A forum for reverse engineering, OS internals and malware analysis 

 #15361  by Alex
 Sun Aug 26, 2012 3:08 pm
There are only a few changes, nothing special:
C:\sys.pdb -> D:\new2DNet\Rocket\Product\Rdrv.pdb
Now it hooks four services: ZwLoadDriver, ZwSetSystemInformation, ZwSetValueKey, ZwReadFile. The hooks on ZwLoadDriver and ZwSetSystemInformation (SystemExtendServiceTableInformation) compare the names of loaded modules against a short list:
ksapi.sys
kisknl.sys
skvkrpr.sys
minidb.sys
bc.sys
bapidrv.sys
beepmbr.sys
findandfixbiosvirus.sys
If one of these modules is detected, the malware stops loading the driver. The ZwSetValueKey hook blocks setting values under two key paths: "Services\\BC" and "Services\\MiniKill". The ZwReadFile hook blocks access to "sfc_os.dll".

The malware also hooks DriverStartIo of the miniport driver, if it exists, and that's all.
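As an added example (not part of Alex's post or the sample itself), a small Python triage scanner that looks for the strings the analysis above names: the new PDB path, the list of AV driver names the hooks compare against, the two registry paths and sfc_os.dll. It searches both ANSI and UTF-16LE encodings, since kernel code usually keeps such names as UNICODE_STRINGs; the sample bytes and the "three or more AV names" threshold are constructed for illustration.

```python
import re

# Indicators taken from the analysis above (PDB path, AV driver names the
# malware compares loaded modules against, blocked registry paths and DLL).
INDICATORS = {
    "pdb_path": [r"D:\new2DNet\Rocket\Product\Rdrv.pdb"],
    "av_driver_names": [
        "ksapi.sys", "kisknl.sys", "skvkrpr.sys", "minidb.sys",
        "bc.sys", "bapidrv.sys", "beepmbr.sys", "findandfixbiosvirus.sys",
    ],
    "registry_paths": [r"Services\BC", r"Services\MiniKill"],
    "blocked_files": ["sfc_os.dll"],
}


def _compile_patterns():
    """Compile every indicator as ANSI and as UTF-16LE, case-insensitive."""
    compiled = []
    for category, values in INDICATORS.items():
        for value in values:
            ansi = re.compile(re.escape(value.encode("ascii")), re.IGNORECASE)
            wide = re.compile(re.escape(value.encode("utf-16-le")), re.IGNORECASE)
            compiled.append((category, value, ansi, wide))
    return compiled


_PATTERNS = _compile_patterns()


def scan_bytes(data: bytes) -> dict:
    """Return {category: sorted indicator strings found in data}."""
    hits = {}
    for category, value, ansi, wide in _PATTERNS:
        if ansi.search(data) or wide.search(data):
            hits.setdefault(category, set()).add(value)
    return {k: sorted(v) for k, v in hits.items()}


def is_suspicious(data: bytes, min_av_names: int = 3) -> bool:
    """Flag on the PDB path, or on several AV driver names appearing together
    (one name alone could be a legitimate reference)."""
    hits = scan_bytes(data)
    return "pdb_path" in hits or len(hits.get("av_driver_names", [])) >= min_av_names


# Constructed test inputs: one buffer mimicking the driver's strings, one clean.
SAMPLE = (b"MZ\x90\x00" + b"\x00" * 16 + b"KSAPI.SYS\x00"
          + "minidb.sys".encode("utf-16-le") + "bc.sys".encode("utf-16-le")
          + b"D:\\new2DNet\\Rocket\\Product\\Rdrv.pdb\x00")
CLEAN_SAMPLE = b"MZ\x90\x00" + b"\x00" * 32 + b"hello world\x00"
```

Run it over memory-dumped or unpacked driver images rather than the packed dropper, since the strings are only visible once unpacked.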
 #18129  by cjbi
 Sun Feb 10, 2013 11:13 am
Guntior bootkit is still alive.

Fresh dropper & payloads attached.
Final payload is Delphi coded PbBot.

VirusTotal result(s)
ACE.exe.vir (Guntior bootkit dropper) 15/45 https://www.virustotal.com/file/600b149 ... 360490557/
syslog.exe.vir (Delphi coded PbBot) 24/45 https://www.virustotal.com/file/7bdf546 ... 360491763/
pw: infected
 #18669  by Cody Johnston
 Sat Mar 23, 2013 10:59 pm
Fresh Sample Wapomi/Jadtre/Qvod

VT: 40/46

MD5: 67953f8946d9b1a7865866ed403618ed

https://www.virustotal.com/en/file/5937 ... /analysis/

EDIT: Does anyone know of a tool to disinfect this? I have been looking but not successfully. Many AV tools can find and delete the infected files, but is OS reinstall the only viable option here?
Password: infected