New Alureon BIOS Rootkit Unremovable

Eek, I have 6 more with the same thing. At least this time I know what to do to get rid of it. It seems to be hiding a new version of the Zeus bot. This stuff seems to be spreading like wildfire.
 
I am a bit worried that you have so many with this rootkit when other people haven't seen it. Either it's a local infection in your town spread by USB sticks, or we are all doing something wrong.
 
Galdorf gets every undetectable, unremovable, bleeding-edge infection possible but then detects and removes them. :p

I'm struggling to find confirmed reports of BIOS rootkit infections in the wild, yet you have 6 of them already.

What the heck is happening in your town? Do you live in Smallville or something?
 
I had a version of Alureon in the shop a few weeks back, and it's a nasty enough bug to merit a nuke/pave in my opinion if the backup isn't huge. (It had miffed up almost all of the drivers, so I probably had over an hour's work AFTER removing the bug just to try and fix the damage done to the OS.)

But mine wasn't a BIOS rootkit of any kind. The nuke/pave was completely clean.
 
I am seeing a lot of Alureon/TDSS variants lately. Seems like every machine I've cleaned lately has had it. Most have been MBR types, but I still haven't run across a BIOS one yet.

Good to keep it in mind though, and I'll watch for the signs. If it can be done, I believe the malware writers will do it.

-Rance
 
Eek, I have 6 more with the same thing. At least this time I know what to do to get rid of it. It seems to be hiding a new version of the Zeus bot. This stuff seems to be spreading like wildfire.

This does seem to be very localised; have you investigated a possible common cause?
 
Well, a BIOS hack would have to be programmed for one particular type of BIOS. So I could see a BIOS virus maybe for a very widely used BIOS; I've heard of P4 Dell BIOSes being the main victim of these.

Aside from the MBR, major driver issues and a lot of registry cleaning, I didn't see Alureon as a problem, and the machine I cleaned it from was a P4 Dell.
 
Which version of Hiren's is the killcmos program on? I have a few, but don't remember seeing it. Haven't downloaded 11 yet.
 
I just had one of these in my shop and it was a PITA to remove.

I don't believe it infects at a BIOS level by itself. From what I've been told, if you attempt a BIOS flash while the infected drive is still in, it can infect the BIOS. What I did to remove it was remove the drive, slave it in another PC for recovery and DBAN, flash the BIOS while the drive was removed (just in case), then once done, put the freshly DBAN'd disk back in and reinstall...
 
I just cleaned the worst (for me, anyway) TDSS4 infection. Kaspersky TDSSKiller nailed it every time; I scanned with Kaspersky and BitDefender live CDs, MSE, MBAM, and did a manual look. Everything was coming up clean. But just touch Windows Update (which would fail) in the browser and bam, the MBR is reinfected. TDSSKiller again, everything is clean, and clean after multiple reboots. I go in and reset IE 8, check for BHOs and other crap. It is clean. Nothing out of the ordinary. Hit WU again, bam, MBR virus. So finally I re-ran TDSSKiller, then performed an in-place upgrade (XP machine), hit WU, WU works again, and it is staying clean. Whatever was reinfecting it must have got whacked by the repair reload.
 
I believe you, Galdorf. Where did you get the 6 from? Are the BIOSes all identical in each machine? I am curious to know if someone has edited code this much...
*snap* They could be downloading it from the web FOR THE TYPE OF BIOS the system has, or had that not occurred to anyone? There could also be mirrored sectors, so that way out at the end of the drive somewhere there could be hidden sectors filled with BIOS infectors for many types of BIOS.
I used to use this little freebie disk editor program from Microsoft because it could edit drives directly, even protected ones, without any errors and write to them... If you can find it. It's sometimes handy. ;)
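Both the repeated MBR reinfection described a couple of posts up and the hidden-sectors-at-the-end-of-the-drive idea in this post can be checked offline from a raw disk image. The script below is an added example, not code posted in this thread or shipped with any of the tools mentioned. It assumes an MBR-partitioned disk with 512-byte sectors and a known-good SHA-256 of the first 440 bytes of the bootstrap code (taken from a clean install of the same Windows version; bytes 440-445 hold the per-disk signature and are skipped). It compares the bootstrap code against that baseline and counts non-zero sectors in the unpartitioned space after the last partition, where TDSS/TDL4-style bootkits keep their hidden file system. The 4096-sector disk image, boot code and "hidden file system" blob are constructed inline as sample input.

```python
import hashlib
import struct

SECTOR = 512
BOOT_CODE_LEN = 440           # bootstrap code only; bytes 440-445 are the disk signature
PART_TABLE_OFF = 446
MBR_SIGNATURE = b"\x55\xAA"


def parse_mbr(sector0):
    """Split the first sector into (bootstrap code, list of used partition entries)."""
    if len(sector0) < SECTOR or sector0[510:512] != MBR_SIGNATURE:
        raise ValueError("not a valid MBR sector")
    parts = []
    for i in range(4):
        off = PART_TABLE_OFF + i * 16
        status, ptype = sector0[off], sector0[off + 4]
        lba_start, sectors = struct.unpack_from("<II", sector0, off + 8)
        if ptype != 0 and sectors != 0:
            parts.append({"status": status, "type": ptype,
                          "lba_start": lba_start, "sectors": sectors})
    return sector0[:BOOT_CODE_LEN], parts


def boot_code_hash(sector0):
    """SHA-256 of the bootstrap code alone, so one baseline fits every disk
    carrying the same OS MBR regardless of its disk signature."""
    return hashlib.sha256(parse_mbr(sector0)[0]).hexdigest()


def nonzero_tail_sectors(image):
    """Count sectors after the last partition that contain any non-zero byte.
    A clean disk usually has some slack here, but it is normally all zeros."""
    total = len(image) // SECTOR
    _, parts = parse_mbr(image[:SECTOR])
    end = max((p["lba_start"] + p["sectors"] for p in parts), default=0)
    return sum(1 for lba in range(end, total)
               if any(image[lba * SECTOR:(lba + 1) * SECTOR]))


def check_disk(image, known_good_hash):
    """Return a list of findings; an empty list means nothing suspicious."""
    findings = []
    if boot_code_hash(image[:SECTOR]) != known_good_hash:
        findings.append("MBR bootstrap code differs from the known-good copy")
    n = nonzero_tail_sectors(image)
    if n:
        findings.append(f"{n} non-zero sector(s) in unpartitioned space after the last partition")
    return findings


# ---- constructed sample data (assumed layout, not real disk contents) ----
def build_image(boot_code, partitions, total_sectors, payload=b"", payload_lba=0):
    """Assemble a tiny disk image: boot code, partition table, optional blob in the tail."""
    image = bytearray(total_sectors * SECTOR)
    image[:len(boot_code)] = boot_code
    for i, (status, ptype, start, count) in enumerate(partitions):
        off = PART_TABLE_OFF + i * 16
        image[off] = status
        image[off + 4] = ptype
        struct.pack_into("<II", image, off + 8, start, count)
    image[510:512] = MBR_SIGNATURE
    if payload:
        image[payload_lba * SECTOR:payload_lba * SECTOR + len(payload)] = payload
    return bytes(image)


TOTAL = 4096                                    # 2 MiB toy disk
PARTS = [(0x80, 0x07, 63, 3000)]                # one bootable NTFS partition, LBA 63..3062
CLEAN_BOOT = b"\x33\xC0\x8E\xD0\xBC\x00\x7C" + b"\x90" * 40   # placeholder boot code
INFECTED_BOOT = b"\xEB\x3C" + CLEAN_BOOT[2:]    # bootkit-style patch: first instruction becomes a jump
HIDDEN_FS = bytes(range(256)) * 32              # 8 KiB = 16 sectors of non-zero data

CLEAN_IMAGE = build_image(CLEAN_BOOT, PARTS, TOTAL)
INFECTED_IMAGE = build_image(INFECTED_BOOT, PARTS, TOTAL,
                             payload=HIDDEN_FS, payload_lba=TOTAL - 32)
KNOWN_GOOD_HASH = boot_code_hash(CLEAN_IMAGE[:SECTOR])   # baseline taken from the clean image

if __name__ == "__main__":
    for name, img in (("clean", CLEAN_IMAGE), ("infected", INFECTED_IMAGE)):
        print(name, check_disk(img, KNOWN_GOOD_HASH) or "OK")
```

On a real machine, read sector 0 and the tail beyond the last partition from a clean boot environment (a live CD, or the drive slaved into another PC as described above), not from the running OS: an active TDSS/TDL4 driver hooks disk I/O and returns the original MBR to anything that reads it from inside the infected system, which is why scanners can report clean right up until the next reboot.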
 
I too believe Galdorf, his diagnostic technique is sound, I don't see any reason not to trust his assessment...

PcTek has already asked the same questions I would ask.
 