[EP_X0FF]

I believe this is simple bug. VmWare scsi driver incompatible with SCSI requests used by RootRepeal. In my tests it always list first sectors, because it simple can't read them through vmware miniport driver.

[wealllbe20]

does this simple tool remedy the malware:

http://www.esagelab.com/resources.php?n=4

[Cr4sh]

does this simple tool remedy the malware:

http://www.esagelab.com/resources.php?n=4

This Remover uses SPTI for disk I/O, that can be hooked by malware in easy way, but I did'nt saw such hooks in known bootkits.

[gjf]

VMWare - cannot boot because of MBR damage. Chance to load last successful / Safe Mode and with any choose - again and again.

[t4L]

I believe other passthru IOCTL is enough to detect this creature.

[__Genius__]

Hmm, I'm confusing about the password of malware zip file that is attached in the first post :!:

[gjf]

Try one of the following:
malware
infected
virus

Actually I am using a script with these standard ones and have no idea which exactly worked well :)

[__Genius__]

Yes, it's "infected".
vt result : 32/41

Code: Select all

http://www.virustotal.com/analisis/464d963f698ee0a385a983c5b88b1c2ba3243ebb776e8f205def48d7aac348d7-1273191636

seems not stealth as well in case of real-time file system scan with anti-virus systems.

[obse]

Yes, it's "infected".
vt result : 32/41

Code: Select all

http://www.virustotal.com/analisis/464d963f698ee0a385a983c5b88b1c2ba3243ebb776e8f205def48d7aac348d7-1273191636

seems not stealth as well in case of real-time file system scan with anti-virus systems.

it's stealth... but you have to wait about 3 minutes when it activate rootkit :)
authors trying to hook ObpParseSymbolicLink (not on all systems they have success) and this is critical for OS, so they didn't found "good" solution and
set timeout to give a chance to system to initialize self :)

[__Genius__]

BTW, is there any solution to getting rid of this MBR Rootkit ?