Smitnyl - MBR infector - KernelMode.info

Smitnyl - MBR infector

#5117 by gjf
Sun Feb 20, 2011 3:54 pm

Quite interesting information about something like combination of bootkit and file infector.
Does someone have a dropper of this?

VirusInfo / Defendium / SafeZone Helpers Crew

Username

gjf

Posts

198

Joined

Mon Mar 15, 2010 10:23 am

Location

Where I lay my head is home

Contact

Re: Smitnyl - MBR infector

#5119 by cjbi
Sun Feb 20, 2011 4:40 pm

Here is a sample.

Download URL
hxxp://pp.vv49.com/mr/systm.exe

VirusTotal result(s)
http://www.virustotal.com/file-scan/rep ... 1298219700

Attachments

Smitnyl.A.zip

pass: malware
(10.87 KiB) Downloaded 159 times

Username

cjbi

Posts

92

Joined

Sun Mar 14, 2010 7:16 am

Re: Smitnyl - MBR infector

#5134 by gjf
Tue Feb 22, 2011 10:59 am

It should be noted, because it was not obvious from F-Secure post, that fake explrer.exe (downloader) starts, downloads some stuff (in my case it was hxxp://xc.115.bz/tools.exe) and then exits. So without checking userinit.exe and MBR it is not possible to find the way where malware comes in. Actually even userint.exe check will not help because MBR will restore infection on next boot.

VirusInfo / Defendium / SafeZone Helpers Crew

Username

gjf

Posts

198

Joined

Mon Mar 15, 2010 10:23 am

Location

Where I lay my head is home

Contact