
latest database not finding rustock rootkit/spam bot



Greetings. New forum user, long-time app user.

I have a laptop that (according to the DNSBL report I got from mxtoolbox.com) is infested with the Rustock rootkit / spambot malware application. I have run a full scan of the system using Malwarebytes Anti-Malware which yielded zero results.

I would certainly like it to be detected, as opposed to having to try other programs. Is there somewhere I can submit some information from the system to have this rootkit added to the list of detected malware?


I would be glad to, but the rootkit portion of the spambot is very effective at hiding it. Not sure where to even start looking. But I will try.

Yikes, editing posts is disabled it would seem.

I think to clarify, by "not sure where to start" I mean I have already checked the usual registry suspects, as well as some forum posts where people are saying where to look for this particular one. The file they say is the key is lzx32.sys. I am unable to find that file anywhere on my system.

I can, however, direct you to a link with an analysis of it, if that is any help:

http://www.usenix.org/event/hotbots07/tech...ng/chiang_html/

I will try harder to find the file.


  • Staff

OK, let's break out a tool to see if we can find that file.

Go to this link.

http://www.gmer.net/

Download the GMER application (the "Download EXE" button).

After it has downloaded, run it. It may detect the hidden file right away in red text. Note the path and filename (probably windir\system32\drivers) if it's detected.

Click on the arrows tab up top after it's done scanning and then go to the Files tab. Navigate in the left pane to the windows\system32\drivers folder.

Then, once you click on drivers in the left pane, look in the right pane and see if you can find the file. Checking the "Only hidden" box may help narrow it down. If it's not hidden, this will prevent you from seeing it, though, so try first without it.

If you find it, select the file and hit the Copy button. Select where you want to copy it to, and you will have to give it a name in the copy box like bad.vir or whatever you want. Don't name it the exact same thing as the original file or the rootkit may hide it.

Hit Save. You can close GMER after that.

Then, using Windows Explorer, go to where you saved it, zip it up and submit it.

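The staff post above relies on GMER's cross-view trick: compare what the kernel says is there with what the normal file-listing API shows, and treat a mismatch as a hidden object. The script below is an added example, not code from the original post or from GMER, that does the same comparison from an elevated PowerShell prompt for the drivers folder, then performs the "copy under a different name and zip it" step for submission. It assumes Windows with PowerShell 5 or later (for Compress-Archive), running as Administrator; the file name lzx32.sys is the one quoted in the thread, and the output folder and the name bad.vir are arbitrary choices. A rootkit that filters directory listings for user-mode processes can hide the file from Get-ChildItem just as it hides it from Explorer, so this complements GMER rather than replacing it.

```powershell
# Added example: cross-view check for a hidden driver file, then copy-and-zip
# for sample submission. Assumes PowerShell 5+, run as Administrator.
param(
    [string]$Suspect = 'lzx32.sys',                       # file name quoted in the thread
    [string]$OutDir  = "$env:USERPROFILE\Desktop\sample"  # hypothetical output folder
)

$driversDir = Join-Path $env:SystemRoot 'System32\drivers'

# Win32_SystemDriver reports paths in several forms; bring them to C:\... form.
function Normalize-DriverPath([string]$p) {
    $p = $p -replace '^\\\?\?\\', ''                    # \??\C:\...        -> C:\...
    $p = $p -replace '^\\SystemRoot', $env:SystemRoot   # \SystemRoot\...   -> C:\Windows\...
    if ($p -notmatch '^[A-Za-z]:\\') {                  # system32\drivers\x.sys (relative)
        $p = Join-Path $env:SystemRoot $p
    }
    return $p
}

# View 1: drivers registered with the service control manager, with their on-disk path.
$registered = Get-CimInstance Win32_SystemDriver |
    Where-Object { $_.PathName } |
    Select-Object Name, State, @{ n = 'Path'; e = { Normalize-DriverPath $_.PathName } }

# View 2: what the file system API shows, including hidden and system files.
$onDisk      = Get-ChildItem -Path $driversDir -Force -File -ErrorAction SilentlyContinue
$onDiskNames = @($onDisk | ForEach-Object { $_.Name.ToLowerInvariant() })

# Discrepancy: a registered driver under the drivers folder with no visible file.
$missing = foreach ($d in $registered) {
    $leaf = (Split-Path -Leaf $d.Path).ToLowerInvariant()
    if ($d.Path -like "$driversDir\*" -and $onDiskNames -notcontains $leaf) { $d }
}
if ($missing) {
    Write-Host 'Registered drivers with no visible file (possible hidden file):'
    $missing | Format-Table Name, State, Path -AutoSize
} else {
    Write-Host 'No registered driver is missing from the directory listing.'
}

# Direct check for the suspect name in both views.
$hit     = $registered | Where-Object { (Split-Path -Leaf $_.Path) -ieq $Suspect }
$visible = Test-Path -LiteralPath (Join-Path $driversDir $Suspect)
Write-Host ('{0}: registered={1} visible on disk={2}' -f $Suspect, [bool]$hit, $visible)

# If the file is visible, copy it under a different name (so a name-based filter
# in the rootkit does not hide the copy), record its hash, and zip it for submission.
if ($visible) {
    New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
    $copy = Join-Path $OutDir 'bad.vir'
    Copy-Item -LiteralPath (Join-Path $driversDir $Suspect) -Destination $copy -Force
    Get-FileHash -Algorithm SHA256 -LiteralPath $copy | Format-List Hash, Path
    Compress-Archive -LiteralPath $copy -DestinationPath (Join-Path $OutDir 'sample.zip') -Force
}
```

Run it as `.\find-hidden-driver.ps1` (or with `-Suspect othername.sys` for a different file); any driver listed under "no visible file" is the candidate to locate with GMER's Files tab, and the SHA256 printed for the copy lets the analyst confirm the submitted sample is the file you saw.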


The system is not even booting now. I think I am going to do a fresh install to be safe.

I do have a backup of the system, though, so I will plan on finding this file and submitting it to you today or tomorrow. Incidentally I also found a program which claims to remove this rootkit here:

http://forums.majorgeeks.com/showthread.php?t=111077


When booting in safe mode, it stops at some .sys file. Sorry I forget which. I think this is unrelated and that the hard drive is on the way out. I just mean that I can't test things for you actively unfortunately.

Again I do have a full backup so I hope to find the file for you and submit it.
