Author Topic: mystery virus  (Read 9193 times)
kesuki (Comodo Family Member, Posts: 54)
« Reply #60 on: December 22, 2007, 11:05:22 AM »

Dad's machine is a 'custom' OEM system. Ordered off the net, it's a standard retail motherboard... which is why having to reset the CMOS to get into the BIOS was so upsetting to me. It wasn't configured to boot off CDs, and the BIOS wouldn't load for me to reconfigure it _until after_ I reset the CMOS. (I tried all the standard BIOS load-up keys; all I was getting was a black screen that never showed POST data or anything.) The BIOS loading key worked fine after resetting the CMOS. It was one of the ones I had tried many times over the time it took me to resort to clearing the CMOS data.

And now I'm at my sister's for the holidays, and the first thing I did was try to run gmer, but at certain points in the 'scan' the internet 'cuts out': Google failed to load 2 times, and I was unable to log into an online game 2 times and was disconnected the 1 time I could connect.
kesuki (Comodo Family Member, Posts: 54)
« Reply #61 on: December 22, 2007, 11:25:26 AM »

Since I had weird stuff happen, I've got the DSS and gmer logs for my sister's PC.

grue155 (Global Moderator, Comodo's Hero, Posts: 725)
« Reply #62 on: December 22, 2007, 02:43:42 PM »

Quote
Dad's machine is a 'custom' OEM system. Ordered off the net, it's a standard retail motherboard... which is why having to reset the CMOS to get into the BIOS was so upsetting to me. It wasn't configured to boot off CDs, and the BIOS wouldn't load for me to reconfigure it _until after_ I reset the CMOS. (I tried all the standard BIOS load-up keys; all I was getting was a black screen that never showed POST data or anything.) The BIOS loading key worked fine after resetting the CMOS. It was one of the ones I had tried many times over the time it took me to resort to clearing the CMOS data.

I haven't encountered this myself, and I may be mis-remembering my readings, but this reminds me of CMOS battery failure. It's an easy test to pop a new battery in. Typically CR2032 button batteries these days. You've described his machine as relatively new (last 5 years), where I've had machines running almost 8 years and haven't hit a battery failure yet.

I've downloaded the DSS and gmer logs. First eyeball check looks okay. As I get a chance later today I'll look at the logs more closely.
grue155 (Global Moderator, Comodo's Hero, Posts: 725)
« Reply #63 on: December 22, 2007, 07:42:05 PM »

I've looked at the DSS and gmer logs a bit more closely. Aside from a busy machine, the logs look clean. There looks to be a lot of stuff running around in the background: Logitech, Apple, McAfee, Nikon, and the usual variety of Windows processes. You might check Task Manager to identify the heavy hitters for CPU use, and for memory use.

Quote
And now I'm at my sister's for the holidays, and the first thing I did was try to run gmer, but at certain points in the 'scan' the internet 'cuts out': Google failed to load 2 times, and I was unable to log into an online game 2 times and was disconnected the 1 time I could connect.

Given the time of year, some parts of the Internet may be under load, and so not be as responsive as expected. A "tracert" would show any network problems caused by congestion, or not, to be able to rule that out.
kesuki (Comodo Family Member, Posts: 54)
« Reply #64 on: December 24, 2007, 12:49:22 PM »

Yeah, it could have been her DSL acting up; normally it's pretty good. I was going to check if the problem is 'reproducible'; so far it hasn't been.. I guess that's good news.

So I was wondering, is there a program I can put on my 'scratch' system that will monitor for and prevent this rootkit from 'automatically' spreading? I'm assuming that HIPS application control is not enough to stop the rootkit from infecting from 'corrupt' sources... I would guess it's targeting vulnerabilities or buffer overflows to get around HIPS application control, since the first thing I did was install a security application, and my driver disks still infected my system until I finally noticed my driver CDs had extra 'sessions.' The reason I ask is because I want to make sure their digital cameras and thumb drives can perhaps be 'tested' on a scratch install before I 'zap' their data and restore it via DVD-Rs that are known to be clean.
grue155 (Global Moderator, Comodo's Hero, Posts: 725)
« Reply #65 on: December 24, 2007, 05:02:53 PM »

There are several things that can be done to lock down a WinXP machine. Anti-virus and HIPS techniques do monitor things, but are not 100% effective. The best combination that I know of uses these kinds of techniques:

First, run everything you can as a limited user account. Running with administrator privileges is the same as a Linux box running everything as root. WinXP runs NTFS, which has very good permissions-based security, but like root, running as administrator can just go around it. Limited users have to obey the permissions.

Second is to make full use of WinXP "software restriction policies". A detailed description is at http://www.mechbgon.com/srp/ , or of course, buried down in the Microsoft documentation. It's a way to say where things are allowed to be run from. I don't have much experience with SRP methods, as such things tend to get used in larger corporate environments.

As a variation, there is a product called "Deep Freeze", from Faronics at http://www.faronics.com/ , which carries SRP a little bit further. They target a corporate environment, but an evaluation copy might be adequate for quick security.

All of this is still running whichever anti-virus monitor you choose. While it is not a good idea to run two anti-virus systems at the same time, having a second anti-virus as an "on-demand" scanner can be a good thing: "check file with scanner foo, and then scanner bar will do its job when I copy/move/use that file". The running anti-virus and HIPS will likely see the on-demand scanning as an attack, so you can get conflicts. You can try it and see what happens.
seeker_ (Newbie, Posts: 6)
« Reply #66 on: December 28, 2007, 02:34:27 PM »

On the Chkdsk results on a FAT32 drive I also get:

\WINDOWS\Prefetch\CHKDSK.EXE-2CC4C59D.pf  first allocation unit is not valid.
\WINDOWS\Prefetch\WMIPRVSE.EXE-28F301A9.pf  first allocation unit is not valid.
These results can change every time.

I have no Trojans, viruses or rootkits, or your other symptoms.
There is a major bug, surprise, surprise, with Chkdsk run inside Windows.
Only trust the results of Chkdsk c: /f when used on system restart.
I found this forum discussion on the topic.

http://www.techsupportforum.com/microsoft-support/windows-xp-support/147621-windows-xp-home-edition-chkdsk-error.html

kesuki (Comodo Family Member, Posts: 54)
« Reply #67 on: January 29, 2008, 09:54:07 PM »

Been a while since I posted, because I haven't gotten around to 'fixing' my parents' system. I moved Dad to 'Linux', which is working fine; Mom's PC is upstairs and has to use wireless LAN for internet, so I showed them how to remove it, which they are doing whenever they don't need internet on it.

But now the rootkit showed up on my system at home again, suddenly, on Monday. It happened when I had problems reading a 'DVD' that was commercially pressed, so I was repeatedly trying to use car wax to make the disc readable. After about 2 tries, Windows autorun stopped working.

I had been using DVDs I burned 2-3 years ago; they had AVI files and were data DVDs. Some of them 'wouldn't read' under Linux, so I thought the rootkit was on them, but no symptoms came back from just watching the AVIs on them.

Specifically, the DVD I had problems reading was 'Yu Yu Hakusho disc 2'; I also had read Yu Yu Hakusho movie 1 and Card Captor Sakura DVD 1, all rented online. I also reinstalled my DVD burning program and movie watching software. However, I discovered that "DMA access" to all drives on the system had mysteriously become disabled (when I reinstalled the watching software). I suspect the 'DMA disable' feature is how the rootkit monitors CD/DVD burning software and injects its code into CD/DVD burn streams.

I know it doesn't infect all DVDs, and specifically, not one of the CDs or DVDs I've burned with 'InfraRecorder' has had a problem, unless I tried to burn them multi-session or 'burned on the fly'. I suspect that it looks for multi-session burns, because every multi-session I tried to burn with InfraRecorder failed; also, when InfraRecorder doesn't have an image, it was failing sometimes (although by default InfraRecorder creates a temporary image file, and it might also have bugs with multi-session or on-the-fly burning, since both of those options have to be manually enabled).

Yet many of my discs that I burned with Nero in the past don't even read in Linux, which made me think I've had a rootkit for years unknown to myself. It would also explain why I had problems with hackers so easily being able to replace image files while I was chatting with them online... (something that basically resulted in my quest to remove any virus/malware on any system I'd been on in the past few years, which this thread is a part of)

Also, I used the rootkit scanners mentioned, and Dr.Web CureIt, to try and scan the HDs of my dad's system, and neither one of them could find it, before I used 'DBAN' to nuke the drive and replace the one I 'loaned' to my dad so he could run Linux. I think the CMOS battery in my dad's PC may be dying, because his system is the oldest one my parents run, and when I had to restart it, it took 3 'resets' for Linux to load on the system. I'll look into ordering a replacement battery for it, even if it is only 4 years old.
kesuki (Comodo Family Member, Posts: 54)
« Reply #68 on: January 31, 2008, 06:59:33 PM »

Okay, had Dad buy a new battery for his system, put it in, powered on, nothing, black screen (same problem I was having putting Linux on it in the first place). Reset, same; killed power from the back, powered on, still black; took out the CMOS reset jumper and set it to reset. Then I get the screen where it asks you to press a key to set up the CMOS, and it froze (not the first time it's done that). So I reset the system and got a 'CMOS checksum error, defaults loaded' message, and had to press F1 to load, and then Linux booted no problems.

If that system doesn't have a BIOS virus, I have no idea what's wrong or why it's so temperamental. One should not have to clear the CMOS, and then reset when the CMOS setup screen doesn't load, every 2 reboots. Considering that I now suspect I've had rootkits for 3+ years on these systems, that's plenty of time to install a BIOS virus specific to those machines. My home PC didn't fix till I flashed its BIOS, and then just from using 2-3 year old data DVDs the virus symptoms started to come back.. (albeit only when I had trouble with a video DVD)

I'm definitely reflashing my mom's BIOS, and I'm thinking I should with Dad's PC too.
kesuki (Comodo Family Member, Posts: 54)
« Reply #69 on: February 01, 2008, 03:37:06 PM »

OK, when I tried to reflash Dad's BIOS, before I got the new BIOS on there, same problem with restarting: had to CMOS clear, then had to get the same 'CMOS checksum error' to boot from the floppy. Once I got the floppy booted from, I tried to 'save the old BIOS' but only had about 300 K free, so I had to redo it without saving the old BIOS, and bam, every time I've restarted since, no problems. I would have liked to have gotten a dump of the whole BIOS, to submit it as proof of a 'BIOS virus' in the wild, but oh well. I'll try to make the boot floppy smaller for my mom's PC so I can hold a dump (there are a lot of useless files on the boot disc that WinXP makes).

kesuki (Comodo Family Member, Posts: 54)
« Reply #70 on: February 16, 2008, 03:26:24 PM »

Great news, kinda. I managed to back up the BIOS image from "Mom's" PC; I had to use a second floppy, but boy was it worth it. I copied the exact date and everything from the BIOS and looked it up on the manufacturer's website... so what did I find?

(deleted):~/Desktop/blah$ md5sum old.bin
6860296502dc3049e506b93d26ede259  old.bin
(deleted):~/Desktop/blah$ cd ./u*1
(deleted):~/Desktop/blah/untitled folder 1$ ls
abitfae.bat  awdflash.exe  nf7d_16.bin  nf7d_16.txt  runme.bat
(deleted):~/Desktop/blah/untitled folder 1$ md5sum *.bin
f35052ec5755e782ab388b65c9b4b063  nf7d_16.bin

Based on the information from the backup process, the 'nf7d_16.bin' should have had the same md5 sum as 'old.bin', which was the backup of the 'current' BIOS... proof positive of a BIOS virus in-the-wild.

I am attaching the bin files to this post. I'm really excited; I think I might be the 'first' documented 'BIOS virus' that replaces the BIOS with working code, rather than deleting it/replacing it with garbage content. I only included the bin files (the virus one, and the original one); I flashed to a newer BIOS anyways.

Mod Edit : Live malware sample removed. Please do not attach live malware to forum postings. Please forward sample to malwaresubmit[ at ]avlabs.comodo.com. thanks and congrats on getting things working again.
« Last Edit: February 16, 2008, 03:51:05 PM by panic »
aditya_dmj (Newbie, Posts: 20)
« Reply #71 on: March 21, 2008, 12:43:43 PM »
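The md5sum session above compares one digest of the dumped image against one digest of the vendor's file. As an added example (not code from the thread, from any poster, or from the board vendor), the Python script below does the same comparison but also reports the two things a practitioner would want to check before reading a mismatch as tampering: whether the two images are even the same size (a dump of a different chip size or a different BIOS revision than the downloaded file will never match), and where the differing bytes are. Award-style BIOS images keep data areas (ESCD/DMI) that the firmware itself rewrites, so a dump of a running board can legitimately differ from the vendor file in a small region; a difference that spans code is what actually warrants a closer look. The three sample images, the chip size and the patched offsets are constructed for the demo.

```python
import hashlib
from typing import Dict, List, Optional


def image_digests(data: bytes) -> Dict[str, object]:
    """Size plus MD5 and SHA-256 of one image (MD5 to line up with md5sum output)."""
    return {
        "size": len(data),
        "md5": hashlib.md5(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def diff_regions(a: bytes, b: bytes, gap: int = 16) -> List[Dict[str, int]]:
    """Contiguous [start, end) ranges inside the common length where a and b differ.
    Differences closer together than `gap` bytes are merged so that one patched
    block or one rewritten data area appears as a single region."""
    regions: List[Dict[str, int]] = []
    start: Optional[int] = None
    last = -1
    for i in range(min(len(a), len(b))):
        if a[i] != b[i]:
            if start is None or i - last > gap:
                if start is not None:
                    regions.append({"start": start, "end": last + 1})
                start = i
            last = i
    if start is not None:
        regions.append({"start": start, "end": last + 1})
    return regions


def compare_images(dumped: bytes, vendor: bytes) -> Dict[str, object]:
    """Compare a BIOS dump against the vendor image and classify the result."""
    d, v = image_digests(dumped), image_digests(vendor)
    common = min(len(dumped), len(vendor))
    differing = sum(1 for i in range(common) if dumped[i] != vendor[i])
    if d["sha256"] == v["sha256"]:
        verdict = "identical"
    elif d["size"] != v["size"]:
        # Wrong vendor file, different flash part or a truncated dump: not comparable yet.
        verdict = "size-mismatch"
    else:
        verdict = "content-differs"
    return {
        "verdict": verdict,
        "size_match": d["size"] == v["size"],
        "md5_match": d["md5"] == v["md5"],
        "differing_bytes": differing,
        "regions": diff_regions(dumped, vendor),
        "dumped": d,
        "vendor": v,
    }


def demo() -> Dict[str, str]:
    """Constructed images: a 2 KiB 'vendor' file, an identical dump, a dump with two
    patched regions, and a dump truncated to half the size. Returns the verdicts."""
    vendor = bytes(range(256)) * 8          # constructed stand-in for nf7d_16.bin
    patched = bytearray(vendor)
    patched[0x100:0x110] = b"\xff" * 16     # constructed 16-byte change
    patched[0x400:0x404] = b"\xaa" * 4      # constructed 4-byte change, far from the first
    return {
        "identical": str(compare_images(vendor, vendor)["verdict"]),
        "patched": str(compare_images(bytes(patched), vendor)["verdict"]),
        "truncated": str(compare_images(vendor[:1024], vendor)["verdict"]),
    }


if __name__ == "__main__":
    # Run the constructed cases and print one report in the md5sum-like style.
    vendor = bytes(range(256)) * 8
    patched = bytearray(vendor)
    patched[0x100:0x110] = b"\xff" * 16
    patched[0x400:0x404] = b"\xaa" * 4
    report = compare_images(bytes(patched), vendor)
    for name in ("dumped", "vendor"):
        print(f"{report[name]['md5']}  {name} ({report[name]['size']} bytes)")
    print("verdict:", report["verdict"], "| differing bytes:", report["differing_bytes"])
    for r in report["regions"]:
        print(f"  differs at 0x{r['start']:06x}-0x{r['end']:06x}")
```

To use it on real files, read `old.bin` and the vendor `.bin` as bytes and pass them to `compare_images`; the region offsets can then be judged against the vendor's image layout rather than treated as a verdict on their own.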

There is no virus in your system; your MB does not initialize USB HD at boot time.
Try formatting your HD using Bart PE. Then reinstall Windows.
DanaJone1 (Newbie, Posts: 9)
« Reply #72 on: April 03, 2008, 09:02:37 AM »

My question is: Just what in the hell were you doing lurking at a hacker site in the first place?! The very first thing they do is scan you to see if you have any exploits they can use, then they dl anything & everything they can to your PC.
I had a friend that wanted to check out a hacker site. I told him not to; he did anyway, looked around a few minutes (according to him) and guess what, the next thing you know, his PC was a zombie bot, ****t'n spam & virus-infected email everywhere. Took him days to reformat & reinstall everything to get rid of the bugs.
You gotta be more cautious; look at all the trouble you went through, you have spent months and I don't know how many hours on this thing. I hope others reading this realize that there are some malicious sites out there that can do some real damage to your PC without you even realizing it, and it could take days or weeks to repair the damage.

Anyway, good luck, hope you got your PCs fixed and I also hope you don't go back to lurking hacker sites.
DJ

3xist (Guest)
« Reply #73 on: May 31, 2008, 11:48:34 PM »

Topic Locked.

Reason: Out-Dated post.

Josh