Forum for completed malware requests.
 #20210  by thisisu
 Fri Jul 26, 2013 12:38 am
Hi,

I'm looking for a dropper of Trojan:DOS/Rovnix.D.

According to MS, Trojan:DOS/Rovnix.D is a detection for the malicious Volume Boot Record (VBR); the malicious VBR is loaded at boot time.

Source: http://www.microsoft.com/security/porta ... ix.D#tab=2

MBR.dat (renamed as MBR.txt) attached. It is from this thread: http://www.bleepingcomputer.com/forums/ ... -with-mse/

I'm thinking MSE detects this partition as malicious:
-----------------------[ PARTITION 2 ]------------------------

BOOTABLE        : NO
PARTITION_TYPE  : 0x07 ( NTFS / HPFS)
PARTITION_SIZE  : 100 Mo
STARTING_SECTOR : 36866048
ENDING_SECTOR   : 37070848
TOTAL_SECTORS   : 204800
Please note the two 100MB partitions on disk 0.

Log from MSE attached as well

Thanks!
Attachments:
MSE log (28.29 KiB)
copy of MBR from BC thread (512 Bytes)
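The attached MBR.dat is a raw 512-byte master boot record, and the partition listing above is just a rendering of the four 16-byte entries that start at offset 0x1BE in it. The script below is an added example (not code from the original post or from any tool mentioned in it) that parses such a dump the same way, prints each entry in the layout quoted above, and applies the poster's own observation as a heuristic: report when more than one small partition of the same size is present. The sample MBR bytes are constructed here; only partition 2 reuses the figures quoted in the post (type 0x07, starting sector 36866048, 204800 sectors). Note that the tool output's ENDING_SECTOR equals start + total, i.e. one past the last sector in use, and the parser reproduces that convention.

```python
"""Parse a raw 512-byte MBR and list its partition entries.

Added example, not from the original post. The SAMPLE_MBR below is
constructed; only partition 2 reuses the numbers quoted in the thread.
"""
import struct
import sys

SECTOR = 512
PART_TABLE_OFFSET = 0x1BE          # four 16-byte entries live at 0x1BE..0x1FD
ENTRY_SIZE = 16
ENTRY_FMT = "<B3xB3xII"            # status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count
TYPE_NAMES = {0x07: "NTFS / HPFS", 0x0B: "FAT32", 0x0C: "FAT32 LBA", 0x27: "Hidden NTFS (WinRE)"}


def parse_mbr(mbr: bytes) -> list:
    """Return one dict per non-empty partition entry, in table order."""
    if len(mbr) != SECTOR:
        raise ValueError("MBR must be exactly 512 bytes")
    if mbr[510:512] != b"\x55\xAA":
        raise ValueError("missing 0x55AA boot signature")
    parts = []
    for i in range(4):
        status, ptype, start_lba, total = struct.unpack_from(ENTRY_FMT, mbr, PART_TABLE_OFFSET + i * ENTRY_SIZE)
        if ptype == 0:
            continue                # empty slot
        parts.append({
            "index": i + 1,
            "bootable": status == 0x80,
            "type": ptype,
            "start": start_lba,
            "end": start_lba + total,               # tool-style: one past the last sector
            "total": total,
            "size_mb": total * SECTOR // (1024 * 1024),
        })
    return parts


def format_entry(p: dict) -> str:
    """Render one entry in the same layout as the listing quoted in the post."""
    return "\n".join([
        f"-----------------------[ PARTITION {p['index']} ]------------------------",
        "",
        f"BOOTABLE        : {'YES' if p['bootable'] else 'NO'}",
        f"PARTITION_TYPE  : 0x{p['type']:02X} ( {TYPE_NAMES.get(p['type'], 'unknown')})",
        f"PARTITION_SIZE  : {p['size_mb']} MB",
        f"STARTING_SECTOR : {p['start']}",
        f"ENDING_SECTOR   : {p['end']}",
        f"TOTAL_SECTORS   : {p['total']}",
    ])


def same_sized_small_partitions(parts: list, max_mb: int = 200) -> dict:
    """Heuristic only (the poster's observation): map size_mb -> entry indexes
    for every size <= max_mb that occurs more than once."""
    by_size = {}
    for p in parts:
        if p["size_mb"] <= max_mb:
            by_size.setdefault(p["size_mb"], []).append(p["index"])
    return {size: idx for size, idx in by_size.items() if len(idx) > 1}


def _entry(status: int, ptype: int, start: int, total: int) -> bytes:
    return struct.pack(ENTRY_FMT, status, ptype, start, total)


# Constructed sample: a bootable 100 MB NTFS system partition, the post's second
# 100 MB NTFS partition at LBA 36866048, and an OS partition filling the gap.
_buf = bytearray(SECTOR)
_buf[PART_TABLE_OFFSET:PART_TABLE_OFFSET + 64] = (
    _entry(0x80, 0x07, 2048, 204800)
    + _entry(0x00, 0x07, 36866048, 204800)
    + _entry(0x00, 0x07, 206848, 36659200)
    + bytes(ENTRY_SIZE)
)
_buf[510:512] = b"\x55\xAA"
SAMPLE_MBR = bytes(_buf)


def main(argv: list) -> int:
    # usage: python mbr_parse.py [MBR.dat]; with no argument the constructed sample is used
    data = open(argv[1], "rb").read() if len(argv) > 1 else SAMPLE_MBR
    parts = parse_mbr(data)
    for p in parts:
        print(format_entry(p))
    dupes = same_sized_small_partitions(parts)
    for size, idx in dupes.items():
        print(f"NOTE: {len(idx)} partitions of {size} MB (entries {idx}) - worth a closer look")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it against the attached 512-byte dump with `python mbr_parse.py MBR.dat`. The duplicate-size check is only a prompt to look further; confirming a Rovnix-class VBR infection means dumping and inspecting the first sector of each partition, which this script does not do.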
 #20211  by EP_X0FF
 Fri Jul 26, 2013 2:01 am
You can find it inside Carberp source or in Simda/Carberp/Cidox threads. It is BkLoader.