English

zondag 27 juni 2010

Whistler Bootkit (English)

Update: Combofix removes this infection.
Use Combofix only in collaboration with a Qualified Helper.


Please bare in mind that following instructions is for Qualified Helpers.
If You are not, take counseling at one of the Hijackthis fora.


Don't try this fix if Your system has a factory MBR or Multiboot.

Not long ago I came across the Whistler Bootkit in a Hijackthis log.

This very aggresieve malware takes over the PC.
Gmer, The Avenger 2, Combofix,.. didn't give any solution.
Nor did a System Recovery !

Next symptoms are visible:

Kaspersky :

HEUR: Trojan.Win32.Generic in de C:\System Volume Information folder

Dr Web :

smss.exe C:\System Volume Information\Whistler Win32.HLLC.Asdas.8 No recovery.Replaced

svchost.exe C:\System Volume Information\Whistler Win32.HLLC.Asdas.8 No recovery.Replaced


In Hijackthis, one can notice the following:

Running processes:

C:\System Volume Information\Whistler\svchost.exe
C:\System Volume Information\Whistler\smss.exe

or after a system recovery :

C:\System Volume Information\_restore{d5fffa500b1b}\svchost.exe
C:\System Volume Information\_restore{d5fffa500b1b}\smss.exe


Combofix shows us :

------------------------ Other active processes------------------------
c:\system volume information\_restore{d5fffa500b1b}\svchost.exe
c:\system volume information\_restore{d5fffa500b1b}\smss.exe

(or C:\System Volume Information\Whistler\svchost.exe
C:\System Volume Information\Whistler\smss.exe )



The Startup list of Hijackthis shows the following (if systemrecovery was used)

Windows NT 'Wininit.ini' :

PendingFileRenameOperations: C:\System Volume Information\_restore{d5fffa500b1b}\svchost.exeC:\System Volume Information\_restore{d5fffa500b1b}\smss.exeC:\System Volume Information\_restore{d5fffa500b1b}\SMSS.EXEC:\System Volume Information\_restore{d5fffa500b1b}\SVCHOST.EXE




The PendingFileRenameOperations value under [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager] wasn't present.

Combofix en The Avenger deletes the two files, but after a reboot they immediately came back..


Identification:

Intensive search on Google learns me that I have to deal with a Whistler Bootkit.


The solution:

Because this one hides himself in the bootsector , speed and accuracy is of the most importance.

Step 1

Downloadt bootkit_remover.rar (INFO)
Unzip the file.
Open the directory map bootkitremover en double click on remover.exe.
Post whats appears on the screen. (copy & paste)

Step 2

A infected bootsector looks like this:

Bootkit Remover version 1.0.0.1
(c) 2009 eSage Lab
http://www.esagelab.com/
\\.\C: ->
\\.\PhysicalDrive0
MD5: 274955059efe9236c07688c5ff9242b2
Size Device
Name MBR Status
--------------------------------------------
74 GB
\\.\PhysicalDrive0 Unknown boot code

Unknown boot code has been found on
some of your physical disks.
To inspect the boot code manually, dump the
master boot sector:remover.exe dump [output_file]
To disinfect
the master boot sector, use the following command:remover.exe fix



This line gets my immediately attention : \\.\PhysicalDrive0


Before moving on with the repair, doublecheck this with MBRcheck:

Download MBRCheck.exe towards your desktop.
Dblclick MBRCheck.exe.


If You get a message rapport, typ N and Enter.
Enter again.

On your desktop You will find MBRCheck_mm.dd.yy_hh.mm.ss .

If it look something like this :



\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)

PhysicalDrive0 Model Number: MAXTORSTM380815AS, Rev: 3.AAD

Size Device Name MBR Status
--------------------------------------------
74 GB \\.\PhysicalDrive0 Windows XP MBR code detected
SHA1: F238F1FE114296B6DC7716517DC1DADB3FF3D5C6


Done!


Then we are done !

Else, follow the next instructions.


We remove this by writing a batch with a switch for remover.exe :




@ECHO OFF
START remover.exe fix \\.\PhysicalDrive0
EXIT

By executing this batch, the PC has to reboot immediately.
Its is very important that the TS does this because of the possibility of reinfection.

One can also implement the DOS command SHUTDOWN -r into the batch:

@ECHO OFF
START remover.exe fix \\.\PhysicalDrive0
SHUTDOWN -r
EXIT

After a reboot, ask the TS to run remover.exe again and let him post the remover.exe log.


If everything was going ok, the log must look like this:

Bootkit Remover version 1.0.0.1
(c) 2009 eSage Lab
http://www.esagelab.com

\\.\C: -> \\.\PhysicalDrive0
MD5: 6def5ffcbcdbdb4082f1015625e597bd

Size Device Name MBR Status
--------------------------------------------
74 GB \\.\PhysicalDrive0 OK (DOS/Win32 Boot code found)


Double check it with Gmer and Hijackthis.

Its recommended to let the TS change his passwords.

Emphyrio :)

Thanks to Marckie for support me with this difficult infection .

Geen opmerkingen:

Een reactie plaatsen

Opmerking: alleen leden van deze blog kunnen een reactie plaatsen.