A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #973  by Alex
 Sun May 02, 2010 2:45 pm
Thanks for the interesting sample :)

Alex
 #974  by Elite
 Sun May 02, 2010 7:35 pm
Very interesting sample.

Very amused to see another MBR rootkit. We'll see if this becomes the next TDL3+ or Mebroot.
 #975  by Elite
 Sun May 02, 2010 7:46 pm
Either the sample appears not to be functioning under VirtualBox, or it is completely invisible.

Anyone tried it on VMWare/real machine?

I need to verify the MBR of this VM.
 #976  by EP_X0FF
 Mon May 03, 2010 2:15 am
Hi,

I've tried it on VPC and it killed MBR.

Regards.
 #978  by Avinash
 Mon May 03, 2010 3:22 pm
Hi Respected Members,

I am very much new here. BTW, I am a respected member of Wilders. Today I heard about this rootkit, so I came here to test it.

BTW, can anybody tell me whether this rootkit is VM-aware or not? Secondly, I saw the moderator's post that it managed to kill the MBR, but whose MBR did it kill, the VM's or the host machine's? Is it possible to infect the host machine's MBR by running this under a VM?

Warm Regards
Avinash

Blog:- http://technonxt.wordpress.com
 #979  by EP_X0FF
 Mon May 03, 2010 4:17 pm
Hello and welcome,
Avinash wrote: Secondly, I saw the moderator's post that it managed to kill the MBR, but whose MBR did it kill, the VM's or the host machine's? Is it possible to infect the host machine's MBR by running this under a VM?
1. VM Machine.
2. No.

Regards.
 #980  by Buster_BSA
 Mon May 03, 2010 4:28 pm
Just to make the answer more extensive.

No malware running under a virtual machine (VMware, Virtual PC, VirtualBox, ...) can write to the host if it's not through a specific exploit for that virtual machine or through a feature like "shared folders" from VMware.
 #982  by Alex
 Tue May 04, 2010 12:44 pm
Tested on VMware 6.5 with Windows XP SP2. After rebooting I don't see any infection symptoms (there is nothing suspicious injected into the explorer.exe process); GMER and Radix say that the MBR is clean, only RootRepeal 1.3.5 shows something like this:
[RootRepeal 1.3.5 screenshot]

It is rather a false positive generated by RR. I've run RR on a clean Windows XP and it showed the same results...

Alex
Last edited by Alex on Tue May 04, 2010 12:49 pm, edited 1 time in total. Reason: false positive
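Both Elite ("I need to verify the MBR of this VM") and Alex (GMER/Radix reporting a clean MBR) are asking the same question: did the first sector change after running the sample? The script below is an added example, not code from anyone in this thread. It parses a raw 512-byte MBR (boot code, disk signature, partition table, 0x55AA marker) and diffs it against a known-good copy taken before detonation; the two MBRs here are constructed in-memory stand-ins with placeholder boot code, so on a real VM you would feed it the first 512 bytes of the disk image captured before and after the run.

```python
import hashlib
import struct

SECTOR = 512
BOOT_CODE_LEN = 440       # bytes 0..439: boot code, 440..443: disk signature, 446..509: partition table
PART_TABLE_OFF = 446
PART_ENTRY_LEN = 16
SIGNATURE = b"\x55\xAA"   # bytes 510..511 of every valid MBR


def parse_mbr(sector: bytes) -> dict:
    """Parse a raw MBR into a boot-code hash, the disk signature and the non-empty partition entries."""
    if len(sector) != SECTOR:
        raise ValueError("MBR must be exactly 512 bytes")
    if sector[510:512] != SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    parts = []
    for i in range(4):
        off = PART_TABLE_OFF + i * PART_ENTRY_LEN
        # status(1) CHS-start(3, skipped) type(1) CHS-end(3, skipped) LBA-start(4) sector-count(4)
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", sector, off)
        if ptype != 0:
            parts.append({"index": i, "bootable": status == 0x80, "type": ptype,
                          "lba_start": lba_start, "sectors": sectors})
    return {"boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
            "disk_signature": struct.unpack_from("<I", sector, 440)[0],
            "partitions": parts}


def compare_mbr(baseline: bytes, current: bytes) -> list:
    """Return human-readable differences between a known-good MBR and the one read after running a sample."""
    base, cur = parse_mbr(baseline), parse_mbr(current)
    findings = []
    if base["boot_code_sha256"] != cur["boot_code_sha256"]:
        findings.append("boot code differs from baseline (possible bootkit)")
    if base["disk_signature"] != cur["disk_signature"]:
        findings.append("disk signature changed")
    if base["partitions"] != cur["partitions"]:
        findings.append("partition table changed")
    return findings


def build_sample_mbr(boot_code: bytes, disk_sig: int = 0x1234ABCD) -> bytes:
    """Constructed test MBR (placeholder boot code, one bootable NTFS partition); not a real disk sector."""
    mbr = bytearray(SECTOR)
    mbr[:len(boot_code)] = boot_code
    struct.pack_into("<I", mbr, 440, disk_sig)
    struct.pack_into("<B3xB3xII", mbr, PART_TABLE_OFF, 0x80, 0x07, 63, 20_000_000)
    mbr[510:512] = SIGNATURE
    return bytes(mbr)


CLEAN_MBR = build_sample_mbr(b"\xEB\x3C\x90" + b"\x00" * 100)   # constructed "before" sector
TAMPERED_MBR = bytearray(CLEAN_MBR)
TAMPERED_MBR[0x10] ^= 0xFF                                        # simulate one patched boot-code byte
TAMPERED_MBR = bytes(TAMPERED_MBR)

if __name__ == "__main__":
    print("clean vs clean:", compare_mbr(CLEAN_MBR, CLEAN_MBR) or "no change")
    print("clean vs tampered:", compare_mbr(CLEAN_MBR, TAMPERED_MBR))
```

Hashing only the boot-code region keeps the comparison stable across legitimate disk-signature or partition edits, which are reported separately rather than lumped in with a code change.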