Attacks Malwarebytes & Ad-Aware, survives low level format


Well, this is a good one. This virus not only attacks Malwarebytes (makes it impossible to install Malwarebytes but also infects it if you manage to install it) but also attacks Ad-Aware (again, makes it virtually impossible to install, but if you get around that, then it won't run) but the really impressive thing is, it actually survived a full low level format (used Linux to literally write zeroes to every single sector . . . and it survived!).

So, some specific details followed by a HijackThis log, a GMER log, a DDS log and a ComboFix log:

Whatever this is, it directly attacks Malwarebytes (but does NOT attack Spybot or Avira) - in the full blown infection (prior to low level formatting the infected hard disk), it was impossible to install Malwarebytes without changing the name of the Malwarebytes install program to something else - attempting to install Malwarebytes without a name change generated an error message of MBAM_ERROR_LOAD_DATABASE (0,5).

Also, just to be sure, after Malwarebytes installation, I changed the Malwarebytes executable (Mbam.exe) name to something else (in this case, explorer.exe)

BUT even after all of that, Malwarebytes crashed during scanning giving, in one instance, the error message of MBAM_ERROR_CHECK_INFECTED (0,7).

Also, a side symptom - by cutting and pasting the error message, "MBAM_ERROR_CHECK_INFECTED (0,7)" into Google search, once I actually located a web page with that error message, the virus actually shut down the browser (Firefox) the second it recognized "MBAM_ERROR_CHECK_INFECTED (0,7)" on the web page!

It also attacks Ad-Aware: during install from hard disk, it will say that the actual install file is corrupt and it will fail (after multiple attempts, it did manage to get slightly further, and then informed me that a .cab file was corrupt and then failed). However, if installing the exact same file from a CD (so that whatever is attacking it can't corrupt the actual install file), THEN it will install.

However, even if you do get it to install and update, then it won't run. Instead, it will attempt to load (screen message: "Loading...") and then crashes with a pop up window (Connection Error) stating that Ad-Aware "Failed to connect to service" and the program crashes.

But here's the fun part: after literally zeroing out every single sector on the previously-infected hard drive, and then doing a fresh install of Windows XP SP2, guess what? The virus was not only still there!

Here's what happened. After (again) literally writing zeroes to every single sector of the hard disk (this low level reformatted hard disk had been previously infected with this unknown virus), and with a fresh brand new install of Windows (Windows XP, SP2), the very first thing I did was to use Internet Explorer to go straight to Mozilla.org to download Firefox, and simultaneously go to Download.com to download Ad-Aware.

In BOTH cases, after going to the download page for both programs, Internet Explorer informed me that it "can't download" either program, so the virus actually recognized what I was doing and prevented me from downloading (!), i.e., on a just-low level-formatted hard disk with a fresh install of Windows XP SP2, the virus survived (!!) AND was still able to tell when I was trying to download Ad-Aware or Firefox (!!!).

Again, however, by copying the install programs for Firefox and Ad-Aware onto a CD from another uninfected computer, I was able to install both Firefox and Ad-Aware from CD (same for Malwarebytes).

On the newly-formatted hard drive/Windows XP SP2, after installation from CD only (NOT from hard disk), Firefox now works and Malwarebytes runs without the problems of the pre-reformatted HD (see paragraph 2 above) yet it doesn't find anything (I also used Firefox to download and install Avira, but Avira doesn't find anything either). But even though Firefox and Malwarebytes appear to work on this system, the important part of that sentence was I had to install BOTH Malwarebytes and Firefox (and Ad-Aware) from CD - installing Malwarebytes or Ad-Aware from the hard disk itself was (and still is) impossible.

Ad-Aware, on the other hand, after the install from a CD and updating, will still NOT run. It will attempt to load (screen message: "Loading...") and then crashes with a pop up window (Connection Error) stating that Ad-Aware "Failed to connect to service" and the program crashes.

Again, keep in mind that this is on a just reformatted hard disk (low level format with zeroes written to all hard disk sectors - we reformatted the hard drive on a Linux machine) with a fresh install of Windows XP SP2.

A quick check of Google shows that there are recent specific viruses (the latest Koobface, Zeus and a very new unnamed virus) that both attack Malwarebytes (and Ad-Aware) and take advantage of techniques to survive low level formatting (i.e., the virus writes itself to a sector and then tells the hard drive that that specific sector is a bad sector and the hard drive will then add it to the hard disk defects list and literally skip over the virus hiding location thereby allowing it to survive even low level reformat).

Finally, a possible side symptom: I can no longer write to CDRs or DVDRs on the infected machine. When I use Windows to write to a CDR, it will write to CD but in the last 5% of the process, it always fails to close the CD so the CD is now written but useless. Alternatively, if I use something like Nero, it says ANY blank CDR is actually full and will refuse to even try to write to it.

Also, if you try to copy something from a locked formatted floppy disk, it won't let you copy. But if you unlock the disk (allowing the virus to infect the floppy), THEN it lets you copy (classic virus symptom).

But that's about it for symptoms (at least the ones I've noticed).

So, does anyone know how I detect this and how I can get rid of it? Especially since it can survive a low level format, this should be rather interesting.

Here are all those logs:

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 3:15:37 AM, on 10/18/2010
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Nightshift\Desktop\HijackThis.exe

O4 - HKLM\..\Run: [CmPCIaudio] RunDll32 CMICNFG3.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe

--
End of file - 1740 bytes

=========

GMER rootkit scan log:

GMER 1.0.15.15319 - http://www.gmer.net
Rootkit scan 2010-10-18 04:49:07
Windows 5.1.2600 Service Pack 2
Running: eveib4vk.exe; Driver: C:\DOCUME~1\MICROS~1\LOCALS~1\Temp\ufldyaob.sys

---- System - GMER 1.0.15 ----

SSDT F8C61AB6 ZwCreateKey
SSDT F8C61AAC ZwCreateThread
SSDT F8C61ABB ZwDeleteKey
SSDT F8C61AC5 ZwDeleteValueKey
SSDT F8C61ACA ZwLoadKey
SSDT F8C61A98 ZwOpenProcess
SSDT F8C61A9D ZwOpenThread
SSDT F8C61AD4 ZwReplaceKey
SSDT F8C61ACF ZwRestoreKey
SSDT F8C61AC0 ZwSetValueKey

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Mozilla Firefox\firefox.exe[676] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 004013F0 C:\Program Files\Mozilla Firefox\firefox.exe (Firefox/Mozilla Corporation)

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----

=========

DDS log:

DDS (Ver_10-10-10.03) - NTFSx86
Run by Nightshift at 23:56:21.13 on Tue 10/19/2010
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.512.388 [GMT -7:00]

AV: AntiVir Desktop *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Nightshift\Desktop\dds.scr

============== Pseudo HJT Report ===============

mRun: [CmPCIaudio] RunDll32 CMICNFG3.cpl,CMICtrlWnd
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\micros~1\applic~1\mozilla\firefox\profiles\8tync1f1.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);

============= SERVICES / DRIVERS ===============

R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2010-10-17 11608]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2010-10-17 135336]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2010-10-17 267432]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2010-10-17 60936]
R3 hpt4qic;hpt4qic;c:\windows\system32\drivers\hpt4qic.sys [2010-10-16 5760]

=============== Created Last 30 ================

2010-10-18 05:47:18 -------- d-----w- c:\windows\system32\NtmsData
2010-10-18 05:40:08 -------- d-----w- c:\docume~1\micros~1\applic~1\Avira
2010-10-18 05:12:38 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-10-18 04:49:54 -------- d-----w- c:\docume~1\micros~1\locals~1\applic~1\Sunbelt Software
2010-10-18 04:45:13 -------- dc----w- c:\docume~1\alluse~1\applic~1\{ECC164E0-3133-4C70-A831-F08DB2940F70}
2010-10-18 04:44:30 -------- d-----w- c:\program files\Lavasoft
2010-10-18 02:57:57 -------- d-----w- c:\docume~1\micros~1\applic~1\Malwarebytes
2010-10-18 02:39:29 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-10-18 02:39:29 -------- d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2010-10-18 02:37:18 -------- d-----w- c:\docume~1\micros~1\locals~1\applic~1\Mozilla
2010-10-18 02:30:48 60936 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2010-10-18 02:30:46 -------- d-----w- c:\program files\Avira
2010-10-18 02:30:46 -------- d-----w- c:\docume~1\alluse~1\applic~1\Avira
2010-10-18 02:29:33 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-10-18 02:29:30 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-10-18 02:29:30 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-10-18 02:29:30 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes

==================== Find3M ====================

============= FINISH: 23:58:12.88 ===============

=========

ComboFix log:

ComboFix 10-10-19.02 - Nightshift 10/20/2010 0:08.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.512.366 [GMT -7:00]
Running from: c:\documents and settings\Nightshift\Desktop\ComboFix.exe
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
* Created a new restore point
.
((((((((((((((((((((((((( Files Created from 2010-09-20 to 2010-10-20 )))))))))))))))))))))))))))))))
.
No new files created in this timespan
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-03-02 282792]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [10/17/2010 7:30 PM 135336]
R3 hpt4qic;hpt4qic;c:\windows\system32\drivers\hpt4qic.sys [10/16/2010 8:50 PM 5760]
.
.
------- Supplementary Scan -------
.
FF - ProfilePath - c:\documents and settings\Nightshift\Application Data\Mozilla\Firefox\Profiles\8tync1f1.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-CmPCIaudio - CMICNFG3.cpl
.
Completion time: 2010-10-20 00:16:49
ComboFix-quarantined-files.txt 2010-10-20 07:16

Pre-Run: 246,700,527,616 bytes free
Post-Run: 246,703,337,472 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - F01DC155E5F661BABD2F02E7DE9AD790
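One defender-side way to test the defect-list hypothesis raised in the post (the virus marking its own sector bad so the drive skips it): take a `smartctl -A` snapshot of the drive before the zero-fill and another after the fresh Windows install, then look for growth in the reallocated and pending sector counters, since a sector the drive remaps or flags shows up there. This is an added example, not code or data from the original poster; the attribute table layout and IDs 5/196/197/198 are the standard smartmontools ones, and both dumps in the block are constructed sample data.

```python
"""Compare SMART sector-health counters between two `smartctl -A` snapshots.

Added example, not part of the forum post. Take one snapshot before the
zero-fill and one after the fresh install; any sector the drive remapped
or flagged in between shows up as growth in attributes 5/196/197/198.
"""
import re

# Attribute IDs whose RAW_VALUE grows only when the drive remaps or flags sectors.
SECTOR_ATTRS = {5: "Reallocated_Sector_Ct", 196: "Reallocated_Event_Count",
                197: "Current_Pending_Sector", 198: "Offline_Uncorrectable"}

# One row of the smartctl -A table: ID, name, flag, value, worst, thresh,
# type, updated, when_failed, raw (only the leading integer of raw is kept).
_ROW = re.compile(r"^\s*(\d+)\s+(\S+)\s+0x[0-9a-fA-F]{4}\s+\d+\s+\d+\s+\d+"
                  r"\s+\S+\s+\S+\s+\S+\s+(\d+)")

def parse_attributes(text):
    """Return {attribute_id: raw_value} for every attribute row in a dump."""
    attrs = {}
    for line in text.splitlines():
        m = _ROW.match(line)
        if m:
            attrs[int(m.group(1))] = int(m.group(3))
    return attrs

def sector_delta(before, after):
    """Sector attributes whose raw value rose between the two snapshots."""
    return {name: (before.get(i, 0), after.get(i, 0))
            for i, name in SECTOR_ATTRS.items()
            if after.get(i, 0) > before.get(i, 0)}

# Constructed smartctl -A excerpts (header plus four rows), not real drive data.
BEFORE = """\
ID# ATTRIBUTE_NAME          FLAG     VALUE WORST THRESH TYPE      UPDATED  WHEN_FAILED RAW_VALUE
  1 Raw_Read_Error_Rate     0x000f   100   100   051    Pre-fail  Always       -       0
  5 Reallocated_Sector_Ct   0x0033   100   100   005    Pre-fail  Always       -       0
194 Temperature_Celsius     0x0022   037   045   000    Old_age   Always       -       37 (Min/Max 20/45)
197 Current_Pending_Sector  0x0012   100   100   000    Old_age   Always       -       0
"""
AFTER = """\
ID# ATTRIBUTE_NAME          FLAG     VALUE WORST THRESH TYPE      UPDATED  WHEN_FAILED RAW_VALUE
  1 Raw_Read_Error_Rate     0x000f   100   100   051    Pre-fail  Always       -       0
  5 Reallocated_Sector_Ct   0x0033   100   100   005    Pre-fail  Always       -       3
194 Temperature_Celsius     0x0022   035   045   000    Old_age   Always       -       35 (Min/Max 20/45)
197 Current_Pending_Sector  0x0012   100   100   000    Old_age   Always       -       1
"""

if __name__ == "__main__":
    print(sector_delta(parse_attributes(BEFORE), parse_attributes(AFTER)))
```

Counters that do not move across the wipe and reinstall mean the drive remapped nothing in that window, so the hiding place would have to be somewhere other than the defect list.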
