New strange Virus ,Please help !

nima_bagheri
Posted: 01 March 2012 at 7:13am
Hey friends

In the past two weeks my team identified a strange computer malware on one of our client’s computers.

As an anti-malware developer, we reported this computer malware to the “Microsoft Malware Protection Center”
and they said they were very interested in our identification.

We contacted Microsoft MMPC and the CERT team, and the person who contacted us was “Tareq Saade”, who died on 19 Feb 2012 after
he sent us his final email on 19 Feb 2012.

http://www.redmond-reporter.com/news/140631323.html

http://blogs.technet.com/b/mmpc/archive/2012/02/28/in-memoriam-tareq-saade.aspx

We want to do this research to make him proud.

These are the malware features:

1. The worm blocks any kernel driver installation
(you cannot install any antivirus or anti-malware with kernel capability).

2. When you execute any program, the worm executes WMP.exe
(we checked the registry key like
“HKEY_CLASSES_ROOT\exefile\shell\Cmd\command”; this is not manipulated!)

The worm works with another mechanism.

3. There are 2 “Explorer.exe” on the system (one launched by SVChost.exe and the other is normal).

4. There is no installed kernel driver on it (the system and Windows are X64 platform).

All kernel drivers belonging to Microsoft and the other vendors are signed.

We ran the system in “Safe mode” but the worm works in Safe mode too.
(The only way to bypass worm activity is “Safe mode with command prompt”.)

5. The worm installed a debugger on the system.
The "IsDebuggerPresent" function result is true.

6. We tried to enumerate processes with “EnumProcessModules” and “OpenProcess”
but the result is nothing. (It seems the worm hooked those functions too.)

7. We tried to install more than 20 antivirus products and kernel-land tools but all these tools failed to install their own driver on the infected system.

It seems the virus ran another “Explorer.exe”, attached a module to it, and tries to block access to the module list via a kernel driver technique.
We tried to use “NtQuerySystemInformation” and “NtQueryObject” to enumerate kernel drivers, but the virus driver hooked these functions in kernel land.

We did not find out anything special and it seems all kernel drivers are signed.

And the final thing is we cannot install some monitor programs like “API Monitor” or “Process Monitor”.
Both failed to run.

If you guys see something like this please let us know.

Thank you all,
Security is the Key to Future
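A defender-side triage script for three of the symptoms in the post above (a second Explorer.exe started by svchost.exe, every program launch redirected to another binary, a debugger present). It is added here as an example and was not posted by nima_bagheri or anyone else in the thread; it assumes a Windows host with PowerShell 3 or later, run from an elevated prompt, and it only reads, never changes, the system.

```powershell
# Added triage script (not from the thread). Read-only; run as administrator.
# Assumes PowerShell 3+ with the CIM cmdlets available.

# 1. Every explorer.exe and the process that started it. The normal desktop
#    shell is started by userinit.exe, which exits afterwards, so its parent
#    usually shows as '<exited>'. A live svchost.exe parent matches symptom 3.
$procs = Get-CimInstance Win32_Process
$byPid = @{}
foreach ($p in $procs) { $byPid[[int]$p.ProcessId] = $p }
foreach ($e in ($procs | Where-Object { $_.Name -ieq 'explorer.exe' })) {
    $parent     = $byPid[[int]$e.ParentProcessId]
    $parentName = if ($parent) { $parent.Name } else { '<exited>' }
    # Note: a PID can be reused, so confirm a '<exited>' parent by creation time.
    $flag = if ($parentName -ieq 'svchost.exe') { 'SUSPICIOUS' } else { 'ok' }
    '{0,-10} explorer.exe pid={1} parent={2} ({3}) path={4}' -f `
        $flag, $e.ProcessId, $e.ParentProcessId, $parentName, $e.ExecutablePath
}

# 2. The verb Windows uses to start any .exe. The default value of
#    HKCR\exefile\shell\open\command should be exactly "%1" %* ; any other
#    command (for example a path to WMP.exe) means each program launch is
#    redirected, which is one known way to produce symptom 2.
$openKey = 'Registry::HKEY_CLASSES_ROOT\exefile\shell\open\command'
$openCmd = (Get-ItemProperty -Path $openKey -ErrorAction SilentlyContinue).'(default)'
if ($openCmd -ne '"%1" %*') { "SUSPICIOUS exefile open command: $openCmd" }
else                         { 'ok         exefile open command is the default' }

# 3. Image File Execution Options "Debugger" values. When present, Windows
#    starts the named binary with the target's command line instead of the
#    target itself, so this is the first place to look for a planted "debugger".
$ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
Get-ChildItem -Path $ifeo -ErrorAction SilentlyContinue | ForEach-Object {
    $dbg = (Get-ItemProperty -Path $_.PSPath -Name Debugger -ErrorAction SilentlyContinue).Debugger
    if ($dbg) { 'SUSPICIOUS IFEO debugger: {0} -> {1}' -f $_.PSChildName, $dbg }
}
```

Because the post reports user-mode enumeration APIs being hooked, treat a clean result from a live box as weak evidence; a second run from an offline mount of the disk or from a memory image is the stronger check.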
nima_bagheri
Posted: 16 March 2012 at 2:02pm
After 2 weeks, still not a single idea!?

No one has seen something like this?
ParavirtualizedRkt
Posted: 23 March 2012 at 9:53am
How about Venak and Avenak bro?
skyxie
Posted: 18 April 2012 at 4:59am
Does the infected system have any special startup option in the boot.ini?

Or maybe you need to get the infected drive mounted on another normal system and scan the files.
nima_bagheri
Posted: 20 June 2012 at 7:23am
This is not the Flame virus.
Roselienjessie
Posted: 25 July 2012 at 7:25am
Did you perform a scan with the antivirus?
engmod5
Posted: 25 July 2012 at 10:47am
Take the disk out and examine it in another system.
regards

derek
Cephexin
Posted: 04 October 2012 at 10:07pm
Originally posted by nima_bagheri (the first post in this thread, quoted in full):

Ah. I'm just seeing this thread right now.

What about taking a memory dump snapshot?
Have you tried to connect-and-debug through a remote machine?
myazdi
Posted: 05 October 2012 at 5:18pm
Hi,
First of all let me ask you something: what do you want to do? I mean you have 3 choices:

1. Use Panda ActiveScan (online scanner)

2. Use a bootable CD (bootable scanner using the command prompt)
*A. Download this file, B. write it, C. boot from this disk

3. Or you can contact me; I can remotely help you to fix it.
*(If you can't run executable files on Windows you can do it in the bootable CD environment; you can run TeamViewer this way.)


Best Regards
hypheni
Posted: 28 October 2012 at 10:36am
Did you try to run GMER or RootRepeal with the original file renamed to some random string .exe?

These also use some kernel driver and probably use the APIs you people have already tried, but I am still asking, in case this helps.