[StamilT]

Hi.
There is a new modification of Mayachok.2 or Boot.Cidox.
VBR VT (1/43).
Microsoft TrojanDropper:Win32/Rovnix.B

Droppers:
VT (18/43)
VT (19/43)

TDSSKiller detects an anomaly:

Tuluka detects "IRP handler hooked"

[rkhunter]

Hi.
There is a new modification of Mayachok.2 or Boot.Cidox.

Hi, StamilT. Thank you for the droppers :)

[Blitskrieg]

Hello. We released detect & cure for VBR today - Rootkit.Boot.Cidox.b:


TDSSKiller with named detection is available by the following URL - ftp://SLArchive-ro:vOs1onEcsM@data6.kas ... Killer.exe

[rkhunter]

Hi, Blitskrieg. What new in this version? Can you tell?

[Blitskrieg]

Hi, Blitskrieg. What new in this version? Can you tell?

I'm still analyzing it. But the main new feature - VBR rewrite prevention by IRP_MJ_SCSI hook (it is strange, but read is not blocked or forged).

[StamilT]

By the way, PowerToolV4.2 utility "hangs" when scans VBR :D

[gjf]

Mikhail Kasimov reported, that only TDSS Killer and VBA32 Antirootkit were able to detect the latest Cidox. By the way RkU and Gmer failed.
EP_X0FF, are you planning to continue work on RkU or the project is fully freezed?

[gjf]

TDSSKiller with named detection is available by the following URL - ftp://SLArchive-ro:vOs1onEcsM@data6.kas ... Killer.exe

Now everybody knows your SuperSecret Password, Yuriy :)
Is this version already in public?

[rkhunter]

TDSS Killer and VBA Ark have a special features for detect malicious VBR. I don't remember that Rku has such feature too, also since summer of last year when first Cidox were.

[Blitskrieg]

TDSSKiller with named detection is available by the following URL - ftp://SLArchive-ro:vOs1onEcsM@data6.kas ... Killer.exe

Now everybody knows your SuperSecret Password, Yuriy :)
Is this version already in public?

No, this is public password for read-only access. This version will be available on support.kaspersky.com tomorrow.