KernelMode.info

PostPosted:**Fri Dec 14, 2012 6:15 pm**

I'm trying to examine a computer with a possible rootkit onboard. The user had removed two rootkits (?) called Rloader.a and Rloader.b some time ago.

MBRCheck warns about non-standard or infected MBR but is it just Acer's proprietary MBR code (the computer is made by Acer)? Googling the SHA1 checksum gives lots of topics from various support forums where some people suggest replacing with a standard Windows boot code but some just ignore it.

Size Device Name MBR Status
--------------------------------------------
232 GB \\.\PhysicalDrive0 Unknown MBR code
SHA1: 75374D27B77E61C9316E27BACDEE41C1E2C9874E

Found non-standard or infected MBR.

TDSSKiller doesn't find anything, GMER hangs during scan. Combofix doesn't find anything special.

Sending the dumped MBR to Virustotal results in one alert from VBA32, "suspected of Unknown.BootVirus".

I tried to look at the dump using a hex editor and IDA but didn't have much success with the boot code part.

Partition table seems to be OK, no signs of partitions created by malware (mainly those TDL-4 variants).

Dump attached as 7-zipped archive, password 12345

PostPosted:**Fri Dec 14, 2012 7:26 pm**

Hello,

Strange.
I don't see any error message (8Bh --> DAh)

Only "Acer" and "system" strings...

Maybe, it's encrypted :?:

PostPosted:**Sat Dec 15, 2012 3:57 am**

This HDD is 250Gb?

2 NTFS partitions + 1 hidden with size (~12 Gb). Partition type is 0x27

PQservice
Acer laptop hidden rescue partition. Can be FAT32 or NTFS. Press Alt-F10 during boot to start this. Also other manufacturers use this type for their rescue partition.

No rootkits here.

Boot startup code partially identical to Acer.2 mbr code. Since this one clearly says "Acer.3" it is OK.

PostPosted:**Sat Dec 15, 2012 11:48 am**

Hello,

Yes, Acer Recovery boot sector, more details about your dump :

Code: Select all

MBR_CODE        : Acer Recovery
MD5             : 6D689C92EE103CA1C013F05437A10A49
SHA1            : 0C5FCF852A39266D814605C789683D0B82D7C4DD
PARTITIONS      : 3
DISK_SIGNATURE  : C985D5EA
SIGNATURE_ID    : AA55h

-----------------------[ PARTITION 1 ]------------------------

BOOTABLE        : NO
PARTITION_TYPE  : 0x27 ( RE Hidden partition )
PARTITION_SIZE  : 11.71 Go
STARTING_SECTOR : 63
ENDING_SECTOR   : 24563385
TOTAL_SECTORS   : 24563322

-----------------------[ PARTITION 2 ]------------------------

BOOTABLE        : YES
PARTITION_TYPE  : 0x07 ( NTFS / HPFS)
PARTITION_SIZE  : 110 Go
STARTING_SECTOR : 24563712
ENDING_SECTOR   : 256700416
TOTAL_SECTORS   : 232136704

-----------------------[ PARTITION 3 ]------------------------

BOOTABLE        : NO
PARTITION_TYPE  : 0x07 ( NTFS / HPFS)
PARTITION_SIZE  : 110 Go
STARTING_SECTOR : 256700416
ENDING_SECTOR   : 488394752
TOTAL_SECTORS   : 231694336

--------------------------------------------------------------

--OFFSET--  0-1-2-3-4-5-6-7-8-9-A-B-C-D-E-F-  0123456789ABCDEF

0x00000000  31C08ED0BC007CFB5007501FFCBE1B7C  1À.Ð¼.|ûP.P.ü¾.|
0x00000010  BF1B065057B9E501F3A4CBBF050031C0  ¿..PW¹å.ó¤Ë¿..1À
0x00000020  B280CD1373074F7402EBF3EBFEBD8807  ².Í.s.Ot.ëóëþ½..
0x00000030  807E005A7454F8B81096B315CD157216  .~.ZtTø¸..³.Í.r.
0x00000040  81F90000742BF8B81096B316CD157206  .ù..t+ø¸..³.Í.r.
0x00000050  81F90100741BF8B81096B318CD157206  .ù..t.ø¸..³.Í.r.
0x00000060  81F901007524F8B881CACD1580FA0174  .ù..u$ø¸.ÊÍ..ú.t
0x00000070  19BEBE07B104382C7C08750B81C61000  .¾¾.±.8,|.u..Æ..
0x00000080  E2F489F5E96F00E96900BDBE07668B5E  âô.õéo.éi.½¾.f.^
0x00000090  0860680000680000665368000068007C  .`h..h..fSh..h.|
0x000000A0  680100681000B442B28089E6CD136161  h..h..´B²..æÍ.aa
0x000000B0  730B4F740830E4B280CD13EBCDE87B00  s.Ot.0ä².Í.ëÍè{.
0x000000C0  BDBE7FC6460080C6461000C6462000C6  ½¾.ÆF..ÆF..ÆF .Æ
0x000000D0  46040BA0897FA8047404804E2410A089  F.....¨.t..N$...
0x000000E0  7FA8087404804E3410E8720068000068  .¨.t..N4.èr.h..h
0x000000F0  007CCBBDCE07668B5E08606800006800  .|Ë½Î.f.^.`h..h.
0x00000100  00665368000068007C680100681000B4  .fSh..h.|h..h..´
0x00000110  42B28089E6CD136161730B4F740830E4  B²..æÍ.aas.Ot.0ä
0x00000120  B280CD13EBCDE81200BDBE7F807E0427  ².Í.ëÍè..½¾..~.'
0x00000130  74BAC6460427E82500EBB1BF050031C0  tºÆF.'è%.ë±¿..1À
0x00000140  8EC0BB007EB80102B500B101B600B280  .À».~¸..µ.±.¶.².
0x00000150  CD1373094F740630E4CD0DEBDEC3BF05  Í.s.Ot.0äÍ.ëÞÃ¿.
0x00000160  0031C08EC0BB007EB80103B500B101B6  .1À.À».~¸..µ.±.¶
0x00000170  00B280CD1373094F740630E4CD0DEBDE  .².Í.s.Ot.0äÍ.ëÞ
0x00000180  C30000416365722E3300007379737465  Ã..Acer.3..syste
0x00000190  6D000000000000000000000000000000  m...............
0x000001A0  00000000000000000000000000000000  ................
0x000001B0  0000000000000000C985D5EA00000001  ........É.Õê....
0x000001C0  010027FEFFFF3F0000007ACE760180FE  ..'þ..?...zÎv..þ
0x000001D0  FFFF07FEFFFF00D076010020D60D00FE  ...þ...Ðv.. Ö..þ
0x000001E0  FFFF07FEFFFF00F04C0F0060CF0D0000  ...þ...ðL..`Ï...
0x000001F0  000000000000000000000000000055AA  ..............Uª

PostPosted:**Sat Dec 15, 2012 12:53 pm**

Ok, thanks for clarification.

The HDD is 250GB. I noticed that "Acer.3" string too but wasn't sure if it there could still be malicious code.

PostPosted:**Tue Dec 18, 2012 7:25 am**

Hello

Confirmed Acer MBR
(Hi Eric it's been a while! :) )

Capture.PNG (39.15 KiB) Viewed 420 times

KernelMode.info

Trying to analyse an MBR dump

Trying to analyse an MBR dump

Re: Trying to analyse an MBR dump

Re: Trying to analyse an MBR dump

Re: Trying to analyse an MBR dump

Re: Trying to analyse an MBR dump

Re: Trying to analyse an MBR dump