A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #11557  by rkhunter
 Sat Feb 11, 2012 3:37 pm
StamilT wrote: Hi.
There is a new modification of Mayachok.2 or Boot.Cidox.
Hi, StamilT. Thank you for the droppers :)
 #11559  by rkhunter
 Sat Feb 11, 2012 5:14 pm
Hi, Blitskrieg. What's new in this version? Can you tell?
 #11562  by Blitskrieg
 Sat Feb 11, 2012 5:19 pm
rkhunter wrote: Hi, Blitskrieg. What's new in this version? Can you tell?
I'm still analyzing it. But the main new feature is VBR rewrite prevention by an IRP_MJ_SCSI hook (it is strange, but reads are not blocked or forged).
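Since the post above notes that the hook blocks writes but leaves reads unblocked and unforged, a defender can still read the VBR back and compare it against a recorded baseline, which is essentially what a dedicated "malicious VBR" check in an anti-rootkit tool does. The following is an added illustration written for this thread, not code from any poster or from TDSSKiller: it parses the NTFS-style BIOS parameter block of a 512-byte VBR, runs a few sanity checks, and flags any byte-level drift from a known-good SHA-256. The sample VBR bytes, the `build_sample_vbr` helper and the `tamper` flag are constructed here for the demonstration and do not reproduce the Cidox boot code.

```python
import hashlib
import struct

NTFS_OEM_ID = b"NTFS    "
BOOT_SIGNATURE = b"\x55\xAA"


def build_sample_vbr(oem_id=NTFS_OEM_ID, tamper=False):
    """Constructed 512-byte NTFS-style VBR used as sample input (not a real dump)."""
    vbr = bytearray(512)
    vbr[0:3] = b"\xEB\x52\x90"                 # JMP over the BPB, typical NTFS prologue
    vbr[3:11] = oem_id                         # OEM ID
    struct.pack_into("<H", vbr, 11, 512)       # bytes per sector
    vbr[13] = 8                                # sectors per cluster
    vbr[21] = 0xF8                             # media descriptor (fixed disk)
    struct.pack_into("<Q", vbr, 40, 2097151)   # total sectors
    struct.pack_into("<Q", vbr, 48, 786432)    # $MFT start cluster
    struct.pack_into("<Q", vbr, 56, 2)         # $MFTMirr start cluster
    vbr[510:512] = BOOT_SIGNATURE
    if tamper:
        # Constructed stand-in for a patched boot-code region; offsets are arbitrary.
        vbr[0x60:0x70] = b"\x90" * 16
    return bytes(vbr)


def parse_vbr(vbr):
    """Decode the fields of an NTFS boot sector that a sanity check cares about."""
    if len(vbr) != 512:
        raise ValueError("expected exactly one 512-byte sector")
    return {
        "oem_id": vbr[3:11],
        "bytes_per_sector": struct.unpack_from("<H", vbr, 11)[0],
        "sectors_per_cluster": vbr[13],
        "media_descriptor": vbr[21],
        "total_sectors": struct.unpack_from("<Q", vbr, 40)[0],
        "mft_cluster": struct.unpack_from("<Q", vbr, 48)[0],
        "mft_mirror_cluster": struct.unpack_from("<Q", vbr, 56)[0],
        "signature": vbr[510:512],
    }


def check_vbr(vbr, baseline_sha256):
    """Return a list of findings; an empty list means the VBR looks unchanged and sane."""
    findings = []
    info = parse_vbr(vbr)
    if info["signature"] != BOOT_SIGNATURE:
        findings.append("missing 0x55AA boot signature")
    if info["oem_id"] != NTFS_OEM_ID:
        findings.append("unexpected OEM ID %r" % info["oem_id"])
    if info["bytes_per_sector"] not in (512, 1024, 2048, 4096):
        findings.append("implausible bytes-per-sector %d" % info["bytes_per_sector"])
    if info["mft_cluster"] >= info["total_sectors"]:
        findings.append("$MFT cluster lies beyond the volume")
    # Byte-level comparison catches boot-code patches that leave the BPB intact,
    # which is the case the structural checks above cannot see.
    if hashlib.sha256(vbr).hexdigest() != baseline_sha256:
        findings.append("VBR differs from recorded baseline")
    return findings


if __name__ == "__main__":
    clean = build_sample_vbr()
    baseline = hashlib.sha256(clean).hexdigest()
    print("clean:", check_vbr(clean, baseline))
    print("tampered:", check_vbr(build_sample_vbr(tamper=True), baseline))
```

On a live system the 512 bytes would come from reading sector 0 of the partition through the volume or physical-disk device; the comparison is only meaningful if the read path returns what is really on disk, which the post says holds for this variant but is not something to rely on against every bootkit.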
 #11574  by gjf
 Sun Feb 12, 2012 1:41 pm
Mikhail Kasimov reported that only TDSS Killer and VBA32 Antirootkit were able to detect the latest Cidox. By the way, RkU and Gmer failed.
EP_X0FF, are you planning to continue work on RkU, or is the project fully frozen?
 #11576  by rkhunter
 Sun Feb 12, 2012 1:52 pm
TDSS Killer and VBA Ark have special features for detecting a malicious VBR. I don't remember RkU having such a feature either, not even since summer of last year when the first Cidox appeared.
 #11578  by Blitskrieg
 Sun Feb 12, 2012 4:05 pm
gjf wrote:
Blitskrieg wrote: TDSSKiller with named detection is available by the following URL - ftp://SLArchive-ro:vOs1onEcsM@data6.kas ... Killer.exe
Now everybody knows your SuperSecret Password, Yuriy :)
Is this version already in public?
No, this is a public password for read-only access. This version will be available on support.kaspersky.com tomorrow.