Rootkit Virus

Started by john, Jan 13, 2008, 20:44:02


john

I saw this on the BBC news technology website regarding a Windows Rootkit Virus : http://news.bbc.co.uk/1/hi/technology/7183008.stm


If you follow the link to the GMER webpage you can navigate to download the 'catchme.exe' utility that detects if your machine has been infected, or click on the link here : http://www.gmer.net/catchme.php

I downloaded the 'catchme.exe' file and executed it as 'administrator'. After running it, it produced the following log file on my machine :

catchme 0.2 W2K/XP/Vista - userland rootkit detector by Gmer, 17 October 2006
http://www.gmer.net

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
  DLCXCATS = rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCXtime.dll,_RunDLLEntry@16........
scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Presumably if it reports that it has detected a virus then you will want to remove it. If you follow this link http://www2.gmer.net/mbr/ it gives (technical) details about the virus and near the bottom it says :

'To remove rootkit from infected machine you can simply use "Recovery Console" command: fixmbr.'

However the Windows "Help and Support Centre" (accessed by 'Start -> Help and Support' on your PC) has the following note regarding 'fixmbr' :

"If an invalid or nonstandard partition table signature is detected, you will be prompted whether you want to continue. If you are not having problems accessing your drives, you should not continue. Writing a new master boot record to your system partition could damage your partition tables and cause your partitions to become inaccessible."

Fortunately my machine appears not to have been infected, but if it was I'm not sure whether I'd want to use the 'fixmbr' command in the recovery console after reading the above warning.
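The fixmbr warning above turns on the state of the MBR's partition table and its boot signature, so it helps to know what a 512-byte MBR actually contains before deciding to overwrite it. The following Python script is an added example written for this thread; it is not part of the original post, nor GMER's catchme or MBR tools. It parses an MBR image, checks the 0x55AA boot signature (the "partition table signature" the Windows note refers to) and the partition entries, and hashes the 446-byte boot code region (the part an MBR rootkit such as Mebroot replaces) so it can be compared with a known-good baseline. The MBR images below are constructed test data, not sectors captured from a real disk, and the baseline hash is simply taken from the constructed clean image. The device path in read_physical_mbr is an assumption about where the caller's first disk lives and requires administrator rights.

```python
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 446           # bytes 0-445: boot code, the region an MBR rootkit overwrites
PART_TABLE_OFF = 446          # four 16-byte partition entries follow the boot code
BOOT_SIGNATURE = b"\x55\xAA"  # bytes 510-511 on a standard MBR


def build_mbr(boot_code: bytes, partitions: list, signature: bytes = BOOT_SIGNATURE) -> bytes:
    """Assemble a 512-byte MBR image. Used here only to construct sample data."""
    if len(boot_code) > BOOT_CODE_LEN:
        raise ValueError("boot code too long")
    table = b""
    for status, ptype, lba_start, sectors in partitions:
        # status, CHS start (3 bytes, left zero), type, CHS end, LBA start, sector count
        table += struct.pack("<B3sB3sII", status, b"\0\0\0", ptype, b"\0\0\0", lba_start, sectors)
    table = table.ljust(64, b"\0")  # unused slots stay zeroed (type 0 = empty)
    return boot_code.ljust(BOOT_CODE_LEN, b"\0") + table + signature


def parse_mbr(mbr: bytes) -> dict:
    """Split an MBR into boot-code hash, signature check and non-empty partition entries."""
    if len(mbr) != MBR_SIZE:
        raise ValueError("MBR must be exactly %d bytes" % MBR_SIZE)
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        status, _chs_s, ptype, _chs_e, lba_start, sectors = struct.unpack(
            "<B3sB3sII", mbr[off:off + 16])
        if ptype != 0:
            partitions.append({"status": status, "type": ptype,
                               "lba_start": lba_start, "sectors": sectors})
    return {
        "boot_code_sha256": hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest(),
        "signature_ok": mbr[510:512] == BOOT_SIGNATURE,
        "partitions": partitions,
    }


def check_mbr(mbr: bytes, known_good_boot_sha256: str) -> list:
    """Return a list of findings; an empty list means nothing looked wrong."""
    info = parse_mbr(mbr)
    findings = []
    if not info["signature_ok"]:
        findings.append("nonstandard boot signature (bytes 510-511 are not 55 AA)")
    if info["boot_code_sha256"] != known_good_boot_sha256:
        findings.append("boot code differs from known-good baseline")
    active = [p for p in info["partitions"] if p["status"] == 0x80]
    if len(active) > 1:
        findings.append("more than one partition flagged active")
    for p in info["partitions"]:
        if p["status"] not in (0x00, 0x80):
            findings.append("partition at LBA %d has nonstandard status byte 0x%02x"
                            % (p["lba_start"], p["status"]))
    return findings


def read_physical_mbr(path: str = r"\\.\PhysicalDrive0") -> bytes:
    """Read the first sector of a disk. Assumed path for the first disk on Windows;
    needs administrator rights (on Linux use e.g. /dev/sda as root)."""
    with open(path, "rb") as disk:
        return disk.read(MBR_SIZE)


# Constructed sample data: a stand-in clean boot sector and a tampered copy of it.
CLEAN_BOOT_CODE = b"\x33\xC0\x8E\xD0\xBC\x00\x7C" + b"\x90" * 100  # xor ax,ax / mov ss,ax / mov sp,7C00h, then NOPs
CLEAN_MBR = build_mbr(CLEAN_BOOT_CODE, [(0x80, 0x07, 63, 2_097_152)])  # one active NTFS partition
BASELINE = hashlib.sha256(CLEAN_MBR[:BOOT_CODE_LEN]).hexdigest()       # baseline taken from the clean image
# Tampered copy: identical partition table, but the first boot-code bytes now jump elsewhere.
TAMPERED_MBR = build_mbr(b"\xEB\xFE" + CLEAN_BOOT_CODE[2:], [(0x80, 0x07, 63, 2_097_152)])

if __name__ == "__main__":
    print("clean:   ", check_mbr(CLEAN_MBR, BASELINE))
    print("tampered:", check_mbr(TAMPERED_MBR, BASELINE))
```

The baseline hash only means something if it was taken from the machine while it was known to be clean, so record it when the system is built, not after the fact. A rootkit that lives in the MBR can also hook the disk read path and hand a clean copy of sector 0 to any program running on the infected system, so for a verdict you trust, read the sector from boot media rather than from the running OS.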

Simon

Many anti-virus programs also detect and remove rootkits now, although I've never had one to see the results of its removal.
Simon.
--
This post reflects my own views, opinions and experience, not those of IDNet.

john

Quote from: Simon on Jan 13, 2008, 21:02:13
Many anti-virus programs also detect and remove rootkits now, although I've never had one to see the results of its removal.

Hi Simon, according to the BBC article it appears that many antivirus programs do not detect/remove this particular one ('Mebroot').

from the article :

Quote: Analysis of Mebroot has shown that it uses its hidden position on the MBR as a beachhead so it can re-install these associated programs if they are deleted by anti-virus software.

Although the password-stealing programs that Mebroot installs can be found by security software, few commercial anti-virus packages currently detect its presence. Mebroot cannot be removed while a computer is running.

Simon

Hmm... thanks John.  Might run the tool.  :)
Simon.
--
This post reflects my own views, opinions and experience, not those of IDNet.

Sebby

I've run fixmbr several times and never had a problem, but I suspect it could potentially cause a major headache!

Rik

It's one of those "If it works, it's great, but if it doesn't, then start from scratch" utilities.
Rik
--------------------

This post reflects my own views, opinions and experience, not those of IDNet.