A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #2462  by PX5
 Sat Aug 28, 2010 3:49 pm
Quick question for EP_X0FF and A_D_13

Do either of your RKScanners work on X64?
 #2463  by EP_X0FF
 Sat Aug 28, 2010 3:55 pm
MBRCheck will work and detect it AFAIK. Likely remove it also.

x64 detection/analysis/removal tool is currently in development. Well actually it will be cross-platform. However it will be private so no point to discuss it here.
 #2464  by IndiGenus
 Sat Aug 28, 2010 4:21 pm
EP_X0FF wrote: MBRCheck will work and detect it AFAIK. Likely remove it also.

x64 detection/analysis/removal tool is currently in development. Well actually it will be cross-platform. However it will be private so no point to discuss it here.
I'm sure a_d_13 will have more to add to this than I.... :roll:

In the little bit of testing I've done with Win7 and Vista x64, MBRCheck will not properly detect or remove at this time.

Win7: MBRCheck reports "MBR Code Faked!". Attempting to replace did not work.

Vista: Reported Win2008 mbr... :?: But okay.
 #2466  by EP_X0FF
 Sat Aug 28, 2010 5:00 pm
Guys, I'll tell you what perfectly and safely removes it :) fixmbr.
 #2467  by IndiGenus
 Sat Aug 28, 2010 5:08 pm
EP_X0FF wrote: Guys, I'll tell you what perfectly and safely removes it :) fixmbr.
Ya that definitely gets it. Only consideration is wiping out access to recovery partitions on OEM machines.
 #2470  by 4everyone
 Sat Aug 28, 2010 5:36 pm
Fabian Wosar wrote:
4everyone wrote: Worked for me with older versions of TDL3. Tried with the new MBR thingie, didn't work for me.
Are you sure the rootkit is running? I used it for pretty much every single sample I posted on Windows 7 x64 and tried some older samples of TDL-3 on Windows XP as well. But it is still just a dirty hack. So failure is kind of expected.

Can you send me the sample you tried it with and what system you tried it on? Maybe I can adjust it.
Sorry Fabian. I believe I had done something wrong before. Checked it now, works good.

Thanks
4-every-1
 #2473  by IndiGenus
 Sat Aug 28, 2010 6:27 pm
LeastPrivilege wrote: This should be a lesson for people who own retail OEM machines that use recovery partitions: back up their MBR and put it away for safekeeping.
'Tis a good point. Though most "average" PC users would never know to do this. Nor would they know how it's done even if someone told them. Do any of the OEMs such as Dell, HP, etc. provide a tool for doing this? Something that is a simple point-and-click tool?
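The "back up your MBR" advice above, worked through as an added example (my code, not a tool from anyone in this thread): parse the 512-byte MBR sector, hash the boot-code region separately from the partition table, and compare a freshly read sector against the saved baseline so that a bootkit's boot-code rewrite is reported while the OEM recovery partition entry is shown to be untouched. The sample sectors, partition layout and boot-code bytes are constructed here for an offline run; on a real machine the current sector would be the first 512 bytes of `\\.\PhysicalDrive0` (Windows, administrator) or `/dev/sda` (Linux, root).

```python
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 440       # boot code is bytes 0..439; the disk signature follows at 440
PART_TABLE_OFF = 446      # four 16-byte partition entries start here
SIGNATURE = b"\x55\xAA"   # boot signature at bytes 510..511
# On a live system read the sector with open(r"\\.\PhysicalDrive0", "rb").read(512) (admin needed).

def parse_mbr(mbr: bytes) -> dict:
    """Return the SHA-256 of the boot code plus the non-empty partition entries."""
    if len(mbr) != MBR_SIZE or mbr[510:512] != SIGNATURE:
        raise ValueError("not a valid MBR sector")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFF + i * 16
        # entry layout: status, CHS start (3), type, CHS end (3), LBA start, sector count
        status, ptype, lba_start, count = struct.unpack_from("<B3xB3xII", mbr, off)
        if ptype:  # type 0 marks an unused slot
            partitions.append({"bootable": status == 0x80, "type": ptype,
                               "lba_start": lba_start, "sectors": count})
    return {"boot_code_sha256": hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest(),
            "partitions": partitions}

def compare_to_baseline(current: bytes, baseline: bytes) -> list:
    """List what changed relative to the saved copy: boot code, partition table, or nothing."""
    cur, base = parse_mbr(current), parse_mbr(baseline)
    findings = []
    if cur["boot_code_sha256"] != base["boot_code_sha256"]:
        findings.append("boot code differs from baseline")
    if cur["partitions"] != base["partitions"]:
        findings.append("partition table differs from baseline")
    return findings

def build_sample_mbr(boot_code: bytes, entries) -> bytes:
    """Construct a synthetic MBR sector for offline testing (not a real disk image)."""
    sector = bytearray(MBR_SIZE)
    sector[:len(boot_code)] = boot_code
    for i, (bootable, ptype, lba, count) in enumerate(entries):
        struct.pack_into("<B3xB3xII", sector, PART_TABLE_OFF + i * 16,
                         0x80 if bootable else 0x00, ptype, lba, count)
    sector[510:512] = SIGNATURE
    return bytes(sector)

# Constructed layout: hidden OEM recovery partition (type 0x27) first, bootable NTFS system second.
LAYOUT = [(False, 0x27, 2048, 30000000), (True, 0x07, 30002048, 200000000)]
BASELINE = build_sample_mbr(b"\xEB\x3C\x90" + b"constructed clean boot code", LAYOUT)
TAMPERED = build_sample_mbr(b"\xEB\x3C\x90" + b"constructed modified boot code", LAYOUT)
```

Restoring from the baseline copy (rather than fixmbr's generic code) keeps the OEM partition table and boot code exactly as shipped, which is the recovery-partition concern raised earlier in the thread.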