New strange Virus, Please help!
nima_bagheri
Newbie
Joined: 29 November 2007 Location: Iran Status: Offline Points: 37
Posted: 01 March 2012 at 7:13am
Hey friends

In the past two weeks my team identified a strange computer malware on one of our client's computers. As an anti-malware developer, we reported this computer malware to the "Microsoft Malware Protection Center" and they said they were very interested in our identification. We contacted the Microsoft MMPC and CERT team, and the person who was in contact with us was "Tareq Saade", who died on 19 Feb 2012 after he sent us his final email on 19 Feb 2012:
http://www.redmond-reporter.com/news/140631323.html
http://blogs.technet.com/b/mmpc/archive/2012/02/28/in-memoriam-tareq-saade.aspx

We want to do this research to make him proud. These are the malware features:

1. The worm blocks any kernel driver installation (you cannot install any antivirus or anti-malware with kernel capability).
2. When you execute any program, the worm executes WMP.exe (we checked the registry key "HKEY_CLASSES_ROOT\exefile\shell\Cmd\command"; it is not manipulated!). The worm works with another mechanism.
3. There are 2 "Explorer.exe" on the system (one launched by SVChost.exe and the other is normal).
4. There is no installed kernel driver on it (the system and Windows are the x64 platform). All kernel drivers belong to Microsoft, and the other vendors' drivers are signed. We ran the system in "Safe mode" but the worm works in Safe mode too. (The only way to bypass the worm's activity is "Safe mode with command prompt".)
5. The worm installed a debugger on the system. The "IsDebuggerPresent" function result is true.
6. We tried to enumerate processes with "EnumProcessModules" and "OpenProcess" but the result is nothing. (It seems the worm hooked those functions too.)
7. We tried to install more than 20 antivirus products and kernel-land tools but all these tools failed to install their own driver on the infected system. It seems the virus ran another "Explorer.exe", attached a module to it, and tries to block access to the module list via a kernel driver technique.

We tried to use "NtQuerySystemInformation" and "NtQueryObject" to enumerate kernel drivers, but the virus driver hooked these functions in kernel land. We did not find out anything special and it seems all kernel drivers are signed. And the final thing is we cannot install some monitor programs like "API Monitor" or "Process Monitor"; both failed to run. If you guys see something like this please let us know. Thank you all.
Security is the Key to Future
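An added example for the symptoms listed in the post above (hooked process and driver enumeration, a second explorer.exe under svchost.exe). This is not code from the thread or from any product named in it; it is a defender's cross-view check written for an elevated PowerShell session on the suspect host. It lists kernel-driver services through three independent paths (CIM, driverquery.exe, and the registry services key) and reports names that appear in one view but not the others, then lists every explorer.exe with its parent. The function names are my own.

```powershell
# Added example, not code from the thread. Assumes an elevated PowerShell 5.1 or later
# session on the suspect Windows host. Cross-view detection: enumerate the same objects
# through several independent paths and report what appears in one view but not another.
# A hook that filters one enumeration path rarely filters all of them.

function Get-DriverCrossView {
    # View 1: Service Control Manager, queried through CIM
    $cimNames = Get-CimInstance -ClassName Win32_SystemDriver |
        ForEach-Object { $_.Name.ToLowerInvariant() }

    # View 2: driverquery.exe, a separate client of the same SCM database
    $dqNames = driverquery.exe /fo csv /nh |
        ConvertFrom-Csv -Header Module, DisplayName, Type, LinkDate |
        ForEach-Object { $_.Module.ToLowerInvariant() }

    # View 3: the services key read directly; Type 1 = kernel driver, 2 = file-system driver
    $regNames = Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' |
        Where-Object { (Get-ItemProperty $_.PSPath).Type -in 1, 2 } |
        ForEach-Object { $_.PSChildName.ToLowerInvariant() }

    [PSCustomObject]@{
        OnlyInRegistry    = $regNames | Where-Object { ($_ -notin $cimNames) -and ($_ -notin $dqNames) }
        OnlyInCim         = $cimNames | Where-Object { $_ -notin $regNames }
        OnlyInDriverQuery = $dqNames  | Where-Object { $_ -notin $regNames }
    }
}

function Get-ExplorerParents {
    # Report every explorer.exe with its parent process. A second instance whose parent is
    # svchost.exe matches the symptom described in the thread and deserves a closer look.
    $procs = Get-CimInstance -ClassName Win32_Process
    $byPid = @{}
    foreach ($p in $procs) { $byPid[$p.ProcessId] = $p }

    $procs | Where-Object { $_.Name -ieq 'explorer.exe' } | ForEach-Object {
        $parent = $byPid[$_.ParentProcessId]
        [PSCustomObject]@{
            Pid        = $_.ProcessId
            Path       = $_.ExecutablePath
            ParentPid  = $_.ParentProcessId
            ParentName = if ($parent) { $parent.Name } else { '<exited>' }
            Suspicious = [bool]($parent -and ($parent.Name -ieq 'svchost.exe'))
        }
    }
}

Get-DriverCrossView | Format-List
Get-ExplorerParents | Format-Table -AutoSize
```

Differences between the views are leads, not proof: each view is a different client of the same registry data, so a name that the registry shows but CIM and driverquery do not usually means one of those paths is being filtered. A hook that sits below all three paths (in the registry APIs themselves) defeats this check entirely, which is why the later replies in the thread suggest examining the disk from a clean system.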
nima_bagheri
Newbie
Joined: 29 November 2007 Location: Iran Status: Offline Points: 37
Posted: 16 March 2012 at 2:02pm
After 2 weeks, still not a single idea!?
Has no one seen something like this?
Security is the Key to Future
ParavirtualizedRkt
Newbie
Joined: 23 March 2012 Status: Offline Points: 2
Posted: 23 March 2012 at 9:53am
How about Venak and Avenak bro?
skyxie
Newbie
Joined: 06 April 2012 Status: Offline Points: 1
Posted: 18 April 2012 at 4:59am
Does the infected system have any special startup option in the boot.ini?
Or maybe you need to get the infected drive mounted on another normal system and scan the files.
nima_bagheri
Newbie
Joined: 29 November 2007 Location: Iran Status: Offline Points: 37
Posted: 20 June 2012 at 7:23am
This is not the Flame virus.
Security is the Key to Future
Roselienjessie
Newbie
Joined: 25 July 2012 Location: US Status: Offline Points: 1
Posted: 25 July 2012 at 7:25am
Did you perform a scan with the antivirus?
engmod5
Groupie
Joined: 02 March 2009 Location: Eltham, Vic, Oz Status: Offline Points: 79
Posted: 25 July 2012 at 10:47am
Take the disk out and examine it in another system.
regards
derek
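An added example of the offline examination that skyxie and derek suggest above (mount the suspect disk on a clean system and inspect it from there). This is my own PowerShell, not code from the thread or from any product named in it. It loads the suspect SYSTEM and SOFTWARE hives read-only from the attached disk, enumerates the kernel and file-system driver services the installation would start, hashes and signature-checks each driver image on disk, and lists any Image File Execution Options "Debugger" values, which is one standard place to check when every program launch is redirected to another executable. The drive letter E: and the function names are assumptions.

```powershell
# Added example, not code from the thread. Run on a clean analysis system with the suspect
# disk attached; the suspect Windows directory is assumed to be E:\Windows (hypothetical).
# Needs an elevated session because reg.exe load requires it. Nothing here executes any
# file from the suspect volume: the hives are read, the files are hashed and inspected.

$SuspectRoot  = 'E:\Windows'                        # assumption: mounted suspect volume
$SuspectDrive = Split-Path $SuspectRoot -Qualifier  # 'E:'

function Mount-SuspectHive {
    param([string]$Name, [string]$File)
    reg.exe load "HKLM\$Name" $File | Out-Null
    return "HKLM:\$Name"
}

function Dismount-SuspectHive {
    param([string]$Name)
    [GC]::Collect()   # drop handles PowerShell may still hold, or the unload fails
    reg.exe unload "HKLM\$Name" | Out-Null
}

function Resolve-SuspectPath {
    param([string]$ImagePath)
    # Service ImagePath values appear as 'system32\drivers\x.sys', '\SystemRoot\system32\...'
    # or '\??\C:\...'. Map each shape onto the mounted suspect volume.
    $p = $ImagePath -replace '^\\\?\?\\', ''
    if ($p -match '^\\SystemRoot\\(.*)$') { return Join-Path $SuspectRoot $Matches[1] }
    if ($p -match '^[A-Za-z]:(\\.*)$')   { return $SuspectDrive + $Matches[1] }
    return Join-Path $SuspectRoot $p
}

function Get-SuspectDrivers {
    # Enumerate kernel (Type 1) and file-system (Type 2) driver services from the offline
    # SYSTEM hive, then hash and signature-check each image on the suspect disk.
    $sys = Mount-SuspectHive -Name 'SuspectSYSTEM' -File "$SuspectRoot\System32\config\SYSTEM"
    try {
        $current = (Get-ItemProperty "$sys\Select").Current   # which ControlSet boots
        $cs = '{0}\ControlSet{1:D3}' -f $sys, $current
        foreach ($svc in Get-ChildItem "$cs\Services") {
            $props = Get-ItemProperty $svc.PSPath
            if (($props.Type -notin 1, 2) -or (-not $props.ImagePath)) { continue }
            $file   = Resolve-SuspectPath $props.ImagePath
            $exists = Test-Path -LiteralPath $file
            [PSCustomObject]@{
                Service   = $svc.PSChildName
                Start     = $props.Start   # 0 boot, 1 system, 2 auto, 3 manual, 4 disabled
                ImagePath = $props.ImagePath
                OnDisk    = $exists
                Sha256    = if ($exists) { (Get-FileHash -LiteralPath $file -Algorithm SHA256).Hash } else { $null }
                Signature = if ($exists) { (Get-AuthenticodeSignature -LiteralPath $file).Status } else { $null }
            }
        }
    } finally {
        Dismount-SuspectHive -Name 'SuspectSYSTEM'
    }
}

function Get-SuspectIfeoDebuggers {
    # An Image File Execution Options 'Debugger' value makes Windows start that program
    # in place of the named executable; list any that are set in the offline SOFTWARE hive.
    $sw = Mount-SuspectHive -Name 'SuspectSOFTWARE' -File "$SuspectRoot\System32\config\SOFTWARE"
    try {
        $ifeo = 'Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
        foreach ($base in @("$sw\$ifeo", "$sw\Wow6432Node\$ifeo")) {
            if (-not (Test-Path $base)) { continue }
            foreach ($key in Get-ChildItem $base) {
                $dbg = (Get-ItemProperty $key.PSPath -ErrorAction SilentlyContinue).Debugger
                if ($dbg) { [PSCustomObject]@{ Executable = $key.PSChildName; Debugger = $dbg } }
            }
        }
    } finally {
        Dismount-SuspectHive -Name 'SuspectSOFTWARE'
    }
}

Get-SuspectDrivers | Sort-Object Signature, Service |
    Export-Csv -NoTypeInformation -Path 'suspect-drivers.csv'
Get-SuspectIfeoDebuggers | Format-Table -AutoSize
```

Because nothing from the infected installation runs during this pass, the hooks the first post describes cannot interfere with the listing. One caveat on the Signature column: Get-AuthenticodeSignature validates catalog-signed files against the analysis machine's own catalog store, so in-box Microsoft drivers from a different Windows build may show as NotSigned there; treat that column as a triage hint and rely on the SHA256 values (compare them against a known-clean installation of the same build, or submit them) for the final call.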
Cephexin
Newbie
Joined: 07 May 2007 Location: Iran Status: Offline Points: 1
Posted: 04 October 2012 at 10:07pm

Ah. I'm just seeing this thread right now. What about taking a memory dump snapshot? Have you tried to connect-and-debug through a remote machine?
myazdi
Newbie
Joined: 05 October 2012 Status: Offline Points: 1
Posted: 05 October 2012 at 5:18pm
Hi,
First of all let me ask you something: what do you want to do? I mean you have 3 choices:
1. Use Panda ActiveScan (online scanner)
2. Use a bootable CD (bootable scanner, using the command prompt)*: A. download this file, B. write it, C. boot from this disk
3. Or you can contact me; I can remotely help you to fix it.
*(If you can't run executable files on Windows you can do it in the bootable CD environment; you can run TeamViewer this way.)
Best Regards
hypheni
Newbie
Joined: 24 October 2012 Location: India Status: Offline Points: 1
Posted: 28 October 2012 at 10:36am
Did you try to run GMER or RootRepeal with the original file renamed to some random string .exe?
These also use some kernel driver and probably use the APIs that you people already tried, but still asking, in case this helps.