[Brookit]

Mayachok Hooks INT8 to Dodge Emulators

[Aleksandra]

http://blogs.technet.com/b/mmpc/archive ... tacks.aspx

[thisisu]

Is this bootkit known to infect Recovery partition?

Code: Select all

Disk ID: 0DA018DE

  Partition ###  Type              Size     Offset
  -------------  ----------------  -------  -------
  Partition 1    Recovery            17 GB  1024 KB
  Partition 2    Primary            100 MB    17 GB
  Partition 3    Primary            100 MB    17 GB
  Partition 4    Primary            913 GB    17 GB

09:56:56.0205 13160  \Device\Harddisk0\DR0\Partition1 ( Rootkit.Boot.Cidox.b ) - will be cured on reboot

http://www.bleepingcomputer.com/forums/ ... -with-mse/

Notice how TDSSKiller which found the infection only listed 3 partitions on disk 0 whereas other logs show 4 partitions on disk 0. Also note 2 100MB partitions (may be user error but is rare to see I think). A new log listing partition details would solve mystery for me but not working this thread.

[EP_X0FF]

I don't think so.

anything from this

1) full physical memory dump of this machine
2) all logs from MSE with detections please
3) screenshot from WMI computer management -> disk management console listing all partitions Windows detects
4) put machine offline and dump all VBR's for inspection
5) try Windows Defender Offline

[thisisu]

2) all logs from MSE with detections please

I think this is what you're looking for. It was in the thread above but I've attached it for review.

[EP_X0FF]

2) all logs from MSE with detections please

I think this is what you're looking for. It was in the thread above but I've attached it for review.

Any chance you can:

1) dump this partition?
2) scan offline?

[thisisu]

2) scan offline?

Here is a scan from a tool called ListParts that was performed offline before the infection was removed by TDSSKiller

I attached the resulting log here for easier access but its contents can also be found @ post #22 of the thread.
Thanks for looking into this.

[EP_X0FF]

So TDSSKiller removed Cidox and after this MSE still detects it in VBR?

[thisisu]

So TDSSKiller removed Cidox and after this MSE still detects it in VBR?

No. Once TDSSKiller found and removed Cidox, MSE stopped reporting/detecting it. MSE kept detecting it but wasn't able to fix alone.

Notice the errors below from MSE log:

Code: Select all

Start time:‎07‎-‎15‎-‎2013 22:36:19
Threat Name:Trojan:DOS/Rovnix.D
Threat ID:2147680143
Action:remove
!ERROR
Resource action complete:Removal
Schema:boot
Path:\\.\PHYSICALDRIVE0\Partition1 (NTFS)
Threat ID:2147680143
Resource refcount:1
Result:1260
!ERROR
Finished threat ID:2147680143
Threat result:1260
Threat status flags:385
Finished threat actions
End time:‎07‎-‎15‎-‎2013 22:36:19
Result:0
Beginning threat actions
Start time:‎07‎-‎15‎-‎2013 22:36:19
Threat Name:Trojan:DOS/Rovnix.D
Threat ID:2147680143
Action:quarantine
!ERROR
Resource action complete:Quarantine
Schema:boot
Path:\\.\PHYSICALDRIVE0\Partition1 (NTFS)
Threat ID:2147680143
Resource refcount:1
Result:50
!ERROR
Finished threat ID:2147680143
Threat result:50
Threat status flags:385
Finished threat actions
End time:‎07‎-‎15‎-‎2013 22:36:19
Result:0

[EP_X0FF]

WDO can handle it, not MSE itself.