Gnutella Forums  


Tips & Tricks For help with file formats, viruses, security, etc. This section is not for questions about problems with Gnutella program clients, downloading, connecting, etc.


#1
March 30th, 2005
RaaF (Modding Member, Netherlands)
Rootkit


Rootkit?

Ever heard of that?

Until recently I didn't.
The story begins at my girlfriend's computer, where one of her kids received a mail from a friend with an attachment.
Avast antivirus immediately sounded the alarm bell and removed it, but the virus is present again at every startup.
It's called msdirectx.sys and is being placed in the username folder.

It spreads through mail, sending itself to every address in the address book.

Apparently it is a keylogger that phones home.

So far I found it prevents you from opening:
- Regedit
- Task Manager
- HijackThis

It had shut down ZoneAlarm and prevents it from a manual start; it prevents an antivirus update.

There seem to be a few variations.
Some manual cleaning was described here, but the variation I found had none of the described registry entries.

Further Googling brought me here (there are some interesting links on that page).

Perhaps for the paranoids (peers) it is good to run:
RootkitRevealer
and
F-Secure BlackLight
I certainly have these programs in my PC good health list from now on.

So far I haven't been able to kill the virus, but I'll have another go at it this coming weekend. I'll keep you updated.
__________________
The general Gnutella forum in Dutch


Last edited by RaaF; March 30th, 2005 at 11:59 AM.
#2
April 6th, 2005
RaaF (Modding Member, Netherlands)

**Update**

As it is such a well-designed virus, and the rootkit element being stealthy, all my known methods of deleting it failed.
It does not load when booting in safe mode, so there was nothing to go at that way.
There was only one option left:
I formatted and reinstalled WinXP.
__________________
The general Gnutella forum in Dutch


Last edited by RaaF; April 6th, 2005 at 12:35 AM.
#3
April 20th, 2005
ursula (Cleaning Lady, koyaanisqatsi)

http://search.symantec.com/custom/us/query.html

A Norton page for more info...

and

RaaF...

Two questions...

Why does there seem to be a .nl link here with this problem?

and

What more have you learned?

(Or, what more does anyone reading this thread have to share?
This thread is NOT locked!!!

Please contribute!)
#4
June 6th, 2005
giddyup (Novicius, Nor Cal, USA)
Have you...

Quote:
Originally posted by RaaF
**Update**

As it is such a well-designed virus, and the rootkit element being stealthy, all my known methods of deleting it failed.
It does not load when booting in safe mode, so there was nothing to go at that way.
There was only one option left:
I formatted and reinstalled WinXP.

Have you tried getting the CA antivirus program? This program really works for me. I had a similar problem, where a keylogger wanted to dial out from the PC. Well, I downloaded the trial version of CA with all the extras, and I couldn't believe my eyes. This program kicked butt. It also allows you to monitor all programs being started and which program wants to dial out to the internet, and you have the option to click "Yes" to allow the program to connect or "No" to not allow the program to connect.

A window appears in the lower right corner of your PC, and by the way this small window does not annoy you at all, because it allows you to have CONTROL of your PC. It is pretty cool. Try it. It also has a lot of features; even for a trial version it REALLY ROCKS!

It is always picking up viruses left and right. Also, I would password protect your CA antivirus program so no virus can turn it off, if you know what I mean. Also get the trial version of the Firewall; it didn't screw up the other firewall I have in my PC. Hope this helps. Sorry for the essay.

#5
July 2nd, 2005
Furrion (Novicius)

Nothing can do anything to my computer, even if it's some new virus. My great secret.

#6
August 20th, 2005
notarootkit (Guest)

She got hit with a virus. Don't confuse the kids on here. They don't know the difference between an anti-virus scanner and a spyware scanner. They think the spyware scanner gets viruses and the anti-virus scanner gets spyware. Some AV applications catch spyware; however, in my experience, I left that to Giant AntiSpyware, now MS AntiSpyware.

Read this. It explains everything.

Quoted from Wikipedia

The key distinction between a computer virus and a root kit relates to propagation. Like a root kit, a computer virus modifies core software components of the system, inserting code which attempts to hide the "infection" and provides some additional feature or service to the attacker (the "payload" of a virus).

In the case of the root kit the payload may attempt to maintain the integrity of the root kit (the compromise to the system) --- for example, every time one runs the root kit's ps command it may check the copies of init and inetd on the system to ensure that they are still compromised, "re-infecting" them as necessary. The rest of the payload is there to ensure that the cracker (attacker) can continue to control the system. This generally involves having backdoors in the form of hard-coded username/password pairs, hidden command-line switches or magic environment variable settings which subvert the normal access control policies of the uncompromised versions of the programs. Some root kits may add port knocking checks to existing network daemons (services) such as inetd or the sshd.

A computer virus can have any sort of payload. However, the computer virus also attempts to spread to other systems. In general a root kit limits itself to maintaining control of one system.

A program or suite of programs that attempts to automatically scan a network for vulnerable systems and to automatically exploit those vulnerabilities and compromise those systems is referred to as a computer worm. Other forms of computer worms work more passively, sniffing for usernames and passwords and using those to compromise accounts, installing copies of themselves into each such account (and usually relaying the compromised account information back to the cracker/attacker through some sort of covert channel).

Of course there are hybrids. A worm can install a root kit, and a root kit might include copies of one or more worms, packet sniffers or port scanners. Also, many of the e-mail worms to which MS Windows platforms are uniquely vulnerable are commonly referred to as "viruses." So all of these terms have somewhat overlapping usage and can be easily conflated.
#7
October 10th, 2005
cathodraytube (CRT, earth)
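The Wikipedia passage quoted above describes a rootkit that replaces system binaries such as ps, init and inetd and re-infects them whenever a clean copy is restored. The standard defence against that class of tampering is a file-integrity baseline: hash every binary on a known-clean system, keep the hashes off the box, and compare them against the live files later. The following is an added example written for this thread (it is not code from the forum, from Wikipedia, or from any of the tools named in the thread); the file names, the temporary "bin" directory and the simulated tampering are all constructed for the demonstration.

```python
"""Tripwire-style integrity baseline over a set of "system binaries".

Added example for the thread above, not from the original post. A baseline of
SHA-256 hashes is taken on a known-clean tree; a later scan is compared against
it and every modified, missing or newly added file is reported.
"""
import hashlib
import json
import os
import tempfile


def hash_file(path: str) -> str:
    """SHA-256 of a file, read in chunks so large binaries are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: str) -> dict:
    """Map relative path -> sha256 hex digest for every regular file below root."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            baseline[os.path.relpath(full, root)] = hash_file(full)
    return baseline


def compare(baseline: dict, current: dict) -> list:
    """Return sorted (kind, path) findings: 'modified', 'missing' or 'added'."""
    findings = []
    for rel, digest in baseline.items():
        if rel not in current:
            findings.append(("missing", rel))
        elif current[rel] != digest:
            findings.append(("modified", rel))
    for rel in current:
        if rel not in baseline:
            findings.append(("added", rel))
    return sorted(findings)


def demo() -> list:
    """Constructed scenario: clean bin/ tree, baseline, then simulated tampering."""
    with tempfile.TemporaryDirectory() as root:
        bin_dir = os.path.join(root, "bin")
        os.mkdir(bin_dir)
        for name in ("ps", "init", "inetd"):            # constructed stand-ins
            with open(os.path.join(bin_dir, name), "wb") as f:
                f.write(b"#!/bin/sh\necho clean " + name.encode() + b"\n")
        # In practice the baseline is stored off-box (or on read-only media),
        # otherwise the same tampering could rewrite it too.
        baseline_json = json.dumps(build_baseline(root))

        # Simulate the passage's scenario: ps is altered and a new helper appears.
        with open(os.path.join(bin_dir, "ps"), "ab") as f:
            f.write(b"# simulated modification\n")
        with open(os.path.join(bin_dir, ".helper"), "wb") as f:
            f.write(b"simulated extra file\n")

        return compare(json.loads(baseline_json), build_baseline(root))


if __name__ == "__main__":
    for kind, path in demo():
        print(f"{kind:9} {path}")
```

The check only sees what the running kernel shows it, so a kernel-level rootkit that filters file reads can feed the scanner clean bytes; that limitation is exactly why RootkitRevealer-style tools compare the normal API view against a raw read of the disk, and why the most trustworthy scan is one run from clean boot media.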

Did you try turning off System Restore? Sometimes they will stay in the restore file and keep coming back.

#8
November 4th, 2005
ukbobboy01 (Valued Member, United Kingdom)

Guys

Rootkits are the nastiest of online dangers that are around today; if caught, they are difficult to get rid of and, as RaaF found out, will necessitate a full HD reformat and reinstallation.

RaaF, if you are reading this you should, if possible, reformat your GF's drive at least seven times; that way you will be sure that it is gone. In the past, I have come across viruses that survive a normal (one-time) reformat and, as rootkits are more dangerous, it is possible that they can survive several reformattings, but it is highly unlikely to survive (the MOD-recommended) seven.

As I am paranoid about PC security, I intend to install F-Secure BlackLight (beta) over the weekend and see if I have any stealthed malware on my system.

UK Bob
#9
November 4th, 2005
cathodraytube (CRT, earth)

UK, I've never run into any virus that has survived a reformat.
Yes, it's true that when you reformat all the files are still there, but they're "dead" and the OS just sees them as blank space, and they can only be recovered with special file recovery programs.

And that is only if they haven't been overwritten... if something new (e.g. Windows) has been written over the deleted files, then the files that were there before are history.

I don't know how much you know about computers, UK, but please correct me if I'm wrong... but if you ran into a virus that "survives" a "reformat" you may not have actually reformatted the drive... you may have just done a reinstall of Windows or a "repair install", in which case the virus would still be there because you didn't completely erase the drive.

But if I'm wrong on this and you do know what you're talking about and you did run into a virus that survives a complete reformat, even then, 7 times?? If the virus does somehow resurrect itself, then a zero-fill and 1 reformat should completely destroy any data/virus on the drive.
#10
November 4th, 2005
ukbobboy01 (Valued Member, United Kingdom)

CRT

I would agree with that: one reformat destroys most things, programs, data and everything else.

However, I have, in my time working on PCs, come across a virus that survived a reformat. Now whether that virus was still active or not I do not know, but it was there on the hard drive waiting for my colleagues and me to re-install Windows.

So, rather than take the chance of the virus being active, I got NAV and deleted it.

Now, I will admit that I know very little about rootkits, other than that they are worse than viruses or worms and are very difficult to eradicate and, from what I read this afternoon, even harder to spot.

The Ministry of Defence (MOD) recommends that a PC's HD should be reformatted seven times before being disposed of. Therefore, reformatting seven times will get rid of everything and make anything that was ever on the HD unrecoverable and totally useless, i.e. nothing can survive.

I would also agree that zero-filling a drive then reformatting it could be the same as reformatting it seven times, but either way we are still talking about getting rid of something that is notoriously difficult to eliminate, namely being infected by a rootkit.

However, I will confess that I have never personally reformatted a HD seven times, but I would if I had to.

UK Bob
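Posts #9 and #10 above argue about why a file can "survive" a reformat and whether a zero-fill makes repeated formatting pointless. The point is easiest to see on a toy disk: a format rewrites only the file system's bookkeeping, so the data blocks keep their old bytes until something overwrites them, while a zero-fill rewrites every block. The following simulation is an added example written for this thread, not code from the forum or from any tool mentioned in it; the block layout, the JSON allocation table and the sample file contents are all constructed for the demonstration and do not model any real file system.

```python
"""Quick format vs. zero-fill on a simulated disk (added example for the thread).

Block 0 holds the allocation table (a small JSON map of name -> data blocks);
blocks 1..NBLOCKS-1 hold file data. quick_format() rewrites block 0 only, as a
real quick format rewrites only file-system metadata; zero_fill() rewrites every
block. carve() scans the raw data blocks the way a file-recovery tool would.
"""
import json

BLOCK = 64       # bytes per block (constructed toy geometry)
NBLOCKS = 16     # block 0 = allocation table, 1..15 = data


def write_table(disk: bytearray, table: dict) -> None:
    raw = json.dumps(table).encode().ljust(BLOCK, b"\0")
    if len(raw) != BLOCK:
        raise OSError("allocation table does not fit in one block")
    disk[0:BLOCK] = raw


def read_table(disk: bytearray) -> dict:
    return json.loads(disk[0:BLOCK].rstrip(b"\0").decode())


def new_disk() -> bytearray:
    disk = bytearray(BLOCK * NBLOCKS)
    write_table(disk, {})
    return disk


def write_file(disk: bytearray, name: str, data: bytes) -> None:
    """Allocate free data blocks, copy the bytes in, record them in the table."""
    table = read_table(disk)
    used = {b for blocks in table.values() for b in blocks}
    free = [b for b in range(1, NBLOCKS) if b not in used]
    nblocks = -(-len(data) // BLOCK)          # ceiling division
    if nblocks > len(free):
        raise OSError("disk full")
    blocks = free[:nblocks]
    for i, b in enumerate(blocks):
        disk[b * BLOCK:(b + 1) * BLOCK] = data[i * BLOCK:(i + 1) * BLOCK].ljust(BLOCK, b"\0")
    table[name] = blocks
    write_table(disk, table)


def list_files(disk: bytearray) -> list:
    """What the OS shows: only names present in the allocation table."""
    return sorted(read_table(disk))


def quick_format(disk: bytearray) -> None:
    """Rewrite only the bookkeeping block; data blocks are left untouched."""
    write_table(disk, {})


def zero_fill(disk: bytearray) -> None:
    """Overwrite every block, including the table, with zeros."""
    disk[:] = bytes(len(disk))


def carve(disk: bytearray, marker: bytes) -> bool:
    """Raw scan of the data blocks, ignoring the table (file-recovery view)."""
    return marker in bytes(disk[BLOCK:])


def demo() -> dict:
    disk = new_disk()
    payload = b"SAMPLE-DRIVER constructed file contents"   # constructed, not real malware
    write_file(disk, "msdirectx.sys", payload)
    r = {"listed_before": list_files(disk), "carved_before": carve(disk, payload)}

    quick_format(disk)
    r["listed_after_format"] = list_files(disk)       # OS view: empty disk
    r["carved_after_format"] = carve(disk, payload)   # raw view: bytes still there

    zero_fill(disk)
    r["carved_after_zero_fill"] = carve(disk, payload)

    snapshot = bytes(disk)
    zero_fill(disk)                                   # a second pass of the same writer
    r["second_pass_changed_anything"] = bytes(disk) != snapshot
    return r


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The simulation only models the logical layer: once a zero-fill has rewritten every block, a second identical pass changes no bytes, which is the substance of CRT's "zero-fill and one reformat" point. Firmware-level spare sectors, wear-levelling on flash media and analogue remanence of magnetic platters are outside it, which is why disposal guidance for physical drives is a separate question from whether a reinstalled OS can still be infected by leftover files.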