<<> wrote::arrow: http://blogs.avg.com/news-threats/ime-i ... evolution/LOL
A forum for reverse engineering, OS internals and malware analysis
AVG detects it as Wapomi.F
Some info http://blogs.avg.com/news-threats/int-1 ... omi-sample
Some info http://blogs.avg.com/news-threats/int-1 ... omi-sample
Microsoft and many others detect this as Jadtre. Pretty interesting rootkit with worm like activities.
Fresh Guntior dropper.
Code changed & added.
VirusTotal result(s)
1.exe.vir 28/42 https://www.virustotal.com/file/ab43046 ... 345829437/
Code changed & added.
VirusTotal result(s)
1.exe.vir 28/42 https://www.virustotal.com/file/ab43046 ... 345829437/
Attachments
pw: infected
(96.79 KiB) Downloaded 80 times
(96.79 KiB) Downloaded 80 times
cjbi wrote:Code changed & added.Can someone go into some detail on what has changed?
VirusTotal result(s)
1.exe.vir 28/42 https://www.virustotal.com/file/ab43046 ... 345829437/
There are only few changes, nothing special:
Malware also hooks DriverStartIo of miniport driver if exists and that's all.
Code: Select all
Now it hooks four services: ZwLoadDriver, ZwSetSystemInformation, ZwSetValueKey, ZwReadFile. Hooks of ZwLoadDriver, ZwSetSystemInformation(SystemExtendServiceTableInformation) compare names of loaded modules with a short list:
C:\sys.pdb -> D:\new2DNet\Rocket\Product\Rdrv.pdbCode: Select all
If one of these modules will be detected, malware stops loading driver. ZwSetValueKey hook blocks seting values of two key paths: "Services\\BC" and "Services\\MiniKill". ZwReadFile hook blocks access to "sfc_os.dll".ksapi.sys
kisknl.sys
skvkrpr.sys
minidb.sys
bc.sys
bapidrv.sys
beepmbr.sys
findandfixbiosvirus.sysMalware also hooks DriverStartIo of miniport driver if exists and that's all.
I am Jack's NULL pointer (actual e-mail contact.ntinternals_at_gmail.com)
Fresh Guntior dropper.
VirusTotal result(s)
malware.exe.vir 21/43 https://www.virustotal.com/file/a7e047a ... 348056419/
VirusTotal result(s)
malware.exe.vir 21/43 https://www.virustotal.com/file/a7e047a ... 348056419/
Attachments
pw: infected
(96.93 KiB) Downloaded 91 times
(96.93 KiB) Downloaded 91 times
Guntior bootkit is still alive.
Fresh dropper & payloads attached.
Final payload is Delphi coded PbBot.
VirusTotal result(s)
ACE.exe.vir (Guntior bootkit dropper) 15/45 https://www.virustotal.com/file/600b149 ... 360490557/
syslog.exe.vir (Delphi coded PbBot) 24/45 https://www.virustotal.com/file/7bdf546 ... 360491763/
Fresh dropper & payloads attached.
Final payload is Delphi coded PbBot.
VirusTotal result(s)
ACE.exe.vir (Guntior bootkit dropper) 15/45 https://www.virustotal.com/file/600b149 ... 360490557/
syslog.exe.vir (Delphi coded PbBot) 24/45 https://www.virustotal.com/file/7bdf546 ... 360491763/
Attachments
pw: infected
(1.11 MiB) Downloaded 87 times
(1.11 MiB) Downloaded 87 times
Fresh Sample Wapomi/Jadtre/Qvod
VT: 40/46
MD5: 67953f8946d9b1a7865866ed403618ed
https://www.virustotal.com/en/file/5937 ... /analysis/
EDIT: Does anyone know of a tool to disinfect this? I have been looking but not successfully. Many AV tools can find and delete the infected files, but is OS reinstall the only viable option here?
VT: 40/46
MD5: 67953f8946d9b1a7865866ed403618ed
https://www.virustotal.com/en/file/5937 ... /analysis/
EDIT: Does anyone know of a tool to disinfect this? I have been looking but not successfully. Many AV tools can find and delete the infected files, but is OS reinstall the only viable option here?
Attachments
Password: infected
(458.16 KiB) Downloaded 92 times
(458.16 KiB) Downloaded 92 times
MD5: abcf43244787603e3d99938fb550511c
SHA1: e7f813e609b4ebdc0370569da2c5b334d34a6173
https://www.virustotal.com/en/file/b134 ... 367653788/
SHA1: e7f813e609b4ebdc0370569da2c5b334d34a6173
https://www.virustotal.com/en/file/b134 ... 367653788/
Attachments
pass: virus
(68.92 KiB) Downloaded 72 times
(68.92 KiB) Downloaded 72 times
