[rkhunter]

It's my small research about this incident:

http://blogs.drweb.com/node/823

[rkhunter]

TrendMicro wrote post about Popureb: http://blog.trendmicro.com/popureb-vs-tdl4/

[dcmorton]

Popureb analysis by Sophos

http://www.sophos.com/medialibrary/PDFs ... df?dl=true

[dcmorton]

Webroot has also made available a removal tool for Popureb.E.

In my tests, it was able to detect and remove a Popureb.E infection, however with a Popureb.A infection, it was able to detect an infected MBR but did not cure.

http://pxnow.prevx.com/antipopureb.exe

[Quads]

One thing after cleaning the MBR, removing files and registry entries I found in XP at least the Start Menu customize Browser setting doesn't want to go back to Firefox or Chome to be the selected pinned browser.

Screenshot Attached

Quads

[wealllbe20]

One thing after cleaning the MBR, removing files and registry entries I found in XP at least the Start Menu customize Browser setting doesn't want to go back to Firefox or Chome to be the selected pinned browser.

Even after setting firefox or chrome as the default browser?

[dcmorton]

One thing after cleaning the MBR, removing files and registry entries I found in XP at least the Start Menu customize Browser setting doesn't want to go back to Firefox or Chome to be the selected pinned browser.

Even after setting firefox or chrome as the default browser?

It does this by modifying/deleting values in the "HKCR\CLSID\{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}" & "HKCR\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}" keys.

The value that I've found that breaks everything is the "InitString"="StartMenuInternet" under "HKCR\CLSID\{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}\Instance\InitPropertyBag". This one gets completed deleted, but after re-adding it either manually or by importing the pre-infection registry files, everything works again as expected.

I've attached pre and post infection registry exports of those keys showing the changes from XP SP3. I'll try to grab exports from the other Windows versions as well.

[Quads]

dcmorton is correct, that is the registry entry that has to be repaired back to pre infection state to be able to get other Browsers pinned to the Start Menu.

Quads

[Aleksandra]

MD5: 70d66bcd2bde13a4c953b44b51a94c8c
SHA1: 6d62ffde3006ff73777debc8fff545a1da33a5ba
https://www.virustotal.com/file/0da6440 ... /analysis/

MD5: f2a50f83f3c6ac0e70311619e9ae53d6
SHA1: 20fa7004ba50356ff763e4fd308379c0d447144d
https://www.virustotal.com/file/ec07d9f ... /analysis/

[cjbi]

Ah, fresh meat! Fresh Popureb bootkit dropper.
Obviously Korean targeted.

String(s)

Code: Select all

Invalid partition table
Error loading operating system
Missing operating system
SeDebugPrivilege
SYSTEM\CurrentControlSet\Services\DogKiller
DogKiller
\down.txt
urlmon.dll
URLDownloadToFileA
&ver=
clcount/count.asp?mac=
GOOGLE
InternetCloseHandle
InternetOpenUrlA
wininet.dll
InternetOpenA
biaoji
localfile
count
ShellExecuteA
Shell32.dll
DisableRegistryTools
Software\Microsoft\Windows\CurrentVersion\Policies\System
2201
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
1004
"%s" "%s"
Button
예(&Y)
unins000.aye
newdesk2
\unins000.aye"
SYSTEM\CurrentControlSet\Services\ALYac_RTSrv
ImagePath
제거
V3 Lite 제거
V3 Lite 
\Uninst.exe"
SYSTEM\CurrentControlSet\Services\V3 Lite Service
Debugger
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\
V3LSvc.exe
V3LTray.exe
sgsvc.exe
AYUpdate.aye
ALYac.aye
AYServiceNt.aye
AYAgent.aye
svchost.exe
/f /t /im AYServiceNt.aye
open
taskkill.exe
/f /t /im AYAgent.aye
-------
------
\scvhostv.exe
isfile
file
isweb
update
curversion
vension
\systemInfomations.ini
GetAdaptersInfo
iphlpapi.dll
000000000000
yyyy
xxxxx
\\.\PciFtDisk
aaaaa
AVP.EXE
avp.exe
DogKiller.sys
vvvvvvvv
ssssssss

...

XXXKdDisableDebugger %ws...
dwPartOnePos:%08x..3
dwPartOnePos:%08x..2
gSectorsPerCluster:%d..1
dwPartOnePos:%08x..1
Send XXX Failed..%08x
Irp->CurrentLocation > 0
g:\wdk\inc\ddk\wdm.h
(InvokeOnSuccess || InvokeOnError || InvokeOnCancel) ? (CompletionRoutine != NULL) : TRUE
read size: %d..
gNtosBase is: %08x..%08x..%08x..
DriverEntry!
ata dr0 dev obj is : %08x...
szXXXSys: %s..%ws..
xxxx File is here,%08x..%08x..
zero xxx is: %08x..%02x
xxxx File is DWORD,%08x...
dwSectors: %d..
drv obj is : %08x...dev control:%08x...intern: %08x
file drv obj is : %08x...dev control:%08x...intern: %08x
dis:%08x...intern: %08x
recover dispatch routine ok...
ntice.sys
Irp->CurrentLocation <= Irp->StackCount + 1
Open File failed...%08x..
gDiskPos is: %08x..Cluster:%d...part offset: %08x..
StartingVcn  failed:%08x...
ExtentCount  failed:%08x...
xxx Res is: %08x...
MyIofCallDriver  failed:%08x...
pDevObj is: %08x...
IoGetBase failed:%08x...
ObReXXX  failed:%08x...
ZwReadFile  failed:%08x...
ntkrpamp.exe
ntkrnlmp.exe
ntkrnlpa.exe
ntoskrnl.exe
xxx address is: %08x....%08x...%08x
No found INit seg
init
ZwReadFile File failed...%08x..
ExAllocatePool Size...%08x..
File Size...%08x..
ZwQueryInformationFile File failed...%08x..
wsAtpiFile: %ws...
g:\pass\Driver\i386\Killer.pdb

VirusTotal result(s)
abc234x.exe.vir 26/42 https://www.virustotal.com/file/2d809b6 ... /analysis/