A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
#6034 by Crowbar
Sun Apr 24, 2011 7:53 pm
I am looking for a dropper for a very recent malware that appears to be a rootkit, but all identifiers I have found appear to call it a trojan. Here are the closest identifiers I can find, though nothing states that the MBR is affected, even though it clearly is.

Information on specifics found here: http://www.threatexpert.com/report.aspx ... 2c54b9158c

Here are all of the closest identifiers I have found:
Mal/Generic-A [Sophos]
Backdoor:Win32/Refpron.gen!C [Microsoft]
Trojan.Sopiclick [Symantec]
Trojan Horse [Symantec]
Trojan.Win32.Koblu.aff [Kaspersky Lab]
Trojan.Win32.Koblu.biw [Kaspersky Lab]
Trojan.Win32.Koblu.cbx [Kaspersky Lab]
Trojan.Win32.Koblu.pr [Kaspersky Lab]
Win-Trojan/Koblu.98816.O [AhnLab]
Trojan.Sopiclick [PC Tools]
Troj/PSW-HG [Sophos]
Trojan.Win32.Koblu.aor [Kaspersky Lab]
TrojanDropper:Win32/Refpron.gen [Microsoft]
Win-Trojan/Koblu.98304.T [AhnLab]
Downloader [Symantec]
Generic BackDoor!ec [McAfee]
Generic Dropper!ns [McAfee]
Spyware.Screenspy [Symantec]
Trojan.Win32.Koblu.abp [Kaspersky Lab]
Trojan.Win32.Koblu.aju [Kaspersky Lab]
Trojan.Win32.Koblu.xs [Kaspersky Lab]
Win-Trojan/Koblu.97792.G [AhnLab]
Win-Trojan/Koblu.98816.E [AhnLab]
To be more specific: The biggest symptom of this malware is that when you run TDSSKiller, it gets to 80% during the initialization, freezes, and then crashes. The only fix so far has been to kill the "itlperf" data in "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Svchost" and then reboot in recovery console and run Fixboot and Fixmbr.

Any help is greatly appreciated!
#6038 by EP_X0FF
Mon Apr 25, 2011 1:47 pm
This is not a bootkit/rootkit.
There are no MBR modifications found, and no rootkit-like activity either.
The only interesting thing about this trojan is that all its components are written in Delphi.
If you are interested in the winlogon notification package it uses, see the attachment.

To remove it, go to the system32 directory, rename both it**.dll files to something random, use Autoruns to clean the registry entries (Winlogon packages page), reboot the computer and then delete the previously renamed files. Or you can use something that will force-delete these files.
Attachment (163.13 KiB), pass: malware
#6088 by Crowbar
Fri Apr 29, 2011 7:02 pm
That's what is interesting with the variations I've been seeing... the MBR becomes infected and the only way I have been able to remove it is to run fixmbr (for XP) from the recovery console and then remove the infection from the OS; otherwise this virus just re-spawns upon reboot. I'll have to investigate further. I am now thinking I'm on the wrong trail and the MBR infection that I've been seeing is not directly related, but has just happened to come in around the same time as this. Thank you for the dropper!
#6094 by PX5
Fri Apr 29, 2011 9:36 pm
I believe I'm aware of the actual dropper you would want; it is a multiloader I have been seeing lately, and the suspect MBR modification was of a TDL nature.

Lately we see a lot of this, and they still seem to do minor modifications to secure themselves on the machine; many times, no tools run while the watchdog is alive.

It has been known to drop loaders for this infection plus 2 others. I will search for it this weekend, but no guarantees I'll find it again.

Cheers
#6147 by Cody Johnston
Sun May 01, 2011 8:08 pm
To add to Crowbar's earlier post, I have a GMER scan (files section unchecked) of this same infection. I would also like the dropper for this if possible. Thank you for your time.
Attachment (35.85 KiB)