EP_X0FF wrote:btw, IO filtering seems to be the same.Thanks god :)
WBR
SWW
-->Virii Cthulhu has you<--
SWW
-->Virii Cthulhu has you<--
A forum for reverse engineering, OS internals and malware analysis
Just in case if you don't know, cmd64.dll packed with MPRESS
http://www.matcode.com/mpress.htm
http://www.matcode.com/mpress.htm
Ring0 - the source of inspiration
Hello,
Thanks go to Fabian for the dropper :D
Attached is an archive containing all the files dropped by the infection, his dropper, and an offline dump of the MBR. The MBR contains a simple ROR decryption loop, so there is also a file "decrypted_mbr" with the encryption removed.
Thanks,
--AD
Thanks go to Fabian for the dropper :D
Attached is an archive containing all the files dropped by the infection, his dropper, and an offline dump of the MBR. The MBR contains a simple ROR decryption loop, so there is also a file "decrypted_mbr" with the encryption removed.
Thanks,
--AD
Attachments
Pass: infected
(205.68 KiB) Downloaded 194 times
(205.68 KiB) Downloaded 194 times
Thanks Fabian :)
_____________
Firing up x64
_____________
Firing up x64
Who controls the past controls the future
Who controls the present controls the past
Who controls the present controls the past
Software updated, gonna try to kill it with fixmbr :)
Ring0 - the source of inspiration
Killed :) Confirmed by internal detector.
Ring0 - the source of inspiration
x64
tdsskiller doesn't detect
edit: HMP detects.
VM wasted by tdl :D
tdsskiller doesn't detect
edit: HMP detects.
VM wasted by tdl :D
Last edited by Meriadoc on Thu Aug 26, 2010 12:39 pm, edited 2 times in total.
Who controls the past controls the future
Who controls the present controls the past
Who controls the present controls the past
I assume further improvements because this rootkit version is very easy to remove. And it is really buggy, I can't get real machines free from debuggers to work after infection, only after mbr recovery.
Ring0 - the source of inspiration
EP_X0FF wrote:I assume further improvements because this rootkit version is very easy to remove. And it is really buggy, I can't get real machines free from debuggers to work after infection, only after mbr recovery.totally agreed. Rootkit is simply bugged
USForce wrote:Dogma support please login for the bugreports, LOLEP_X0FF wrote:I assume further improvements because this rootkit version is very easy to remove. And it is really buggy, I can't get real machines free from debuggers to work after infection, only after mbr recovery.totally agreed. Rootkit is simply bugged
Ring0 - the source of inspiration