Another Virut today, conflicker?

JRDtechnet

So I had another Virut today, the same exact one as in my previous post.

As soon as I opened up Autoruns and saw "s_reader.exe" and "ntos.exe" and then a ton of tmp files I knew what it was, didn't even bother running any scans. Nuke and Paved.

The most interesting thing here is the creation dates of the files.

On both jobs the creation date of the virus files was EXACTLY the same, down to the minute: Friday, April 24, 2009, 8:37am. Both machines were unpatched (Windows 2000 SP4, Windows XP SP2). I wonder if this was the result of conflicker?
 
Some of the tmp files would say "worm"... when the scare came out there were reports that people had files called "worm". It might be a 50/50 chance of being conflicker.
 
I haven't run across it yet. Is it that bad where a N&P is needed?

In most cases, yes. From my own experience, once you "cure" the infected files (It mostly latches onto almost all EXEs on the system.) some files won't work properly or will still be infected. By the time you run all the scans, then repair the issue left behind by the files, you may as well just have formatted in the first place. That being said, I'm currently in the process of removing Virut from a machine that came in yesterday, and having good success.
 
I did one yesterday that had ntos.exe on it, once you pull out the rootkit DLLs it's pretty straightforward to clean off. Took around 3/4 of an hour. This one had pulled down rogue security software called XPPolice Antivirus and Malwarewiped 6.9 - these are the symptoms that the computer has been compromised, they will not be the cause. The cause was the rootkit agent TDSS.

Trying to remove rootkit-originated attacks with scanner software will only deal with the symptoms, they never hit the cause. You have to use low-level tools such as AntiHookExec, GMER and Process Explorer. Follow up with ComboFix and MBAM to restore registry settings and fish out any trojan remnants and job's-a-good-un. I also like to try to identify the originating cause of the infection so that I can advise the customer on how best to protect themselves in the future. In this instance it was my old friend Limewire that kicked the whole thing off.
 
Trying to remove rootkit-originated attacks with scanner software will only deal with the symptoms, they never hit the cause. You have to use low-level tools such as AntiHookExec, GMER and Process Explorer. Follow up with ComboFix and MBAM to restore registry settings and fish out any trojan remnants and job's-a-good-un. I also like to try to identify the originating cause of the infection so that I can advise the customer on how best to protect themselves in the future. In this instance it was my old friend Limewire that kicked the whole thing off.


Do you know of a guide where I can learn how to use antihookexec (new to me), GMER, and Process explorer for removing these types of infections?
 
In the security information I read and listen to, I have heard this worm called only Conficker (without the "L") and DownAdUp ("Ad" instead of "And"). Seems that searching on the misspellings is more likely to get less authoritative information. ... just a thought.

I have not needed to remove Conficker yet, but I would likely go to the list on the Heise Security website and use the list of tools there:
http://www.h-online.com/security/The-H-Security-Conficker-information-site--/features/113002.



-- Patrick B.
 
Do you know of a guide where I can learn how to use antihookexec (new to me), GMER, and Process explorer for removing these types of infections?
AntiHookExec is a command line tool so you just need to run it in front of the application executable, for example:

AntiHookExec C:\HJT\HijackThis.exe

There are plenty of resources on the net for GMER but your best bet is to start with the GMER website itself.

Process explorer is part of the Sysinternals suite of utilities that was originally developed by Mark Russinovich to address some of the shortcomings in Windows XP support from a lower level support perspective. A couple of years back the company was acquired by Microsoft so you're better off starting with the Sysinternals Microsoft Technet site. You should familiarise yourself with all of the Sysinternals tools, for the most part they are an essential part of any techy's toolkit. It was Russinovich who publicly brought to light the Sony rootkit debacle of 2006.

Bear in mind that tools such as AntiHookExec can also be used by the virus writers to disable and render ineffective anti-virus software and scanning tools, which is why you should treat any "system is clean" type messages from these with some caution.

For a good background on rootkit technology and how it's used to compromise systems, I strongly recommend you read up on the core subject before you try and tackle them in the wild. I found the two books below to be good reading on the subject:

Rootkits: Subverting the Windows Kernel. Hoglund & Butler, Addison-Wesley Professional, 2005

Rootkits for Dummies. Stevenson & Altholz, For Dummies, 2007
 
It's a rootkit; you need to remove the rootkit to clean it properly. That said, you need a good rootkit scanner. I have tried many; UnHackMe seems good, but they are getting sneaky.
Now they are putting rootkits in the BIOS, this is getting crazy.

The best rootkit scanner I have seen to date is DarkSpy; it sure finds a lot compared to others. I have had a few machines from customers with rootkits in the BIOS (they can now actually run in the BIOS). I had to re-flash to get rid of it; I have yet to see a scanner that scans the BIOS.

What is new is ACPI rootkits; they're VERY HARD to find and remove.
http://www.wilderssecurity.com/showthread.php?t=138839

quoted from a hacking board:
"You are all wondering why your antivirus didn't detect the keylogger and why it can't find anything in your computer. You are infected with a fully undetectable trojan that also installs itself to your motherboard. So if you format your computer, it won't help. It also reinstalls itself from the motherboard to the harddrive on each boot."

 
You guys really didn't hear about Conficker...? It was a massive scare for April 1st... Blocks all antivirus/security websites. As far as the TDSS rootkit DLLs, those aren't directly related to the Virut infection... I've been dealing with those rootkits and their variant UAC (on an XP machine) for a while now. The Virut, however, is a vicious infection that can only be healed with targeted scanners... your normal AV will just wipe out the file. Virut will attach to any EXE that is manipulated... so you plug in a flash drive and run a file... it's infected. Run the file from a CD, the file's infected in the RAM... the only way to really clean it is externally. Any app you use to clean Virut locally is, inevitably, infected.

I read somewhere (don't remember source) that you know you have Virut if your EXE files have grown by about 9kb (maybe MB?).
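The "EXEs have grown" heuristic above can be checked against a baseline rather than guessed at. The following is an added example, not code from anyone in the thread: a Python script that records the size and SHA-256 of every .exe under a directory, compares a later snapshot against it, and reports which files changed and whether many grew by the same number of bytes (the signature of a file infector appending itself to its hosts). The 9000-byte payload written in demo() is constructed only to exercise the detector; it is not a measured infection size.

```python
import hashlib
import tempfile
from collections import Counter
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream the file through SHA-256 so large EXEs need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: Path) -> dict:
    """Record size and hash of every .exe below root; persist this as the clean baseline."""
    return {str(p.relative_to(root)): {"size": p.stat().st_size, "sha256": sha256_of(p)}
            for p in root.rglob("*.exe") if p.is_file()}


def compare(baseline: dict, current: dict) -> list:
    """List EXEs whose content changed since the baseline, with the size delta in bytes.
    A file infector shows up as many files modified at once, all grown by about the same amount."""
    findings = []
    for name, cur in current.items():
        base = baseline.get(name)
        if base is None:
            findings.append({"file": name, "status": "new", "delta": cur["size"]})
        elif cur["sha256"] != base["sha256"]:
            findings.append({"file": name, "status": "modified", "delta": cur["size"] - base["size"]})
    return findings


def common_growth(findings: list) -> tuple:
    """Most frequent size delta among modified files and how many files share it."""
    deltas = Counter(f["delta"] for f in findings if f["status"] == "modified")
    return deltas.most_common(1)[0] if deltas else (0, 0)


def demo() -> tuple:
    """Constructed scenario: baseline three EXEs, then append 9000 bytes to two of them."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for name in ("a.exe", "b.exe", "c.exe"):
            (root / name).write_bytes(b"MZ" + name.encode() * 100)  # fake host files
        baseline = snapshot(root)
        for name in ("a.exe", "b.exe"):  # simulate appended data (constructed, not malware)
            with (root / name).open("ab") as f:
                f.write(b"\x90" * 9000)
        findings = compare(baseline, snapshot(root))
    return common_growth(findings), sorted(f["file"] for f in findings)
```

Run snapshot() on a known-clean system and keep the JSON somewhere offline; a later compare() from clean boot media avoids the problem the post raises of the cleaning tool itself being infected.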
 