 #20244  by thisisu
 Sat Jul 27, 2013 7:54 pm
Is this bootkit known to infect Recovery partition?


Disk ID: 0DA018DE

  Partition ###  Type              Size     Offset
  -------------  ----------------  -------  -------
  Partition 1    Recovery            17 GB  1024 KB
  Partition 2    Primary            100 MB    17 GB
  Partition 3    Primary            100 MB    17 GB
  Partition 4    Primary            913 GB    17 GB

09:56:56.0205 13160  \Device\Harddisk0\DR0\Partition1 ( Rootkit.Boot.Cidox.b ) - will be cured on reboot

http://www.bleepingcomputer.com/forums/ ... -with-mse/

Notice how TDSSKiller, which found the infection, only listed 3 partitions on disk 0, whereas other logs show 4 partitions on disk 0. Also note the two 100 MB partitions (may be user error, but it is rare to see, I think). A new log listing partition details would solve the mystery for me, but I'm not working this thread.
Attachment: MBR copy from thread (512 bytes).
 #20245  by EP_X0FF
 Sun Jul 28, 2013 3:31 am
I don't think so.

Anything from this list:

1) full physical memory dump of this machine
2) all logs from MSE with detections, please
3) screenshot from WMI computer management -> disk management console listing all partitions Windows detects
4) put machine offline and dump all VBRs for inspection
5) try Windows Defender Offline
 #20247  by EP_X0FF
 Sun Jul 28, 2013 3:50 am
thisisu wrote:
    EP_X0FF wrote: 2) all logs from MSE with detections please
    I think this is what you're looking for. It was in the thread above but I've attached it for review.
Any chance you can:

1) dump this partition?
2) scan offline?
 #20248  by thisisu
 Sun Jul 28, 2013 4:01 am
EP_X0FF wrote: 2) scan offline?
Here is a scan from a tool called ListParts that was performed offline before the infection was removed by TDSSKiller.

I attached the resulting log here for easier access, but its contents can also be found at post #22 of the thread.
Thanks for looking into this.
Attachment: ListParts log (6.36 KiB).
 #20250  by thisisu
 Sun Jul 28, 2013 4:16 am
EP_X0FF wrote: So TDSSKiller removed Cidox and after this MSE still detects it in VBR?
No. Once TDSSKiller found and removed Cidox, MSE stopped reporting/detecting it. MSE kept detecting it but wasn't able to fix it alone.

Notice the errors below from MSE log:
Start time:07-15-2013 22:36:19
Threat Name:Trojan:DOS/Rovnix.D
Threat ID:2147680143
Action:remove
!ERROR
Resource action complete:Removal
Schema:boot
Path:\\.\PHYSICALDRIVE0\Partition1 (NTFS)
Threat ID:2147680143
Resource refcount:1
Result:1260
!ERROR
Finished threat ID:2147680143
Threat result:1260
Threat status flags:385
Finished threat actions
End time:07-15-2013 22:36:19
Result:0
Beginning threat actions
Start time:07-15-2013 22:36:19
Threat Name:Trojan:DOS/Rovnix.D
Threat ID:2147680143
Action:quarantine
!ERROR
Resource action complete:Quarantine
Schema:boot
Path:\\.\PHYSICALDRIVE0\Partition1 (NTFS)
Threat ID:2147680143
Resource refcount:1
Result:50
!ERROR
Finished threat ID:2147680143
Threat result:50
Threat status flags:385
Finished threat actions
End time:07-15-2013 22:36:19
Result:0
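As an added example (not part of the thread, and not an MSE tool), a small parser for MSE threat-action records like the excerpt above; it shows why the trailing "Result:0" is misleading: the per-threat "Threat result" (1260 for the removal, 50 for the quarantine) is the code that says the action failed. The log inside is a constructed sample trimmed from the quoted excerpt.

```python
import re

# Constructed sample modelled on the MSE excerpt in the post (not a real captured log).
SAMPLE_LOG = r"""Beginning threat actions
Threat Name:Trojan:DOS/Rovnix.D
Action:remove
!ERROR
Path:\\.\PHYSICALDRIVE0\Partition1 (NTFS)
Result:1260
!ERROR
Threat result:1260
Result:0
Beginning threat actions
Threat Name:Trojan:DOS/Rovnix.D
Action:quarantine
!ERROR
Path:\\.\PHYSICALDRIVE0\Partition1 (NTFS)
Result:50
!ERROR
Threat result:50
Result:0
"""


def parse_threat_actions(text):
    """One record per 'Beginning threat actions' block.  Keys split on the first
    colon only ('Trojan:DOS/Rovnix.D' contains colons).  'Result' occurs twice per
    block: the per-resource code before 'Threat result', then the batch status,
    which is 0 even when the action failed.  A leading chunk without a header
    (log cut mid-record, as in the post) is still parsed."""
    records = []
    for chunk in re.split(r"^Beginning threat actions$", text, flags=re.M):
        if "Threat Name:" not in chunk:
            continue  # preamble or blank text, not a record
        rec, done = {"errors": 0, "resource_result": None, "batch_result": None}, False
        for line in chunk.splitlines():
            if line.strip() == "!ERROR":
                rec["errors"] += 1
            elif ":" in line:
                key, value = line.split(":", 1)
                if key == "Threat result":
                    rec["threat_result"], done = int(value), True
                elif key == "Result":
                    rec["batch_result" if done else "resource_result"] = int(value)
                elif key in ("Threat Name", "Action", "Path"):
                    rec[key.lower().replace(" ", "_")] = value.strip()
        records.append(rec)
    return records


def failed_actions(records):
    """Records whose per-threat result is nonzero: logged but not completed."""
    return [r for r in records if r.get("threat_result", 0) != 0]
```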