Some findings on Security Guard 2012


4 replies to this topic

#1 bruceDavid

Posted 06 October 2011 - 10:55 AM

Your initial solutions only take the top off the iceberg.
There is a rootkit file made of 10 random numbers-dot-10 more random numbers-dot-exe in the Windows folder.
There is a services file with random letters and numbers that points to this rootkit.
It screws up the headers of any file designed to remove the infection such that Windows no longer recognizes them as programs.
The virus has also modified the ipsec.sys file such that when I tried running GMER it crashed with a BSOD citing the ipsec.sys file as the cause.
I replaced both copies of the ipsec.sys file (dllcache & drivers folders) with known good copies and was able to get data from the GMER program.
Attached is the text file of this.
Would like some report on what this log file indicates. GMER mentioned data had been modified by the rootkit.
Thanks

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2011-10-06 08:25:42
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 TOSHIBA_MK1032GAX rev.AB221D
Running: gmer.exe; Driver: C:\DOCUME~1\Cheryl\LOCALS~1\Temp\pwlyapod.sys


---- System - GMER 1.0.15 ----

SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwCreateKey [0xF765B87E]
SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwSetValueKey [0xF765BBFE]
SSDT szkgfs.sys (STOPzilla Kernel Guard File System, x86-32 /iS3, Inc.) ZwTerminateProcess [0xF75F0496]

---- Kernel code sections - GMER 1.0.15 ----

? C:\WINDOWS\system32\drivers\mbam.sys The system cannot find the file specified. !

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs szkgfs.sys (STOPzilla Kernel Guard File System, x86-32 /iS3, Inc.)
AttachedDevice \FileSystem\Fastfat \Fat szkgfs.sys (STOPzilla Kernel Guard File System, x86-32 /iS3, Inc.)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Processes - GMER 1.0.15 ----

Library C:\Program (*** hidden *** ) @ C:\Program [912] 0x00400000

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Classes\CLSID\{7E66D726-8820-73A4-5321-9A2D699F06E5}\aLtf@ {@nTIed~Qah|y\BNXkBWeNHsydUBZ|y
Reg HKLM\SOFTWARE\Classes\CLSID\{7E66D726-8820-73A4-5321-9A2D699F06E5}\wzZnPtikUIdmt@ PxZeWeWaigquxfk{cDhCt?FWKmTXcE@

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\$NtUninstallKB54230$\4204200706 0 bytes
File C:\WINDOWS\$NtUninstallKB54230$\652675790 0 bytes
File C:\WINDOWS\$NtUninstallKB54230$\652675790\@ 2048 bytes
File C:\WINDOWS\$NtUninstallKB54230$\652675790\bckfg.tmp 823 bytes
File C:\WINDOWS\$NtUninstallKB54230$\652675790\cfg.ini 199 bytes
File C:\WINDOWS\$NtUninstallKB54230$\652675790\Desktop.ini 4608 bytes
File C:\WINDOWS\$NtUninstallKB54230$\652675790\keywords 0 bytes
File C:\WINDOWS\$NtUninstallKB54230$\652675790\kwrd.dll 208896 bytes
File C:\WINDOWS\$NtUninstallKB54230$\652675790\L 0 bytes
File C:\WINDOWS\$NtUninstallKB54230$\652675790\L\iahonoel 75264 bytes
File C:\WINDOWS\$NtUninstallKB54230$\652675790\lsflt7.ver 5176 bytes
File C:\WINDOWS\$NtUninstallKB54230$\652675790\U 0 bytes
File C:\WINDOWS\$NtUninstallKB54230$\652675790\U\00000001.@ 2048 bytes
File C:\WINDOWS\$NtUninstallKB54230$\652675790\U\00000002.@ 209920 bytes
File C:\WINDOWS\$NtUninstallKB54230$\652675790\U\80000000.@ 1024 bytes
File C:\WINDOWS\$NtUninstallKB54230$\652675790\U\80000032.@ 71168 bytes

---- EOF - GMER 1.0.15 ----

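The log above can be triaged mechanically. The Python below is an added example written for this page, not part of the post or of GMER; it parses GMER's section layout and flags the four indicator types the thread discusses: objects GMER marks `*** hidden ***`, files staged under a `$NtUninstall...$` folder with names that a genuine hotfix uninstall folder (the replaced binaries plus `spuninst`) has no reason to contain (`@`, `U`, `L`, eight-hex-digit `.@` files), CLSID registry data that is punctuation soup, and drivers the scanner could not find on disk. The sample log is an abridged copy of the one posted above; the name patterns, the `@`-separated registry line layout and the noise threshold are my own heuristics, and a hit is a lead to confirm by hand, not a verdict.

```python
"""Triage a GMER log for the indicator types visible in the thread above:
hidden objects, files staged under a $NtUninstall...$ directory, garbage
registry data under a CLSID, and drivers the log could not find on disk.
Heuristics only: a hit is a lead to check by hand, not a verdict."""
import re
from dataclasses import dataclass

# Constructed sample: an abridged copy of the GMER log posted in the thread.
SAMPLE_LOG = r"""---- System - GMER 1.0.15 ----

SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwCreateKey [0xF765B87E]

---- Kernel code sections - GMER 1.0.15 ----

? C:\WINDOWS\system32\drivers\mbam.sys The system cannot find the file specified. !

---- Processes - GMER 1.0.15 ----

Library C:\Program (*** hidden *** ) @ C:\Program [912] 0x00400000

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Classes\CLSID\{7E66D726-8820-73A4-5321-9A2D699F06E5}\aLtf@ {@nTIed~Qah|y\BNXkBWeNHsydUBZ|y
Reg HKLM\SOFTWARE\Classes\CLSID\{7E66D726-8820-73A4-5321-9A2D699F06E5}\wzZnPtikUIdmt@ PxZeWeWaigquxfk{cDhCt?FWKmTXcE@

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\$NtUninstallKB54230$\652675790 0 bytes
File C:\WINDOWS\$NtUninstallKB54230$\652675790\@ 2048 bytes
File C:\WINDOWS\$NtUninstallKB54230$\652675790\L\iahonoel 75264 bytes
File C:\WINDOWS\$NtUninstallKB54230$\652675790\U\80000032.@ 71168 bytes

---- EOF - GMER 1.0.15 ----
"""

SECTION_RE = re.compile(r"^---- (?P<name>.+?) - GMER ")
FILE_RE = re.compile(r"^File (?P<path>.+) (?P<size>\d+) bytes$")
# Assumed layout of a GMER registry hit: "Reg <key>@<value name> <data>";
# an empty value name means the key's default value.
REG_RE = re.compile(r"^Reg (?P<key>\S+?)@(?P<value>\S*) (?P<data>.*)$")
MISSING_RE = re.compile(r"^\? (?P<path>.+?) The system cannot find the file specified")
UNINST_RE = re.compile(r"\\(\$NtUninstall[^\\]+\$)\\(.+)$", re.IGNORECASE)
# Names seen throughout the posted log that a real hotfix uninstall folder
# has no reason to hold: a lone "@", eight-hex-digit ".@" files, bare U/L dirs.
STAGING_RE = re.compile(r"^(@|[0-9A-F]{8}\.@|[UL])$", re.IGNORECASE)
GUID_RE = re.compile(r"\{[0-9A-F-]{36}\}", re.IGNORECASE)
NOISE = set("{}|~?")   # punctuation that legitimate CLSID data rarely mixes


@dataclass(frozen=True)
class Finding:
    severity: str   # "high", "medium" or "info"
    kind: str
    detail: str


def parse_sections(text):
    """Split the log into {section name: [non-blank lines]}; EOF closes it."""
    sections, current = {}, None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            current = None if m.group("name") == "EOF" else m.group("name")
            if current is not None:
                sections.setdefault(current, [])
            continue
        if current is not None and line.strip():
            sections[current].append(line.rstrip())
    return sections


def looks_garbled(data):
    """Data that is not a GUID and carries two or more distinct noise
    characters is treated as machine-generated junk (heuristic)."""
    return len(NOISE & set(GUID_RE.sub("", data))) >= 2


def triage(text):
    findings = []
    sections = parse_sections(text)
    for name, lines in sections.items():
        for line in lines:
            if "*** hidden ***" in line:
                findings.append(Finding("high", "hidden-object", f"[{name}] {line}"))
    staged = {}
    for line in sections.get("Files", []):
        m = FILE_RE.match(line)
        u = UNINST_RE.search(m.group("path")) if m else None
        if u and any(STAGING_RE.match(p) for p in u.group(2).split("\\")):
            staged.setdefault(u.group(1), []).append(m.group("path"))
    for folder, paths in staged.items():
        findings.append(Finding("high", "staging-dir",
                                f"{folder}: {len(paths)} non-hotfix entries, e.g. {paths[0]}"))
    for line in sections.get("Registry", []):
        m = REG_RE.match(line)
        if m and "\\CLSID\\" in m.group("key").upper() and looks_garbled(m.group("data")):
            findings.append(Finding("medium", "registry-garbage", m.group("key")))
    for line in sections.get("Kernel code sections", []):
        m = MISSING_RE.match(line)
        if m:   # not a rootkit sign by itself; a scanner driver GMER expected is gone
            findings.append(Finding("info", "missing-driver", m.group("path")))
    order = {"high": 0, "medium": 1, "info": 2}
    return sorted(findings, key=lambda f: (order[f.severity], f.kind, f.detail))


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.severity:6} {f.kind:17} {f.detail}")
```

Against the sample it reports one hidden object, the `$NtUninstallKB54230$` folder, both CLSID values and the absent mbam.sys. Feed it a full log with `triage(open(path).read())`; anything it flags still has to be confirmed from an offline boot, since a live rootkit filters what the scanner sees.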



#2 Grinler (Lawrence Abrams, Admin)

Posted 06 October 2011 - 12:29 PM

Sounds like some affiliates are bundling the ZeroAccess rootkit with it. The sample I had was not. It is actually not affecting the header, but changing the file's permissions so you do not have access to it. It does this to any program that attempts to scan the registry or files that this rootkit protects.

My suggestion is if you have the ZA rootkit, that you follow the steps here:

http://www.bleepingcomputer.com/forums/topic34773.html

You can also try TDSSKiller and see if that helps:

http://www.bleepingcomputer.com/virus-removal/remove-tdss-tdl3-alureon-rootkit-using-tdsskiller

#3 bruceDavid (Topic Starter)

Posted 06 October 2011 - 05:10 PM

We had tried TDSSKiller and it was able to find the rootkit and services files the three times we ran it, but they were coming back after removal. Two programs questioned the IPSEC.SYS file, and the problems appeared to be solved once we replaced that file with a known good copy.
For general information, this infection came in as a spoofed Java update. Also, we found it was easier to deal with this problem by installing the hard drive as a 2nd drive in a different machine so the infected files weren't running. I might add this machine is a "junk" machine, so we didn't care if it got infected too.
Thanks for your suggestions.
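The approach in the post above, replacing ipsec.sys with a known good copy and scanning the drive while it is not the running system, generalizes to checking every driver on the mounted volume against hashes taken from a clean install of the same Windows build and service pack. The Python below is an added example, not code from the thread or from any tool named in it. It reads `WINDOWS\system32\drivers` and the `dllcache` copies from a volume mounted (ideally read-only) under another OS, hashes both, and classifies each driver as ok, modified, cache-mismatch, unverified or missing. The caveat the post illustrates is built in: the two copies agreeing proves nothing, since the poster had to replace both rather than restore from dllcache, so only a match against an out-of-band known good hash counts as ok. The file contents and hashes in the demo are constructed; a real list has to come from clean media. Run from the infected system while it is booted, the check is meaningless, because the rootkit can filter what the file system returns.

```python
"""Offline driver integrity check for a Windows volume mounted from another OS.
Added example for this thread; the sample contents and 'known good' hashes
below are constructed for the demo and are not real file hashes."""
import hashlib
import os
from dataclasses import dataclass

DRIVERS_DIR = os.path.join("WINDOWS", "system32", "drivers")
DLLCACHE_DIR = os.path.join("WINDOWS", "system32", "dllcache")


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass(frozen=True)
class DriverResult:
    name: str
    status: str        # ok | modified | cache-mismatch | unverified | missing
    live_hash: str     # "" when the driver is absent from system32\drivers
    cache_hash: str    # "" when absent from dllcache
    note: str = ""


def read_drivers(volume_root: str, subdir: str) -> dict:
    """Map lowercase *.sys file name -> bytes for one directory of the volume."""
    folder = os.path.join(volume_root, subdir)
    found = {}
    if os.path.isdir(folder):
        for name in os.listdir(folder):
            if name.lower().endswith(".sys"):
                with open(os.path.join(folder, name), "rb") as fh:
                    found[name.lower()] = fh.read()
    return found


def compare_drivers(drivers: dict, dllcache: dict, known_good: dict) -> dict:
    """Classify every driver seen in either directory.

    Only a match against known_good (hashes from clean media) yields 'ok'.
    Agreement between the live copy and the dllcache copy is reported as
    'unverified', never 'ok': a rootkit that patches one copy can patch both,
    which is why the poster replaced both rather than restoring from dllcache."""
    results = {}
    for name in sorted(set(drivers) | set(dllcache)):
        live, cache, good = drivers.get(name), dllcache.get(name), known_good.get(name)
        live_hash = sha256(live) if live is not None else ""
        cache_hash = sha256(cache) if cache is not None else ""
        note = ""
        if live is None:
            status, note = "missing", "present only in dllcache"
        elif good is not None:
            status = "ok" if live_hash == good else "modified"
            if cache is not None and cache_hash != good:
                note = "dllcache copy also differs from known-good"
        elif cache is not None and cache_hash != live_hash:
            status = "cache-mismatch"
        else:
            status = "unverified"
        results[name] = DriverResult(name, status, live_hash, cache_hash, note)
    return results


def check_volume(volume_root: str, known_good: dict) -> dict:
    """Run the comparison against a mounted (ideally read-only) volume."""
    return compare_drivers(read_drivers(volume_root, DRIVERS_DIR),
                           read_drivers(volume_root, DLLCACHE_DIR), known_good)


# Constructed demo data standing in for real file contents and real hashes.
CLEAN_IPSEC = b"MZ clean ipsec.sys (constructed)"
PATCHED_IPSEC = b"MZ ipsec.sys with rootkit patch (constructed)"
CLEAN_TCPIP = b"MZ tcpip.sys (constructed)"
KNOWN_GOOD = {"ipsec.sys": sha256(CLEAN_IPSEC), "tcpip.sys": sha256(CLEAN_TCPIP)}
DEMO_DRIVERS = {"ipsec.sys": PATCHED_IPSEC, "tcpip.sys": CLEAN_TCPIP, "vendor.sys": b"v1"}
DEMO_DLLCACHE = {"ipsec.sys": PATCHED_IPSEC, "vendor.sys": b"v2", "ndis.sys": b"MZ ndis"}

if __name__ == "__main__":
    for r in compare_drivers(DEMO_DRIVERS, DEMO_DLLCACHE, KNOWN_GOOD).values():
        print(f"{r.name:12} {r.status:15} {r.note}")
```

With the demo data, ipsec.sys comes back modified with a note that the dllcache copy is bad too (the situation in the post), tcpip.sys is ok, vendor.sys is cache-mismatch because there is no known good hash to decide which copy is right, and ndis.sys is missing from the live directory. On a real case call `check_volume("/mnt/infected", known_good)` with the volume mounted from the second machine or a boot CD.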

#4 Grinler (Lawrence Abrams, Admin)

Posted 06 October 2011 - 05:24 PM

An even easier method is to boot up with the Recovery Console. Saves the time of having to open the computer and move the drive.

#5 bruceDavid (Topic Starter)

Posted 08 October 2011 - 12:10 PM

Yes, but we have long cables that don't require removing the HDD. We normally would use Puppy Linux to add/remove/change files, but adding the drive to an external computer allows us to run the anti-spyware/virus programs on that computer to scan the infected drive.
Appreciate your advice, always.
:thumbsup: :thumbsup:



