 1155
Joined: Mon Mar 15, 2010 12:51 pm
Location: Russian Federation

Re: Trojan.Mayachok.2

Post by rkhunter » Sat Feb 11, 2012 3:37 pm

StamilT wrote: Hi. There is a new modification of Mayachok.2 or Boot.Cidox.
Hi, StamilT. Thank you for the droppers :)

Blitskrieg
Posts: 20
Joined: Sun Mar 14, 2010 7:22 am

Re: Trojan.Mayachok.2

Post by Blitskrieg » Sat Feb 11, 2012 4:58 pm

Hello. We released detection & cure for the VBR today - Rootkit.Boot.Cidox.b (screenshot attached).

TDSSKiller with named detection is available by the following URL - ftp://SLArchive-ro:vOs1onEcsM@data6.kas ... Killer.exe
Kaspersky Lab

rkhunter
Posts: 1155
Joined: Mon Mar 15, 2010 12:51 pm
Location: Russian Federation

Re: Trojan.Mayachok.2

Post by rkhunter » Sat Feb 11, 2012 5:14 pm

Hi, Blitskrieg. What's new in this version? Can you tell?

Blitskrieg
Posts: 20
Joined: Sun Mar 14, 2010 7:22 am

Re: Trojan.Mayachok.2

Post by Blitskrieg » Sat Feb 11, 2012 5:19 pm

rkhunter wrote: Hi, Blitskrieg. What's new in this version? Can you tell?
I'm still analyzing it. But the main new feature is VBR rewrite prevention by an IRP_MJ_SCSI hook (it is strange, but reads are not blocked or forged).
Kaspersky Lab
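The behaviour Blitskrieg describes above, as an added example that is not code from the thread, from Kaspersky, or from the malware itself: a userland C model in which a disk driver's IRP_MJ_SCSI dispatch entry is replaced by a hook that fails SCSI WRITE(10) requests covering the VBR sector while passing READ(10) through untouched, followed by the kind of check that produces an "IRP handler hooked" verdict, namely that every dispatch entry must point inside the owning driver's image. DriverObject, Irp and Srb are simplified stand-ins for the kernel structures, the four-sector disk and the VBR LBA are constructed, the one-byte "image range" is an assumption forced by userland (a program cannot know its own function sizes), and whether the real sample fails the request or silently discards it is not stated in the thread.

```c
/* Added example, not from the thread or the sample: a userland model of an
 * IRP_MJ_SCSI dispatch hook that blocks writes to the VBR but not reads,
 * plus the dispatch-table check a rootkit scanner runs against it. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define IRP_MJ_SCSI          0x0F   /* == IRP_MJ_INTERNAL_DEVICE_CONTROL */
#define IRP_MJ_MAXIMUM       0x1B   /* dispatch table has 0x1C entries */
#define SCSIOP_READ          0x28   /* READ(10)  */
#define SCSIOP_WRITE         0x2A   /* WRITE(10) */
#define STATUS_SUCCESS       0x00000000u
#define STATUS_INVALID_PARAM 0xC000000Du
#define STATUS_ACCESS_DENIED 0xC0000022u

#define SECTOR   512
#define NSECTORS 4                  /* constructed 2 KiB "disk" */
#define VBR_LBA  1                  /* sector the hook protects (assumed) */

typedef struct { uint8_t cdb[16]; uint8_t *buf; } Srb;   /* stand-in for SCSI_REQUEST_BLOCK */
typedef struct { Srb *srb; } Irp;                         /* stand-in for IRP */
typedef uint32_t (*DispatchFn)(Irp *);
typedef struct {
    uintptr_t  image_base;          /* [base, base+size) = driver's own code */
    size_t     image_size;
    DispatchFn MajorFunction[IRP_MJ_MAXIMUM + 1];
} DriverObject;                     /* stand-in for DRIVER_OBJECT */

static uint8_t g_disk[NSECTORS * SECTOR];   /* constructed backing store */

static uint32_t cdb10_lba(const uint8_t *c) {
    return ((uint32_t)c[2] << 24) | ((uint32_t)c[3] << 16) | ((uint32_t)c[4] << 8) | c[5];
}
static uint32_t cdb10_len(const uint8_t *c) { return ((uint32_t)c[7] << 8) | c[8]; }

/* Legitimate handler, standing in for the disk class / port driver. */
static uint32_t DiskScsiDispatch(Irp *irp) {
    const uint8_t *cdb = irp->srb->cdb;
    uint32_t lba = cdb10_lba(cdb), n = cdb10_len(cdb);
    if (n == 0 || lba + n > NSECTORS) return STATUS_INVALID_PARAM;
    if (cdb[0] == SCSIOP_READ)       memcpy(irp->srb->buf, g_disk + lba * SECTOR, n * SECTOR);
    else if (cdb[0] == SCSIOP_WRITE) memcpy(g_disk + lba * SECTOR, irp->srb->buf, n * SECTOR);
    else return STATUS_INVALID_PARAM;
    return STATUS_SUCCESS;
}

static DispatchFn g_original;       /* saved by the hook so it can chain */

/* The hook: a WRITE(10) whose range covers VBR_LBA is failed; everything
 * else, reads included, goes to the original handler unmodified, which is
 * why a raw read of the VBR still shows the infected sector. */
static uint32_t HookedScsiDispatch(Irp *irp) {
    const uint8_t *cdb = irp->srb->cdb;
    if (cdb[0] == SCSIOP_WRITE) {
        uint32_t lba = cdb10_lba(cdb), end = lba + cdb10_len(cdb);
        if (lba <= VBR_LBA && VBR_LBA < end) return STATUS_ACCESS_DENIED;
    }
    return g_original(irp);
}

void SetupDriver(DriverObject *d) {
    memset(g_disk, 0, sizeof g_disk);
    for (int i = 0; i <= IRP_MJ_MAXIMUM; i++) d->MajorFunction[i] = DiskScsiDispatch;
    /* Assumption: a one-byte image range covering only the legitimate
     * handler, because userland cannot learn its own function sizes. */
    d->image_base = (uintptr_t)DiskScsiDispatch;
    d->image_size = 1;
}

void InstallHook(DriverObject *d) {
    g_original = d->MajorFunction[IRP_MJ_SCSI];
    d->MajorFunction[IRP_MJ_SCSI] = HookedScsiDispatch;
}

/* Build a READ(10)/WRITE(10) CDB for n sectors and push it through the table. */
static uint32_t SendScsi(DriverObject *d, uint8_t op, uint32_t lba, uint32_t n, uint8_t *buf) {
    Srb srb = { {0}, buf }; Irp irp = { &srb };
    srb.cdb[0] = op;
    srb.cdb[2] = (uint8_t)(lba >> 24); srb.cdb[3] = (uint8_t)(lba >> 16);
    srb.cdb[4] = (uint8_t)(lba >> 8);  srb.cdb[5] = (uint8_t)lba;
    srb.cdb[7] = (uint8_t)(n >> 8);    srb.cdb[8] = (uint8_t)n;
    return d->MajorFunction[IRP_MJ_SCSI](&irp);
}
uint32_t ScsiRead (DriverObject *d, uint32_t lba, uint32_t n, uint8_t *buf) { return SendScsi(d, SCSIOP_READ,  lba, n, buf); }
uint32_t ScsiWrite(DriverObject *d, uint32_t lba, uint32_t n, uint8_t *buf) { return SendScsi(d, SCSIOP_WRITE, lba, n, buf); }

/* The check behind an "IRP handler hooked" verdict: first major-function
 * index whose handler lies outside the owning driver's image, or -1. */
int FindHookedDispatch(const DriverObject *d) {
    for (int i = 0; i <= IRP_MJ_MAXIMUM; i++) {
        uintptr_t p = (uintptr_t)d->MajorFunction[i];
        if (p < d->image_base || p >= d->image_base + d->image_size) return i;
    }
    return -1;
}

int main(void) {
    DriverObject d; uint8_t buf[SECTOR];
    SetupDriver(&d);
    printf("clean table: hooked index %d\n", FindHookedDispatch(&d));
    InstallHook(&d);
    printf("after hook:  hooked index %d (IRP_MJ_SCSI = %d)\n", FindHookedDispatch(&d), IRP_MJ_SCSI);
    memset(buf, 0x55, sizeof buf);
    printf("write VBR:   0x%08X\n", ScsiWrite(&d, VBR_LBA, 1, buf));
    printf("read  VBR:   0x%08X\n", ScsiRead(&d, VBR_LBA, 1, buf));
    return 0;
}
```

The range check is the same idea whether the hooked entry is MajorFunction[IRP_MJ_SCSI] in the port driver or a lower object in the storage stack: a handler address that resolves to no loaded module, or to a module other than the one that owns the driver object, is the anomaly; a cleaner has to restore the original pointer (or bypass the hooked path entirely) before its VBR rewrite can land.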

StamilT
Posts: 3
Joined: Tue Feb 07, 2012 4:36 pm

Re: Trojan.Mayachok.2

Post by StamilT » Sat Feb 11, 2012 5:45 pm

By the way, the PowerToolV4.2 utility "hangs" when it scans the VBR :D

gjf
Posts: 198
Joined: Mon Mar 15, 2010 10:23 am
Location: Where I lay my head is home

Re: Trojan.Mayachok.2

Post by gjf » Sun Feb 12, 2012 1:41 pm

Mikhail Kasimov reported that only TDSS Killer and VBA32 Antirootkit were able to detect the latest Cidox. By the way, RkU and Gmer failed.
EP_X0FF, are you planning to continue work on RkU, or is the project fully frozen?
VirusInfo / Defendium / SafeZone Helpers Crew

gjf
Posts: 198
Joined: Mon Mar 15, 2010 10:23 am
Location: Where I lay my head is home

Re: Trojan.Mayachok.2

Post by gjf » Sun Feb 12, 2012 1:45 pm

Blitskrieg wrote: TDSSKiller with named detection is available by the following URL - ftp://SLArchive-ro:vOs1onEcsM@data6.kas ... Killer.exe
Now everybody knows your SuperSecret Password, Yuriy :)
Is this version already in public?
VirusInfo / Defendium / SafeZone Helpers Crew

rkhunter
Posts: 1155
Joined: Mon Mar 15, 2010 12:51 pm
Location: Russian Federation

Re: Trojan.Mayachok.2

Post by rkhunter » Sun Feb 12, 2012 1:52 pm

TDSS Killer and VBA Ark have special features for detecting a malicious VBR. I don't remember RkU having such a feature either, not since the summer of last year when the first Cidox appeared.

Blitskrieg
Posts: 20
Joined: Sun Mar 14, 2010 7:22 am

Re: Trojan.Mayachok.2

Post by Blitskrieg » Sun Feb 12, 2012 4:05 pm

gjf wrote:
Blitskrieg wrote: TDSSKiller with named detection is available by the following URL - ftp://SLArchive-ro:vOs1onEcsM@data6.kas ... Killer.exe
Now everybody knows your SuperSecret Password, Yuriy :)
Is this version already in public?
No, this is a public password for read-only access. This version will be available on support.kaspersky.com tomorrow.
Kaspersky Lab
