A forum for reverse engineering, OS internals and malware analysis 

[solved] Help with SST removal

Forum for analysis and discussion about malware.

[solved] Help with SST removal

 #9611  by HackJack
 Wed Nov 09, 2011 5:51 pm
is there a manual fix for -Rootkit.Boot.SST.b

FixMBR and Fixboot failed to resolve the issue in XP

MBR log Gmer

tealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: ST3250318AS rev.CC46 -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP3T0L0-7

device: opened successfully
user: MBR read successfully

Disk trace:
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8A059FA9]<<
1 nt!IofCallDriver[0x804E3D45] -> \Device\Harddisk0\DR0[0x8A0F8AB8]
3 CLASSPNP[0xF763805B] -> nt!IofCallDriver[0x804E3D45] -> \Device\00000053[0x8A17C258]
5 ACPI[0xF75AE620] -> nt!IofCallDriver[0x804E3D45] -> \Device\Ide\IdeDeviceP3T0L0-7[0x8A1DCA38]
kernel: MBR read successfully
detected disk devices:
detected hooks:
\Driver\atapi -> 0x8a059fa9
user & kernel MBR OK
Warning: possible MBR rootkit infection !

Re: TDL Modifications (PRAGMA and others)

 #9616  by EP_X0FF
 Wed Nov 09, 2011 6:22 pm
@HackJack

Please post also complete list of AV/FW software installed in system, CD/DVD emulators if they are installed.

Re: TDL Modifications (PRAGMA and others)

 #9620  by HackJack
 Wed Nov 09, 2011 8:12 pm
EP_X0FF wrote:@HackJack

Please post also complete list of AV/FW software installed in system, CD/DVD emulators if they are installed.


No AV installed or CD/DVD emulators . it is windows XP with default firewall

i have attached the FakeSysdef Installer, which drops new rootkit

pass:malware
Attachments
pass:malware
(408.93 KiB) Downloaded 58 times

Re: TDL Modifications (PRAGMA and others)

 #9628  by rkhunter
 Wed Nov 09, 2011 10:43 pm
HackJack wrote:
EP_X0FF wrote:@HackJack

Please post also complete list of AV/FW software installed in system, CD/DVD emulators if they are installed.


No AV installed or CD/DVD emulators . it is windows XP with default firewall

i have attached the FakeSysdef Installer, which drops new rootkit

pass:malware
Maybe I'm wrong but seems it not drops rootkit.

Re: TDL Modifications (PRAGMA and others)

 #9629  by HackJack
 Wed Nov 09, 2011 11:21 pm
rkhunter wrote:
HackJack wrote:
EP_X0FF wrote:@HackJack

Please post also complete list of AV/FW software installed in system, CD/DVD emulators if they are installed.


No AV installed or CD/DVD emulators . it is windows XP with default firewall

i have attached the FakeSysdef Installer, which drops new rootkit

pass:malware
Maybe I'm wrong but seems it not drops rootkit.
To give you more input, this new rootkit creates a new partion without out drive letter, please refer the attached screenshot(new partition is marked in red)
Attachments
MBR partition.JPG
New MBR Partion
MBR partition.JPG (68.94 KiB) Viewed 765 times
 Return to “Malware”