A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #3299  by Crush
 Wed Nov 03, 2010 8:54 pm
Hi guys,

I've got a user here:
http://www.pchelpforum.com/progress-hij ... lease.html

that has a Bootkit on an x64 machine. It seems to be standing up to everything I've thrown at it. Bootrec /fixmbr didn't work. MBRCheck didn't work, Bootkit Remover can't fix it. Thoughts?
 #3301  by Quads
 Wed Nov 03, 2010 11:08 pm
a) If a PC is using an OEM version of an MBR, tools like MBRCheck and Bootkit Remover detect it as unknown.
b) Due to the user having more than one OS installed on hard drives, if the user is using a third party program as the boot loader, then that may also be detected as unknown by the tools.

c) Norton / Symantec detects the TDL MBR as "Boot.Tidserv" and the other files as "Tidserv.L". Norton cannot cure the MBR and of course is not allowed to delete it, so instead it is flagged as "Manual Removal is Required".
This also means that when another program is used to cure Tidserv, the detection by Norton is stuck in the "Unresolved Threats" list, and because Norton didn't deal with it, it still notifies the user of the "Unresolved Threat", especially on Windows startup.

In the History - Unresolved Threats list, click the "Clear Entries" button to remove the entry and see if it comes back. If in 24 hours it doesn't come back with Norton detecting and notifying again, that's good.

Because Norton keeps telling the user of the Unresolved threat the user thinks they are still infected.

Just Ideas

Quads
 #3303  by Crush
 Wed Nov 03, 2010 11:39 pm
Thanks Quads. I will try those :)
 #3304  by Quads
 Wed Nov 03, 2010 11:58 pm
If the Norton version is 2009 or previous, then there was no "Clear Entries" button and the Qbackup workaround is required.

This does not apply to Symantec Corporate (Endpoint).

Screenshot showing the "Clear Entries" button, though it shows different malware listed and is old.

I notice the hard drive infected is

2010/10/25 07:13:32.0154 \HardDisk2\MBR - will be cured after reboot
2010/10/25 07:13:32.0154 Rootkit.Win32.TDSS.tdl4(\HardDisk2\MBR) - User select action: Cure

Which is not HardDisk0 / PhysicalDrive0.
Later on, Hard Drive / Physical Drive 2 reads

931 GB \\.\PhysicalDrive2 Windows 7 MBR code detected
SHA1: 4379A3D43019B46FA357F7DD6A53B45A3CA8FB79

Which is good. Confusion can happen when having multiple HDs that can load, with a boot loader (OS Selector) that allows you to choose which drive: then which drive is infected, and what did the other drives report before the infection?

Quads
 #3311  by PX5
 Thu Nov 04, 2010 7:48 am
Looks like the last TDL4 I ran into on a dual boot system had the very same troubles, but I sorted a way to fix it without using Startup Repair or trying fixmbr.

It took a combo of tdsskiller and a local tool being used to finally cure the infection.
 #3385  by Crush
 Mon Nov 08, 2010 9:24 pm
User has responded with this:

a) My Win7 Home Premium 64-bit is an OEM version
b) I have installed only one OS and do not use a third party program as boot loader
c) My Norton Unresolved Threats list is empty; it always showed me the Boot.Tidserv in Resolved Security Risk.

Thoughts?
 #3386  by Quads
 Mon Nov 08, 2010 10:45 pm
OK

Copy and Paste

Hard Drive 0

74 GB \\.\PhysicalDrive0 Unknown MBR code
SHA1: D4B3B62F609601336788D00CE203BC3CFEAFD2B6

Probably the OEM recovery hard drive that is in PCs from companies like Dell, HP, Acer... (F12 on start), and that is why tools like MBRCheck and Bootkit Remover report the Unknown MBR code, as well as why Bootkit Remover cannot fix it either, as usually the recovery drive is protected.

Hard Drive 2

931 GB \\.\PhysicalDrive2 Windows 7 MBR code detected
SHA1: 4379A3D43019B46FA357F7DD6A53B45A3CA8FB79

Hard Drive 1
119 GB \\.\PhysicalDrive1 Windows 7 MBR code detected
SHA1: 4379A3D43019B46FA357F7DD6A53B45A3CA8FB79

Now both are reporting as clean compared to early on, which is good. One of them would be the working drive the person uses all the time; the other I'm not sure, maybe a backup drive with software that continually backs up the system. In any case both are showing as clean.


c) my Norton Unresolved Threats list is empty, it always showed me the Boot.Tidserv in Resolved Security Risk

The resolved list is OK, as that is just part of the history showing what Norton has detected in the past, whether a week ago or 6 months ago. It's the Unresolved list to be worried about, or if it is still popping up as detected every time you boot up the PC, tomorrow or in a week's time.

Quads
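The drive-by-drive lines Quads is reading ("Unknown MBR code" versus "Windows 7 MBR code detected", each with a SHA1) come from hashing the boot code of every physical disk and comparing it against a list of known values, and the thread's confusion is about which of several disks the machine actually boots from. The following Python is an added example, not part of the thread and not MBRCheck's or Bootkit Remover's own code: it builds constructed 512-byte MBR sectors for several drives, hashes the 440-byte boot-code region (an assumption about what region the tools hash; the thread does not say), looks the digest up in a small table, and parses the partition table so that an unknown hash on a disk with no active partition (the OEM recovery disk case above) can be told apart from an unknown hash on the disk carrying the active partition, which is the one that warrants a closer look. The table carries the SHA1 the thread reports for the two Windows 7 drives plus a hash registered at run time from a constructed sample; all drive names, boot-code bytes and partition layouts are constructed.

```python
import hashlib
import struct

SECTOR = 512
BOOT_CODE_LEN = 440      # bytes 0x000-0x1B7; assumption: this is the region the tools hash
DISK_SIG_OFF = 0x1B8     # 4-byte NT disk signature
PART_TABLE_OFF = 0x1BE   # four 16-byte partition entries
BOOT_SIG_OFF = 0x1FE     # 0x55AA boot signature

# Hash -> label. The first entry is the SHA1 MBRCheck printed in this thread for
# PhysicalDrive1 and PhysicalDrive2; a constructed sample is registered at run time.
KNOWN_MBR_CODE = {
    "4379A3D43019B46FA357F7DD6A53B45A3CA8FB79": "Windows 7 MBR code",
}


def make_mbr(boot_code, partitions, disk_sig=0x1234ABCD):
    """Build a constructed 512-byte MBR: boot code, disk signature, partition table, 0x55AA."""
    sector = bytearray(SECTOR)
    code = boot_code[:BOOT_CODE_LEN]
    sector[:len(code)] = code
    struct.pack_into("<I", sector, DISK_SIG_OFF, disk_sig)
    for i, (active, ptype, lba_start, lba_count) in enumerate(partitions[:4]):
        off = PART_TABLE_OFF + 16 * i
        sector[off] = 0x80 if active else 0x00      # boot indicator
        sector[off + 4] = ptype                     # partition type byte
        struct.pack_into("<II", sector, off + 8, lba_start, lba_count)
    sector[BOOT_SIG_OFF:BOOT_SIG_OFF + 2] = b"\x55\xAA"
    return bytes(sector)


def mbr_code_sha1(sector):
    """Upper-case hex SHA1 of the boot-code region, matching the style of the thread's lines."""
    return hashlib.sha1(sector[:BOOT_CODE_LEN]).hexdigest().upper()


def parse_partitions(sector):
    """Return the non-empty partition entries with active flag, type and LBA range."""
    entries = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        ptype = sector[off + 4]
        if ptype == 0:
            continue
        lba_start, lba_count = struct.unpack_from("<II", sector, off + 8)
        entries.append({"index": i, "active": sector[off] == 0x80, "type": ptype,
                        "lba_start": lba_start, "lba_count": lba_count})
    return entries


def classify_mbr(sector, known=KNOWN_MBR_CODE):
    """Classify one MBR sector: known/unknown boot code plus partition-table facts."""
    if len(sector) < SECTOR:
        raise ValueError("need a full 512-byte sector")
    digest = mbr_code_sha1(sector)
    parts = parse_partitions(sector)
    return {
        "sha1": digest,
        "label": known.get(digest, "Unknown MBR code"),
        "boot_signature_ok": sector[BOOT_SIG_OFF:BOOT_SIG_OFF + 2] == b"\x55\xAA",
        "has_active_partition": any(p["active"] for p in parts),
        "partitions": parts,
    }


def triage(drives, known=KNOWN_MBR_CODE):
    """Classify every drive; flag unknown boot code only where the disk carries the active partition.

    An unknown hash on a disk with no active partition is consistent with an OEM recovery
    or data disk, which is the benign explanation offered in the thread."""
    report = {}
    for name, sector in drives.items():
        info = classify_mbr(sector, known)
        info["investigate"] = info["label"] == "Unknown MBR code" and info["has_active_partition"]
        report[name] = info
    return report


# --- constructed samples; none of this is real boot code ---
SAMPLE_REFERENCE_CODE = bytes([0x33, 0xC0, 0x8E, 0xD0, 0xBC, 0x00, 0x7C]) + b"\x90" * 120
SAMPLE_OEM_CODE = b"\xEB\x3C\x90" + b"CONSTRUCTED-OEM-RECOVERY-STUB".ljust(80, b"\x00")
SAMPLE_ODD_CODE = bytes(range(64)) * 3   # unknown code placed on a disk with an active partition

KNOWN_MBR_CODE[mbr_code_sha1(make_mbr(SAMPLE_REFERENCE_CODE, []))] = "Constructed reference MBR code"

DRIVES = {  # constructed drive set echoing the thread's three-disk layout plus one suspicious disk
    r"\\.\PhysicalDrive0": make_mbr(SAMPLE_OEM_CODE, [(False, 0x0C, 2048, 150_000_000)]),
    r"\\.\PhysicalDrive1": make_mbr(SAMPLE_REFERENCE_CODE,
                                    [(True, 0x07, 2048, 204800), (False, 0x07, 206848, 249_000_000)]),
    r"\\.\PhysicalDrive2": make_mbr(SAMPLE_REFERENCE_CODE, [(False, 0x07, 2048, 1_953_000_000)]),
    r"\\.\PhysicalDrive3": make_mbr(SAMPLE_ODD_CODE, [(True, 0x07, 2048, 204800)]),
}

if __name__ == "__main__":
    for name, info in triage(DRIVES).items():
        flag = "  <-- investigate" if info["investigate"] else ""
        print(f"{name} {info['label']} SHA1: {info['sha1']}{flag}")
```

Run as a script it prints one line per constructed drive in the same shape as the thread's MBRCheck output; only PhysicalDrive3, the disk with unknown code and the active partition, is flagged. On a real machine the sector bytes would be read from each `\\.\PhysicalDriveN` handle rather than constructed, and the known-hash table would need the vendor's full list, which this example does not carry.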
 #3392  by PX5
 Tue Nov 09, 2010 6:43 pm
Sounds like someone is using Bootrec with little or no knowledge, but appears lucky it hasn't wiped out the OEM MBR.

I suspect you can use a Win7 CD, go into Repair functions, select command prompt and rebuild the MBR or outright fix it.

There have also been some updates to other AR tools to help repair this infection, none of which I'll mention here to avoid personal conflicts.