Avast Rootkit Threat MBR Alureon-K
Waddler, not sure whether to start screaming "Yaaay - Gotcha!!!" yet, but the scan detected one threat which I think it then neutralised:
12:56:31.0656 3516 ============================================================
12:56:31.0656 3516 Scan finished
12:56:31.0656 3516 ============================================================
12:56:31.0703 1832 Detected object count: 1
12:56:31.0703 1832 Actual detected object count: 1
12:56:50.0593 1832 \Device\Harddisk0\DR0\TDLFS\mbr - copied to quarantine
12:56:50.0593 1832 \Device\Harddisk0\DR0\TDLFS\vbr - copied to quarantine
12:56:50.0593 1832 \Device\Harddisk0\DR0\TDLFS\bid - copied to quarantine
12:56:50.0609 1832 \Device\Harddisk0\DR0\TDLFS\affid - copied to quarantine
12:56:50.0609 1832 \Device\Harddisk0\DR0\TDLFS\boot - copied to quarantine
12:56:50.0625 1832 \Device\Harddisk0\DR0\TDLFS\cmd32 - copied to quarantine
12:57:03.0187 1832 \Device\Harddisk0\DR0\TDLFS\cmd64 - copied to quarantine
12:57:03.0343 1832 \Device\Harddisk0\DR0\TDLFS\dbg32 - copied to quarantine
12:57:03.0531 1832 \Device\Harddisk0\DR0\TDLFS\dbg64 - copied to quarantine
12:57:03.0734 1832 \Device\Harddisk0\DR0\TDLFS\drv32 - copied to quarantine
12:57:04.0000 1832 \Device\Harddisk0\DR0\TDLFS\drv64 - copied to quarantine
12:57:04.0203 1832 \Device\Harddisk0\DR0\TDLFS\ldr32 - copied to quarantine
12:57:04.0375 1832 \Device\Harddisk0\DR0\TDLFS\ldr64 - copied to quarantine
12:57:04.0500 1832 \Device\Harddisk0\DR0\TDLFS\main - copied to quarantine
12:57:04.0515 1832 \Device\Harddisk0\DR0\TDLFS\subid - copied to quarantine
12:57:04.0515 1832 \Device\Harddisk0\DR0\TDLFS - deleted
12:57:04.0515 1832 \Device\Harddisk0\DR0 ( TDSS File System ) - User select action: Delete
What TDSSKiller detected was the malware's hidden partition. We had already neutralised that previously with aswMBR to stop it booting from it.
We'll just quickly cross check that with aswMBR but it all looks good.
Run aswMBR again, but this time where it says AV scan choose (none) from the drop down menu. It should only take a very short while to complete.
Post the new log.
Gets even more exciting.
This is the new log
aswMBR version 0.9.9.1707 Copyright(c) 2011 AVAST Software
Run date: 2013-01-27 13:10:59
13:10:59.062 OS Version: Windows 5.1.2600 Service Pack 3
13:10:59.062 Number of processors: 1 586 0x207
13:10:59.062 ComputerName: ANGELA UserName: Angie
13:11:00.406 Initialize success
13:11:02.500 AVAST engine defs: 13012700
13:11:29.765 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
13:11:29.765 Disk 0 Vendor: ST360015A 3.33 Size: 57241MB BusType: 3
13:11:29.796 Disk 0 MBR read successfully
13:11:29.796 Disk 0 MBR scan
13:11:29.812 Disk 0 Windows XP default MBR code
13:11:29.812 Disk 0 Partition 1 00 DE Dell Utility Dell 4.1 31 MB offset 63
13:11:29.812 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 57208 MB offset 64260
13:11:29.843 Disk 0 Partition 3 00 17 Hidd HPFS/NTFS NTFS 2 MB offset 117226305
13:11:29.843 Disk 0 Partition 3 **INFECTED** MBR:Alureon-K [Rtk]
13:11:29.843 Disk 0 MBR [SST] **ROOTKIT**
13:11:29.843 Disk 0 trace - called modules:
13:11:29.875 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
13:11:29.890 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8737fab8]
13:11:29.890 3 CLASSPNP.SYS[f76e3fd7] -> nt!IofCallDriver -> \Device\00000068[0x8735df18]
13:11:29.890 5 ACPI.sys[f762c620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x8734ad98]
13:11:29.906 Scan finished successfully
13:12:11.031 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Angie\Desktop\MBR.dat"
13:12:11.062 The log file has been saved successfully to "C:\Documents and Settings\Angie\Desktop\aswMBR.txt"
13:13:10.203 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Angie\Desktop\MBR.dat"
13:13:10.203 The log file has been saved successfully to "C:\Documents and Settings\Angie\Desktop\aswMBR.txt"
Is partition 3 still infected?
As you can see from the first aswMBR log, the computer was booting from the malware's partition (signified by the 80 (A)) - that loaded the malware.
08:06:48.343 Disk 0 Partition 1 00 DE Dell Utility Dell 4.1 31 MB offset 63
08:06:48.359 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 57208 MB offset 64260
08:06:48.375 Disk 0 Partition 3 80 (A) 17 Hidd HPFS/NTFS NTFS 2 MB offset 117226305
08:06:48.375 Disk 0 Partition 3 **INFECTED** MBR:Alureon-K [Rtk]
08:06:48.390 Disk 0 MBR [SST] **ROOTKIT**
We neutralised that so it booted from the correct partition, thus the malware will no longer load:
11:05:30.750 Disk 0 Partition 1 00 DE Dell Utility Dell 4.1 31 MB offset 63
11:05:30.781 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 57208 MB offset 64260
11:05:30.812 Disk 0 Partition 3 00 17 Hidd HPFS/NTFS NTFS 2 MB offset 117226305
11:05:30.859 Disk 0 Partition 3 **INFECTED** MBR:Alureon-K [Rtk]
11:05:30.875 Disk 0 MBR [SST] **ROOTKIT**
Did you reboot after running TDSSkiller?
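The "80 (A)" the helper points to is the status byte of a partition-table entry in the MBR: 0x80 marks the partition the BIOS boot code will hand control to. Alureon-K moved that flag from the Windows volume to a tiny hidden partition (type 0x17), so the machine booted the rootkit's loader before Windows. The following is an added example, not code from the thread, Avast or Kaspersky: it parses a raw 512-byte MBR, decodes the four partition entries and flags the anomaly aswMBR reported (active flag on a hidden 2 MB partition instead of the NTFS system volume). The two layouts are constructed to approximate the partition offsets and sizes printed in the logs; the exact sector counts are assumptions.

```python
import struct
from dataclasses import dataclass
from typing import List, Sequence, Tuple

SECTOR_BYTES = 512
MBR_SIGNATURE = b"\x55\xaa"
ACTIVE_FLAG = 0x80          # the "80 (A)" status byte in the aswMBR logs
TYPE_NTFS = 0x07            # HPFS/NTFS
TYPE_HIDDEN_NTFS = 0x17     # hidden HPFS/NTFS, the type of the 2 MB partition
TYPE_DELL_UTILITY = 0xDE

# Each entry: (status, type id, first LBA sector, sector count).
# Constructed to approximate the thread's logs; sector counts are assumptions
# derived from the printed offsets and MB sizes.
INFECTED_LAYOUT: Sequence[Tuple[int, int, int, int]] = (
    (0x00, TYPE_DELL_UTILITY, 63, 64197),              # "Dell Utility ... 31 MB offset 63"
    (0x00, TYPE_NTFS, 64260, 117162045),               # Windows volume, NOT marked active
    (ACTIVE_FLAG, TYPE_HIDDEN_NTFS, 117226305, 3263),  # tiny hidden partition marked active
)
CLEAN_LAYOUT: Sequence[Tuple[int, int, int, int]] = (
    (0x00, TYPE_DELL_UTILITY, 63, 64197),
    (ACTIVE_FLAG, TYPE_NTFS, 64260, 117162045),        # active flag back on the Windows volume
    (0x00, TYPE_HIDDEN_NTFS, 117226305, 3263),
)


@dataclass
class Partition:
    index: int        # 1-based slot in the 4-entry table, as aswMBR numbers them
    status: int
    type_id: int
    lba_start: int
    sectors: int

    @property
    def active(self) -> bool:
        return self.status == ACTIVE_FLAG

    @property
    def size_mb(self) -> float:
        return self.sectors * SECTOR_BYTES / (1024 * 1024)


def build_mbr(layout: Sequence[Tuple[int, int, int, int]]) -> bytes:
    """Assemble a 512-byte MBR image; bootstrap code and CHS fields stay zeroed."""
    table = b"".join(
        struct.pack("<B3sB3sII", status, b"\0\0\0", type_id, b"\0\0\0", lba, count)
        for status, type_id, lba, count in layout
    ).ljust(64, b"\0")
    return bytes(446) + table + MBR_SIGNATURE


def parse_partition_table(mbr: bytes) -> List[Partition]:
    """Decode the four 16-byte partition entries that start at offset 446."""
    if len(mbr) != SECTOR_BYTES:
        raise ValueError("an MBR image must be exactly one 512-byte sector")
    if mbr[510:512] != MBR_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    parts = []
    for slot in range(4):
        entry = mbr[446 + 16 * slot: 446 + 16 * (slot + 1)]
        status, _, type_id, _, lba, count = struct.unpack("<B3sB3sII", entry)
        if type_id != 0:  # type 0x00 is an unused slot
            parts.append(Partition(slot + 1, status, type_id, lba, count))
    return parts


def find_boot_anomalies(parts: List[Partition]) -> List[str]:
    """Describe anything odd about which partition the BIOS would boot."""
    findings = []
    active = [p for p in parts if p.active]
    if len(active) != 1:
        findings.append(f"{len(active)} partitions carry the active flag; expected exactly one")
    for p in parts:
        if p.status not in (0x00, ACTIVE_FLAG):
            findings.append(f"partition {p.index}: invalid status byte 0x{p.status:02x}")
    for p in active:
        if p.type_id == TYPE_HIDDEN_NTFS:
            findings.append(f"partition {p.index}: active flag is on a hidden NTFS (0x17) partition")
        if p.size_mb < 16:
            findings.append(f"partition {p.index}: active partition is only {p.size_mb:.1f} MB")
    return findings


def analyse(layout: Sequence[Tuple[int, int, int, int]]) -> List[str]:
    """Build, parse and check one constructed layout in a single call."""
    return find_boot_anomalies(parse_partition_table(build_mbr(layout)))


if __name__ == "__main__":
    for name, layout in (("before fix", INFECTED_LAYOUT), ("after fix", CLEAN_LAYOUT)):
        print(f"{name}: {analyse(layout) or ['no boot anomalies']}")
```

The check only looks at the partition table, not at the bootstrap code itself, and it trusts the 512 bytes it is given. Against a kernel-mode rootkit that is still loaded, a sector read from inside the running system can be intercepted and answered with a clean-looking copy, which is why aswMBR prints the chain of drivers it went through ("trace - called modules") and why an image taken from boot media, or the saved MBR.dat, is the more reliable input.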
Oh okay. I didn't reboot after the last TDSkiller. Should I do that now?
Yes, reboot and run aswMBR again. Choose (None) from the AV scan menu.
I've got to go out shortly but will take a look in again later.
Out of interest, when you run aswMBR is the "Fix" button active or greyed out?
Will do this for you and will leave answer for when you get back.
Thank you.
I'll PM you my email address. Can you email me the file mbr.dat that'll be found on your desktop.
New log
aswMBR version 0.9.9.1707 Copyright(c) 2011 AVAST Software
Run date: 2013-01-27 13:54:10
13:54:10.968 OS Version: Windows 5.1.2600 Service Pack 3
13:54:10.968 Number of processors: 1 586 0x207
13:54:10.968 ComputerName: ANGELA UserName: Angie
13:54:16.593 Initialize success
13:54:18.218 AVAST engine defs: 13012700
13:55:20.781 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
13:55:20.781 Disk 0 Vendor: ST360015A 3.33 Size: 57241MB BusType: 3
13:55:20.796 Disk 0 MBR read successfully
13:55:20.812 Disk 0 MBR scan
13:55:20.828 Disk 0 Windows XP default MBR code
13:55:20.828 Disk 0 Partition 1 00 DE Dell Utility Dell 4.1 31 MB offset 63
13:55:20.890 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 57208 MB offset 64260
13:55:20.921 Disk 0 Partition 3 00 17 Hidd HPFS/NTFS NTFS 2 MB offset 117226305
13:55:20.921 Disk 0 Partition 3 **INFECTED** MBR:Alureon-K [Rtk]
13:55:20.921 Disk 0 MBR [SST] **ROOTKIT**
13:55:20.937 Disk 0 trace - called modules:
13:55:20.953 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
13:55:20.968 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8738bab8]
13:55:20.968 3 CLASSPNP.SYS[f76e3fd7] -> nt!IofCallDriver -> \Device\00000068[0x873732a0]
13:55:20.968 5 ACPI.sys[f765a620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x8736f940]
13:55:20.984 Scan finished successfully
13:56:48.343 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Angie\Desktop\MBR.dat"
13:56:48.343 The log file has been saved successfully to "C:\Documents and Settings\Angie\Desktop\aswMBR.txt"
"Fix" button was greyed out before scan but active after scan.
"Fix MBR" button was active before scan but greyed out after scan.
I have also sent you the "DAT" file. I am also popping away for a few minutes. Will be back.
Thanks
This discussion has been closed.