A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #20252  by thisisu
 Sun Jul 28, 2013 4:26 am
EP_X0FF wrote: WDO can handle it, not MSE itself.
I understand that. I just had a hard time believing that the recovery partition was the one that was compromised. It's not something I've seen before. So just so I understand correctly, this type of infection infects existing partitions; unlike MAXSS/TDL4 which would create its own NEW 1-10MB partition. There was concern about the 2 100MB system reserved partitions.
Last edited by thisisu on Sun Jul 28, 2013 4:32 am, edited 1 time in total.
 #20253  by EP_X0FF
 Sun Jul 28, 2013 4:31 am
Notice the OP's statement:
I had a run-in several weeks ago with Rovnix.D on my machine that I ended up not even knowing about until it was already blue screening my x64 Win7 machine. I ended up having to reformat my machine and reinstall after a blue screen trashed my boot sector completely (as well as my registry) when I attempted to do a roll-back/restore, and even ended up losing access to my PC's restore partition. Long story short, I ended up doing things the old-fashioned way, getting a copy of Win7 x64, inputting my key from the sticker on my machine, and then hunting down drivers (I kept putting off making those restore DVDs for my machine, so I still don't have access). It was a pain in the rear.
He messed up everything with reformatting.
 #21508  by forty-six
 Sun Dec 01, 2013 4:10 am
Attached rovnix ISFB

Strings:
!CryptGetUserKey
ADVAPI32.DLL
.pfx
ISFB
AddressBook
AuthRoot
CertificateAuthority
Disallowed
Root
TrustedPeople
TrustedPublisher
\\.\%s
%lu.exe
Software\Microsoft\Windows\CurrentVersion\Run
"System\CurrentControlSet\Control\Session Manager\AppCertDlls"
"Loading DLL: ""%s"""
"DLL load status: %u"
\Mozilla\Firefox\Profiles\
cookies.sqlite
cookies.sqlite-journal
"\Macromedia\Flash Player\"
*.sol
*.txt
\sols
\cookie.ie
\cookie.ff
-01
"/fp %lu"
"Command received ""%s"""
FAILED
/task.php?
THESETENURELIFE.TK
form
/data.php?version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s
Client
Main
version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x
/config.php?
CHROME.DLL
closesocket
WSASend
WSARecv
WS2_32.DLL
LoadLibraryExW
KERNEL32.DLL
.rdata
.text
PR_Close
PR_Write
PR_Read
NSPR4.DLL
NSS3.DLL
PR_Poll
PR_GetError
PR_SetError
\\?\
Local\
".set DiskDirectory1=""%s"""
".set CabinetName1=""%s"""
"""%s"""
*.*
".set DestinationDir=""%S"""
"""%S"""
"makecab.exe /F ""%s"""
\setup.inf
\setup.rpt
\*.*
"cmd /C ""systeminfo.exe > %s"""
"cmd /C ""echo -------- >> %s"""
"cmd /C ""tasklist.exe /SVC >> %s"""
"cmd /C ""driverquery.exe >> %s"""
"cmd /C ""reg.exe query ""HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall"" /s >> %s"""
Attachments: standard pass (233.3 KiB)
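A small triage helper for a string dump like the one in the post above. It is an added example, not code from the post or from the ISFB sample: the behaviour categories and regexes are this editor's own grouping of the quoted strings (AppCertDlls/Run persistence, certificate and cookie theft, NSPR/Winsock hooking, host reconnaissance, makecab staging, C2 paths), and the input list is a constructed subset of the dump as `strings` would print it.

```python
import re
from collections import defaultdict

# Behaviour categories and the regexes (editor's grouping) that suggest them.
INDICATORS = {
    "persistence": [r"Session Manager\\AppCertDlls",  # AppCertDlls: DLL loaded into every process
                    r"CurrentVersion\\Run"],          # Run key autostart
    "credential_theft": [r"CryptGetUserKey", r"\.pfx$",           # certificate/private key export
                         r"cookies\.sqlite", r"\\cookie\.(ie|ff)$", r"\*\.sol"],  # browser/Flash cookies
    "browser_hooking": [r"^PR_(Read|Write|Close)$", r"^WSA(Send|Recv)$", r"^NSS3\.DLL$", r"^CHROME\.DLL$"],
    "host_recon": [r"systeminfo\.exe", r"tasklist\.exe", r"driverquery\.exe", r"reg\.exe query"],
    "staging": [r"makecab\.exe", r"\.set CabinetName1"],
    "c2": [r"/(task|config|data)\.php", r"\.TK$"],
}

def triage(strings):
    """Return {category: sorted matching strings} for every category with a hit."""
    hits = defaultdict(set)
    for s in strings:
        for category, patterns in INDICATORS.items():
            if any(re.search(p, s, re.IGNORECASE) for p in patterns):
                hits[category].add(s)
    return {k: sorted(v) for k, v in hits.items()}

def c2_fields(url_template):
    """Parameter names in a printf-style beacon template, i.e. what the bot reports home."""
    query = url_template.split("?", 1)[1] if "?" in url_template else url_template
    return [kv.split("=", 1)[0] for kv in query.split("&") if "=" in kv]

# Constructed input: a subset of the strings from the dump above, as `strings` would print them.
BEACON = "/data.php?version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s"
SAMPLE_STRINGS = [
    "!CryptGetUserKey", ".pfx",
    "Software\\Microsoft\\Windows\\CurrentVersion\\Run",
    "System\\CurrentControlSet\\Control\\Session Manager\\AppCertDlls",
    "cookies.sqlite", "\\cookie.ie", "*.sol", "PR_Write", "WSARecv",
    "/task.php?", "THESETENURELIFE.TK", BEACON,
    'cmd /C "systeminfo.exe > %s"', 'cmd /C "tasklist.exe /SVC >> %s"',
    'makecab.exe /F "%s"', "Main", ".text",   # last two are benign and must not match
]

if __name__ == "__main__":
    for category, matched in triage(SAMPLE_STRINGS).items():
        print(f"{category:17s} {matched}")
    print("beacon fields:", c2_fields(BEACON))
```

Feed it the output of `strings` on a sample to get a first behavioural sketch before opening the binary in a disassembler.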
 #22819  by Xylitol
 Tue May 06, 2014 2:31 pm
Attachments: infected (6.36 KiB), infected (254.95 KiB)