[gjf]

Some news in Bootkit family :)
News are presented here.It is a well-known Stoned, but re-hashed.
All I know this malware starts some processes with NT-AUTHORITY\SYSTEM rights. Executables are not hidden and are placed somewhere in C:\System Volume Information\. It cannot be terminated because of rights.

The malware can be removed using standard technique for removing bootkits :)

Does anyone have a dropper to perform analysis?

BTW looks like it has a website :)

[rossetoecioccolato]

Stoned is open source and intended for use by law enforcement, security researchers and other individuals who have a legitimate interest. Additional (and more accurate) information may be obtained by contacting the author at Peter_at_Kleissner_dot_at. Versions available from the author require the user to have administrative privileges and to click yes when prompt to install what is explicitly identified as a bootkit. The software license prohibits use for unlawful purposes. Bootkits are becoming quite common in the wild and so it is useful to have one available for research purposes. But I doubt the authors of TDL or Rustock will need to learn anything from Stoned. The web site that you mention is not associated with the author. I can't imaging why anyone would want to pay money for something that can be obtained for free simply by contacting the author.

[gjf]

I am talking not about Stoned, but about Whistler which is probably based on Stoned.

[rossetoecioccolato]

Same thing. If you want a copy email the author. It would be interesting to know who the website that you mention really is (since it is hosted in US federal jurisdiction).

[gjf]

That's what I did :) Peter kindly described me everything. Actually the information have been posted here already.

I believe it is really Stoned-based malware. Same behaviour: non-hidden MBR patching, SYSTEM-rights of malware processes etc. Taking into account the author cannot do better than simly "hide" malware files in "System Volume Information" I think there is not anything new.

Sure we cannot be absolutely sure without droppers, but AFAIK nobody has it yet :)

[Quads]

Has anyone found a sample installer for the Bootkit that creates these files on peoples PC's??

c:\system volume information\microsoft\smss.exe
c:\system volume information\microsoft\services.exe

A lot of AV's, MBAM and SAS are detecting the above files but they get recreated on the next restart.

Quads

[USForce]

Whistler bootkit is the bootkit you are looking for ;)

Fixmbr and it's gone :D

[Quads]

Thanks

Yeah, I was trying to find the latest sample to play with and remove without using the Windows CD with the FixMBR command.
Instead trailing other Bootkit Removers.

Thanks for your input

Quads

[EP_X0FF]

Has anyone found a sample installer for the Bootkit that creates these files on peoples PC's??

c:\system volume information\microsoft\smss.exe
c:\system volume information\microsoft\services.exe

A lot of AV's, MBAM and SAS are detecting the above files but they get recreated on the next restart.

Quads

Hello,

Give us a malware names casted by AV :)

Regards.

[Quads]

The 2 files above detected as

Symantec Win32.Unruy!gen1
A-squared Trojan-Clicker.Win32.Cycler.ajsx!A2
AVG Trojan horse Downloader.Generic9.CAXD or trojan horse clicker.AJRO
Avast Win32:Cycler-l[trj] or Win32:Cycler-G [Trj]
Malwarebytes Trojan.cycler
ESET a variant of Win32/TrojanDownloader.Unruy.BV trojan
Kaspersky Trojan-Clicker.win32.cycler.ajtp or Win32:Cycler-F [Trj]
SAS Trojan.Agent/Gen-Blarsa

The 2 files get created again even after deletion on next restart.

Bootkit Remover fixes the MBR and after the files are no longer created.

Quads