[rkhunter]

New bootkit with fraud component - browser banner.



VT report: http://www.virustotal.com/file-scan/rep ... 1309773726

Unusual infection method of VBR.
Also successfully working in x64.
DrWeb Beta Scanner successfully cure it.
Mentioned in (while only on Russia) http://forum.drweb.com/index.php?showto ... ntry530621

[EP_X0FF]

IntMayak.dll as payload?

fixboot?

[Blitskrieg]

Also known as Cidox (Rootkit.Boot.Cidox.a).

Blog post (only in russian now) - http://www.securelist.com/ru/blog/40578 ... FS_razdela

It also can be detected & cured by TDSSKiller (and of course by all our actual AV-products).

[rkhunter]

Yes, bootrec /fixboot for help.

[rkhunter]

[dcmorton]

Here's the sample referenced in the VT scan.

From the adminus.net 6-25-2011 samples.

[EP_X0FF]

Thanks for sample.

In attach driver it stores in the first sectors of the disk, payload dll (seems not much changed since IntMayak v1) binded with driver.
CreateProcess, LoadImage notify callbacks in place (firefox.exe opera.exe chrome.exe as targets of dll injection and svchost.exe iexplore.exe firefox.exe opera.exe chrome.exe for x64 version).

Also in attach Mayachok.1 with extracted payload dll.

d:\work\projects\bk2\kloader\Release\i386\kloader.pdb

d:\work\projects\bk2\kloader\Release\amd64\kloader.pdb

Infected volume boot record attached also.

Overall not impressive. :?
Fixboot, Amen.

[EP_X0FF]

x64 driver attached.

This rootkit added to x64 rootkits thread list.

[dcmorton]

Here's the earlier mentioned Securelist blog post in English

http://www.securelist.com/en/blog/517/C ... BR_to_NTFS

[rkhunter]

Dr.Web Scanner in release detect and cure it.
And new research paper about technical detail of Mayachok.2 (till only in Russia) -
http://news.drweb.com/?i=1772&c=23&lng=ru&p=0