A forum for reverse engineering, OS internals and malware analysis
Jaxryley wrote:Dropped by a newish rogue AV.Interesting. This driver is changing the access rights on anti-malware EXE files. I tried MBAM and Prevx on this rogue and both the mbam.exe and prevx.exe process get killed and the files on disk get a new DACL causing the file to be no longer accessible. Resetting the DACL with SetACL.exe restores from the countermeasure.
vbma9e7b.sys - 6/43 - Kaspersky - Rootkit.Win32.TDSS.vfc - MD5 : 97b443e6c1aba6df2afb37a76faf975d
http://www.virustotal.com/file-scan/rep ... 1287223259
Jaxryley wrote:Thanks for checking it out bytejammer. :)I renamed it to test.exe and then this will still get killed and blocked by DACL. I used GMER to disable the service and then start a mbam.exe. I haven't found the exact trigger of the blocking mechanism but it surely doesnt just block on filenames. I could not use your suggestion of just renaming the exe.
On my testing VM's I keep several Malwarebytes pre-renamed mbam.exes such as explorer.exe, firefox.exe, mbam.com, mbam.scr.....
A pre-renamed mbam.exe to explorer.exe will get a scan up and running with this rogue active.
bytejammer wrote:I could not use your suggestion of just renaming the exe.No just renaming the original mbam.exe won't allow it to run.
EP_X0FF wrote:I don't think this is TDL. There is another malware Antivirus Pro 2010 that maybe interesting, because uses some TDL3 approach.This is another modification of max++ rootkit:
[main]
version=0.03
aid=30020
sid=0
builddate=4096
rnd=1123561945
[inject]
*=cmd.dll
* (x64)=cmd64.dll
[cmd]
srv=hxxps://kangojim1.com/;hxxps://lkaturi71.com/;hxxps://rukkeianno.in/;hxxps://neywrika.in/;hxxps://86b6b6b6.com/
wsrv=hxxp://rudolfdisney.com/;hxxp://crozybanner.com/;hxxp://imagemonstar.com/;hxxp://funimgpixson.com/;hxxp://bunnylandisney.com/
psrv=hxxp://cri71ki813ck.com/
version=0.15
