| Tips & Tricks For help with file formats, viruses, security, etc. |
| Rootkit? Ever heard of that? Until recently I didn't. The story begins at my girlfriend's computer, where one of her kids received a mail from a friend with an attachment. Avast antivirus immediately sounded the alarm bell and removed it, but the virus is present again at every startup. It's called msdirectx.sys and is being placed in the username folder. It spreads through mail, sending itself to every address in the address book. Apparently it is a keylogger that phones home. So far I found it prevents you from opening: - Regedit - Taskmanager - Hijackthis It had shut down ZoneAlarm and prevents it from a manual start, and it prevents an antivirus update. There seem to be a few variations. Some manual cleaning was described here, but the variation I found had none of the described registry entries. Further Googling brought me here (there are some interesting links on that page). Perhaps for the paranoids (RootkitRevealer and F-Secure BlackLight). I certainly have these programs in my PC good health list from now on. So far I haven't been able to kill the virus, but I'll have another go at it this coming weekend. I'll keep you updated. Last edited by RaaF : March 30th, 2005 at 10:59 AM. |
| ||||
| http://search.symantec.com/custom/us/query.html A Norton page for more info... and RaaF... Two questions... Why does there seem to be a .nl link here with this problem, and what more have you learned? (Or, what more does anyone reading this thread have to share? This thread is NOT locked!!! Please contribute!) |
| |||
| Quote:
Have you tried getting the CA Antivirus program? This program really works for me. I had a similar problem, where a keylogger wants to dial out from the PC. Well, I downloaded the trial version of CA with all the extras, and I couldn't believe my eyes. This program kicked butt. It also allows you to monitor all programs being started and which program wants to dial out to the internet, and you have the option to click "Yes" to allow the program to connect or "No" to not allow the program to connect. A window appears in the lower right corner of your PC, and btw this small window does not annoy you at all, because it allows you to have CONTROL of your PC. It is pretty cool. Try it. It also has a lot of features; even for a trial version it REALLY ROCKS! It is always picking up viruses left and right. Also, I would password protect your CA antivirus program so no virus can turn it off, if you know what I mean. Also get the trial version of the Firewall; it didn't screw up the other firewall I have in my PC. Hope this helps. Sorry for the essay.
__________________ giddyup Nor Cal-USA |
| |||
| She got hit with a virus. Don't confuse the kids on here. They don't know the difference between an anti-virus scanner and a spyware scanner. They think the spyware scanner gets viruses and the anti-virus scanner gets spyware. Some AV applications catch spyware; however, in my experience, I left that to Giant AntiSpyware, now MS AntiSpyware. Read this. It explains everything. Quoted from Wikipedia: The key distinction between a computer virus and a root kit relates to propagation. Like a root kit a computer virus modifies core software components of the system, inserting code which attempts to hide the "infection" and provides some additional feature or service to the attacker (the "payload" of a virus). In the case of the root kit the payload may attempt to maintain the integrity of the root kit (the compromise to the system) --- for example every time one runs the root kit's ps command it may check the copies of init and inetd on the system to ensure that they are still compromised, and "re-infecting" them as necessary. The rest of the payload is there to ensure that the cracker (attacker) can continue to control the system. This generally involves having backdoors in the form of hard-coded username/password pairs, hidden command-line switches or magic environment variable settings which subvert the normal access control policies of the uncompromised versions of the programs. Some root kits may add port knocking checks to existing network daemons (services) such as inetd or the sshd. A computer virus can have any sort of payload. However, the computer virus also attempts to spread to other systems. In general a root kit limits itself to maintaining control of one system. A program or suite of programs that attempts to automatically scan a network for vulnerable systems and to automatically exploit those vulnerabilities and compromise those systems is referred to as a computer worm.
Other forms of computer worms work more passively, sniffing for usernames and passwords and using those to compromise accounts, installing copies of themselves into each such account (and usually relaying the compromised account information back to the cracker/attacker through some sort of covert channel). Of course there are hybrids. A worm can install a root kit, and a root kit might include copies of one or more worms, packet sniffers or port scanners. Also many of the e-mail worms to which MS Windows platforms are uniquely vulnerable are commonly referred to as "viruses." So all of these terms have somewhat overlapping usage and can be easily conflated. |
| |||
| Guys, rootkits are the nastiest of online dangers that are around today; if caught, they are difficult to get rid of and, as RAAF found out, will necessitate a full HD reformat and reinstallation. RAAF, if you are reading this, you should, if possible, reformat your GF's drive at least seven times; that way you will be sure that it is gone. In the past, I have come across viruses that survive a normal (one-time) reformat and, as rootkits are more dangerous, it is possible that they can survive several reformattings, but it is highly unlikely to survive (the MOD recommended) seven. As I am paranoid about PC security, I intend to install F-Secure Blacklight (beta) over the weekend and see if I have any stealthed malware on my system. UK Bob |
| ||||
| UK, I've never run into any virus that has survived a reformat. Yes, it's true that when you reformat all the files are still there, but they're "dead" and the OS just sees them as blank space, and they can only be recovered with special file recovery programs. And that is only if they haven't been overwritten... if something new (e.g. Windows) has been written over the deleted files, then the files that were there before are history. I don't know how much you know about computers, UK, but please correct me if I'm wrong... but if you ran into a virus that "survives" a "reformat", you may not have actually reformatted the drive... you may have just done a reinstall of Windows or a "repair install", in which case the virus would still be there because you didn't completely erase the drive. But if I'm wrong on this and you do know what you're talking about and you did run into a virus that survives a complete reformat, even then, 7 times?? If the virus does somehow resurrect itself, then a zero-fill and 1 reformat should completely destroy any data/virus on the drive. |
| |||
| CRT, I would agree that one reformat destroys most things: programs, data and everything else. However, I have, in my time working on PCs, come across a virus that survived a reformat. Now whether that virus was still active or not I do not know, but it was there on the hard drive waiting for my colleagues and me to re-install Windows. So, rather than take the chance of the virus being active, I got NAV and deleted it. Now, I will admit that I know very little about rootkits, other than that they are worse than viruses or worms and are very difficult to eradicate and, from what I read this afternoon, even harder to spot. The Ministry of Defense (MOD) recommends that a PC's HD should be reformatted seven times before being disposed of. Therefore, reformatting seven times will get rid of everything and make anything that was ever on the HD unrecoverable and totally useless, i.e. nothing can survive. I would also agree that zero filling a drive then reformatting it could be the same as reformatting it seven times, but either way we are still talking about getting rid of something that is notoriously difficult to eliminate, namely being infected by a rootkit. However, I will confess that I have never personally reformatted a HD seven times, but I would if I had to. UK Bob |
| ||||
| I don't know much about rootkits either... this thread is the first I ever heard about them. But I read the article that kath put in; one huge headache later I figured out that they are basically bad programs that somehow hide themselves from the user... and can be used as an attempt at overkill DRM... And after reading that, I downloaded that "rootkit revealer" program and ran it... and it came up with a whole bunch of stuff... which I have no idea what it was... but all the stuff was either in the "temporary internet files" or in with my one game "far cry" folders and a couple of registry entries, but the PC isn't acting any worse than normal, so I'm assuming (hope) all the stuff it found is harmless... Now my brain really hurts... |
| ||||
| I have never put a CD like that in my computer, nor do I own any like that... nor will I buy any... but I do a lot of CD ripping myself from friends' collections etc. and I don't want to expose my computer to it... Is there a way to simply not install or ignore it? Like holding the shift key to stop it from auto running when a CD of this nature is inserted?? And will ripping programs just ignore the data track and rip the DA as normal??? |
| ||||
| Hello you wonderful people! I ranted about Sony's rootkit elsewhere on this forum and pointed out a link in there that was an interesting read. That was this one: http://p2pnet.net/story/7025. Now I see there is a lot of talk here about this rootkit uninstaller put out by Sony to "fix" the matter. The following read should prove interesting. I don't know if anyone here was aware of this particular situation, but if you aren't, this is a good read: http://p2pnet.net/story/6984 Mmm I want a LINUX OS so bad I can taste it. I've got the PCLinuxOS disk, but not the resources to use it right now, hrrmph. Peace. |
| ||||
| I'm not 100%... but I think you can completely get around all this Sony/DRM BS by clicking NO to the EULA thing when you put one of these discs in your computer. By doing that you don't install any software. And if it DOES install something without your "consent" even if you clicked no and don't agree to Sony's licence crap... YOU can sue the pants off SONY. (I think) |
| ||||
| I'm not really worried about it. I don't burn CDs to my computer or save them to the computer. I do share what I've downloaded though, so that could be of concern if someone has the rootkit on their system. Thanks for the advice. |