TDL4 rootkit from hell


7 replies to this topic

#1 Nanuke

  • Members
  • 6 posts

Posted 02 January 2012 - 02:17 AM

Well, first off let me say that this rootkit is one of the worst I've seen, and I've been repairing computers for over 30 years.
Let's get to it. TDL4 makes a hidden partition on your computer and writes itself into your MBR, so you will get nowhere till you remove it from these two places.
I used the Acronis disk management boot disk, and found and deleted the rootkit partition. It had made my primary partition inactive and made itself the active partition, so remember to set your primary active. Then I booted from my Windows disk and opened the command console. Then run fixmbr to replace the infected one. Next, boot into safe mode and run your anti-virus software. I used Hitman Pro, then TDSSKiller, and finished off with ComboFix. No more rootkit, or that's what my anti-virus says.

Hope this helps. This was how I spent my New Year's. If you know who wrote this thing, please give him/her a slap for me. Thanks


#2 Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,252 posts
  • Gender:Female
  • Location:Romania

Posted 02 January 2012 - 05:34 AM

Hello, and thank you for sharing your solution!

A word of caution though: altering the partition table without understanding what you are doing may result in extensive damage to your computer and can lead to loss of all your data!
This rootkit variant does not alter the MBR code, so fixing the MBR is not necessary and will not have any effect either.

Finally, at BC we do NOT recommend the usage of ComboFix without supervision. This is an extremely powerful tool and may cause serious damage to your computer when used improperly.

If you are the victim of this rootkit and you are not sure how to remove it, best is to follow the Preparation Guide and start a topic containing the requested logs in the Malware Removal forum.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

Malware analyst @ Emsisoft


#3 narenxp

  • BC Advisor
  • 16,371 posts
  • Gender:Male
  • Location:India

Posted 02 January 2012 - 09:26 AM

It seems you were infected by MAXSS rootkits. Yes, they make their hidden partition active. FIXMBR will not work in this case.

#4 Nanuke
  • Topic Starter

  • Members
  • 6 posts

Posted 02 January 2012 - 09:57 AM

You're right. Don't use ComboFix unless you know what you're doing, and be very careful using Acronis or Paragon to work on the partition. The virus makes its own non-NTFS or FAT32 partition, and for that matter it's not a Linux partition either. I tried the Guide and didn't get anywhere, because even if I removed the rootkit, the partition was still there and set active. My primary was inactive... Windows was booting from the virus partition and using its own boot loader. If you don't boot from a clean CD you will never see this virus partition.

This virus is new, and not something to take lightly. I've been thinking about this type of attack, and this rootkit might be able to attack ANY OS. By making its own partition it could load on any platform. Think about it. If this thing makes its own loader, then Macs, smartphones, or anything with an OS could be targeted. Linux has always been a safe place because even if a file was infected, it couldn't spread, and the same is true for Macs (Macs use a very modified version of Linux), but if this virus loads before the OS, then it can do anything it wants. Like I don't know... delete something, or maybe everything... I just got a chill.

BC, you need to get an infected machine and look at the virus partition, because once you're in Windows, it's too late. No utility will see or remove this thing, and it will reinstall every time you boot. Please remember that this rootkit is not playing around, and is not like anything before it. I have not tried to reinstall Windows on an infected machine, but I wonder if it will see the virus partition and delete it, or will this thing survive a reformat and install... yea I know. 2012 is going to be a long year...
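One way to spot the layout described above from a clean boot environment is to read the first sector of the disk and check which partition entry carries the active flag and what type ID it has. This is an added example, not code from the thread or from any of the tools named in it; the MBR bytes are constructed, and the partition type 0xF1 is a made-up placeholder, not the rootkit's real type ID.

```python
import struct

MBR_SIZE = 512
TABLE_OFFSET = 446  # four 16-byte partition entries follow the boot code
SIGNATURE = b"\x55\xAA"
# Partition type IDs a Windows or Linux box would normally boot from
KNOWN_TYPES = {0x07: "NTFS", 0x0B: "FAT32", 0x0C: "FAT32 LBA", 0x83: "Linux"}


def parse_mbr(mbr: bytes) -> list:
    """Return one dict per non-empty entry of the MBR partition table."""
    if len(mbr) != MBR_SIZE or mbr[510:512] != SIGNATURE:
        raise ValueError("not a valid MBR sector")
    parts = []
    for i in range(4):
        # entry: boot flag, CHS start (3 bytes), type, CHS end (3 bytes), LBA start, sector count
        boot, ptype, start, count = struct.unpack_from("<B3xB3xII", mbr, TABLE_OFFSET + 16 * i)
        if ptype != 0:
            parts.append({"index": i, "active": boot == 0x80, "type": ptype,
                          "start": start, "sectors": count})
    return parts


def findings(parts: list) -> list:
    """Flag the layout described in the thread: an active entry whose type is not a
    known OS filesystem, while the real OS partition has been left inactive."""
    out = []
    for p in parts:
        if p["active"] and p["type"] not in KNOWN_TYPES:
            out.append(f"entry {p['index']}: active partition of unknown type 0x{p['type']:02X}, "
                       f"{p['sectors'] * 512 // 1024} KiB")
    known = [p for p in parts if p["type"] in KNOWN_TYPES]
    if known and not any(p["active"] for p in known):
        out.append("no known OS partition is active; the BIOS would hand control to the unknown one")
    return out


def entry(active: bool, ptype: int, start: int, count: int) -> bytes:
    """Build one 16-byte partition table entry (CHS fields left zero)."""
    return struct.pack("<B3xB3xII", 0x80 if active else 0x00, ptype, start, count)


# Constructed sample sector: NTFS partition left inactive, a 1 MiB entry of a
# made-up type 0xF1 marked active. Values are illustrative, not from a real disk.
SAMPLE_MBR = (b"\x00" * TABLE_OFFSET
              + entry(False, 0x07, 2048, 40_000_000)
              + entry(True, 0xF1, 40_002_048, 2048)  # 2048 sectors * 512 B = 1 MiB
              + b"\x00" * 32
              + SIGNATURE)
```

On a live system the same check runs against the first 512 bytes read from the raw disk device while booted from known-good media, since the thread notes the partition is not visible from inside the infected Windows.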

#5 Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,252 posts
  • Gender:Female
  • Location:Romania

Posted 02 January 2012 - 10:03 AM

To use correct terms, this is a rootkit, not a virus (it is the latest TDL4-like rootkit belonging to the TDSS family of rootkits).
I do not think this rootkit can run on any non-Windows platform (it is not compatible with other boot loaders like GRUB/GRUB2). The easiest way to fix it is using a Linux live CD (personally I find Parted or a manual MBR replacement the simplest solution). I don't know yet of any tool under Windows that can remove this rootkit, but I suspect it won't be too long before tools like TDSSKiller get updated.

regards, Elise



#6 Nanuke
  • Topic Starter

  • Members
  • 6 posts

Posted 02 January 2012 - 10:21 AM

Just because they haven't written a version for other OSes doesn't mean they aren't thinking about it. I think this is the first shot in a data war, and you are right, this is a rootkit, but I think it's new... let's give it a name... TCL5... or how 'bout Jelly Fist... sorry... between New Year's and this thing... not much sleep... getting a bit punchy.

#7 Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,252 posts
  • Gender:Female
  • Location:Romania

Posted 02 January 2012 - 11:21 AM

It still does the same thing as most previous TDL variants; the difference is that, upon boot, the MBR is patched in memory only and not on disk. More information about the different TDSS variants can be found here.

regards, Elise



#8 firstcompsvc

  • Members
  • 11 posts

Posted 11 February 2012 - 04:47 PM

Trying to remove a TDL4. Did a repair install of XP Pro SP2; it still shows an unknown partition02, active, 1MB. Wanted to delete it in Computer Management, read more on it, and someone recommended GParted, so I downloaded that and made a boot CD. I have an OTL.exe boot CD and wanted to use that to make my primary C drive active and delete the 1MB MBR partition. Guess I will have to follow the instructions on spyhammer.com to remove it, as so far that is the only place I found that is very careful with the partition procedure. Don't want to rush into deleting active MBR partitions; need to know more about this TDL4 rootkit. Please post exact removal instructions for this rootkit, unless you already have; I didn't find it yet. How do people get this?
