Malwarebytes

Virus that makes optical devices invisible


3 replies to this topic

#1
Cynthia

    New Member

  • Members
  • 20 posts
  • Gender:Female
  • Location:Sweden
Hi! :P

I'm a beta member of the ImgBurn forum. Lately there have been a lot of reports on a virus/malware that makes the installed CD-ROM devices (like burners) invisible to Windows and programs like ImgBurn (www.imgburn.com). MBAM doesn't detect it.

This is what the author posted about this virus.

Quote

Well I finally found a copy of the virus that can cause the 'The maximum number of secrets that may be stored in a single system has been exceeded.' error during the device scan.

I stuck it on a laptop and had a little play around with a few tools to see what could detect it and remove it.

All my tests were performed with the virus already on the system. (So those apps that couldn't detect it *might* have stopped me from installing it in the first place had they been installed/enabled.)

GMER picks up on the service it uses to cloak everything else. You can disable the service (via the context menu), reboot and then delete it. ImgBurn works just fine after that.

avast AntiVirus finds it ok and recommends a boot time (like where boot time defrag or chkdsk normally run) virus scan - where it can (and does) then remove the bad files. It doesn't clean up the service entry in the registry - but that's not a real problem because the file no longer exists and so can't do any harm.

Dr.Web CureIt! doesn't see it (I could have sworn someone said it did!) - or at least not the particular variant I'd infected my machine with. It does appear to be able to scan the entire hdd though.

Symantec Endpoint 11 MR4 MP2 (latest at this time) doesn't see it. The full scan doesn't even work properly because it can't open the drive and scan the files - although it doesn't tell you about that! I only know that's what's happening because it says 'scan complete' having supposedly looked at 725 files or so - obviously there are far more than that on a C:\ !

MBAM doesn't see it.

RootRepeal finds a hidden driver (flagged in red), hidden files, stealth and a hidden service. I didn't manage to find a way to actually remove them with it though. You click wipe / force delete and it doesn't appear to do anything - scan again and they're still there.

So basically, out of that lot, the only ones that are really any use are GMER and avast. If the virus checked its own service (to see if it was enabled / disabled), I'm sure GMER would only be as useful as RootRepeal (i.e. to tell you there's a problem). I say this because the virus could very easily just re-enable the service again.

Sometimes the only way to get rid of these things is to know their names and remove them when they can't possibly be running - i.e. use Hiren's boot CD and Paragon Mount Anything to delete them outside of windows (or at boot time like avast - although that might not work 100% of the time if the virus is really low level). You could also hook the hdd up to another machine. You have to be careful with that though because some of the viruses put an autorun.inf file in the root of the drive, which would then install the virus on the clean machine as soon as the drive is connected.

I've attached the virus in a zip file for anyone that wants to have a mess around themselves to see if their AV can pick it up/remove it once it's installed.

The zip file password is: Infected
When the virus is active, you'll see this in the ImgBurn program's log:

Attached File  090609a.png   14.29K   1 downloads

Examples from programs that detect it.

Attached File  090609b.png   20.38K   1 downloads

Attached File  090609d.png   18.49K   1 downloads

This is when the virus is removed:

Attached File  090609c.png   10.71K   1 downloads

Attached File  virus.zip   87.09K   7 downloads
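The GMER and RootRepeal results in the post above come from cross-view detection: a rootkit that filters what the Service Control Manager reports still has to leave its service key in the registry hive on disk. The following is an added example, not code from this thread, from the ImgBurn author or from Malwarebytes. It parses a constructed `reg export` of the Services key (the raw view) and constructed `sc query type= all state= all` output (the API view) and reports service keys the SCM view does not show. The service name `xyzdrv`, the display names and the image paths are invented for illustration. One caveat the post itself hints at: a kernel-mode rootkit that filters SCM enumeration usually filters the live registry API too, so the raw view only means something if the hive was read with the infected system offline (from a boot CD or with the drive attached to another machine, as the author describes); a live export will simply agree with `sc` and the diff will be empty.

```python
"""Cross-view detection of a service hidden from the Service Control Manager.

Added example, not code from the Malwarebytes thread or the ImgBurn author.
The raw view is a constructed `reg export` of the Services key taken offline;
the API view is constructed `sc query type= all state= all` output. Service
names, display names and paths below are invented for illustration.
"""
import re
from typing import Dict, List

SERVICES_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services"

# Constructed .reg export. reg.exe writes REG_EXPAND_SZ values as hex(2)
# (UTF-16LE bytes, NUL terminated) and wraps long values with a trailing
# backslash; cdrom is a real-looking driver, xyzdrv is the invented hidden one.
RAW_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\cdrom]
"Type"=dword:00000001
"Start"=dword:00000001
"ImagePath"=hex(2):73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,64,00,\
  72,00,69,00,76,00,65,00,72,00,73,00,5c,00,63,00,64,00,72,00,6f,00,6d,00,2e,00,\
  73,00,79,00,73,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\cdrom\Parameters]
"AutoRun"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Spooler]
"Type"=dword:00000110
"Start"=dword:00000002
"ImagePath"="%SystemRoot%\\System32\\spoolsv.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\xyzdrv]
"Type"=dword:00000001
"Start"=dword:00000001
"ImagePath"="\\??\\C:\\WINDOWS\\system32\\drivers\\xyzdrv.sys"
"""

# Constructed `sc query type= all state= all` output from the running (infected)
# system: the hidden driver is filtered out, the other two entries are present.
SC_QUERY_OUTPUT = """\
SERVICE_NAME: cdrom
DISPLAY_NAME: CD-ROM Driver
        TYPE               : 1  KERNEL_DRIVER
        STATE              : 4  RUNNING
                                (STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)

SERVICE_NAME: Spooler
DISPLAY_NAME: Print Spooler
        TYPE               : 110  WIN32_OWN_PROCESS  (interactive)
        STATE              : 4  RUNNING
                                (STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)
"""


def _decode_reg_value(raw: str) -> str:
    """Decode the right-hand side of a .reg value line into a string."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].replace('\\\\', '\\').replace('\\"', '"')
    if raw.startswith("dword:"):
        return str(int(raw[6:], 16))
    m = re.match(r"hex(?:\((\d+)\))?:(.*)", raw)
    if m:
        data = bytes(int(b, 16) for b in m.group(2).split(",") if b)
        if m.group(1) == "2":  # REG_EXPAND_SZ
            return data.decode("utf-16-le").rstrip("\x00")
        return data.hex()
    return raw


def parse_reg_services(reg_text: str) -> Dict[str, Dict[str, str]]:
    """Return {service_name: {value_name: value}} for direct children of Services."""
    lines: List[str] = []
    for line in reg_text.splitlines():  # re-join reg.exe line continuations
        line = line.strip()
        if lines and lines[-1].endswith("\\"):
            lines[-1] = lines[-1][:-1] + line
        else:
            lines.append(line)
    services: Dict[str, Dict[str, str]] = {}
    current = None
    prefix = SERVICES_KEY.lower() + "\\"
    for line in lines:
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            current = None
            if key.lower().startswith(prefix):
                rest = key[len(prefix):]
                if "\\" not in rest:  # skip sub-keys such as ...\Parameters
                    current = rest
                    services[current] = {}
        elif current is not None and line.startswith('"') and "=" in line:
            name, _, value = line.partition("=")
            services[current][name.strip('"')] = _decode_reg_value(value)
    return services


def parse_sc_query(sc_text: str) -> Dict[str, str]:
    """Return {service_name: state} from `sc query` output."""
    result: Dict[str, str] = {}
    current = None
    for line in sc_text.splitlines():
        line = line.strip()
        if line.startswith("SERVICE_NAME:"):
            current = line.split(":", 1)[1].strip()
            result[current] = "UNKNOWN"
        elif current and line.startswith("STATE"):
            result[current] = line.split(":", 1)[1].strip()
    return result


def hidden_services(reg_text: str, sc_text: str) -> Dict[str, Dict[str, str]]:
    """Cross-view diff: keys in the offline hive that the SCM view does not list."""
    raw = parse_reg_services(reg_text)
    api = {name.lower() for name in parse_sc_query(sc_text)}
    return {name: vals for name, vals in raw.items() if name.lower() not in api}


if __name__ == "__main__":
    for name, vals in hidden_services(RAW_REG_EXPORT, SC_QUERY_OUTPUT).items():
        print(f"hidden service {name}: Start={vals.get('Start')} "
              f"ImagePath={vals.get('ImagePath')}")
```

A hit is a lead, not a verdict: confirm it by locating the ImagePath file from outside Windows, then follow the same sequence the author used (disable the service, reboot, delete the file and the key while the driver cannot run).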

#2
Fatdcuk

    Malware BBQ'er

  • Moderators
  • 18,863 posts
  • Gender:Male
  • Location:127.0.0.1
Hi Cynthia,

This is a very recent evolution of the CLB driver (WinNT.Alureon).

We do have definitions to remove this particular variant from a PC, but unfortunately, as with earlier versions, they have blacklisted our software, so we are effectively out of the chase :P

More reading here as to how to get MBAM back into the battle and remove this and other variants>>>
http://www.malwareby...showtopic=12709
Ade Gill
Research Engineer


#3
Cynthia

    New Member

  • Members
  • 20 posts
  • Gender:Female
  • Location:Sweden
Thanks for the reply, Fatdcuk!

From the posted guide link:

Quote

Symptoms of infection.
1)MBAM will not install or run if already installed.
Pasting in the replies from the author of ImgBurn.

Quote

MBAM scans the entire hdd just fine (well, it doesn't report any problems!)... it just doesn't find anything.

I'm sure the blacklisting they speak of is where the virus/malware prevents the program from loading - that is not what's happening here, or not for me anyway.
Some hours later:

Quote

oops, I have to correct myself. MBAM does now find the dodgy files when the virus is running and active on the machine.
Perhaps this 'evolution' version of the virus got into the definitions update of MBAM?

Thanks for the help - much appreciated! :P

#4
Fatdcuk

    Malware BBQ'er

  • Moderators
  • 18,863 posts
  • Gender:Male
  • Location:127.0.0.1
No problem, the defs were already in the DB as I took c/o them myself last Thursday ;)

The CLB driver is using a mix of DoS attacks against MBAM software (& others).

In some cases the main exes of the software are exited when loaded into memory; these are bypassed by renaming the tool's core executable to random name.exe.

The GAOPDX series saw them blocking our updater, so someone could install MBAM and appear to have no update available on install (= default install database only) + the software would run, albeit with the old DB.

The last 2, Kongsf and Skynet, both allow us to install, run and update, but they perform an attack against the software when it is parsing the database for the DDA attack.

In short, it is editing our database to remove its detection, hence why we appear not to see it.

Ever since we had a 100% hit rate on the first evolution of WinNT.Alureon (TDSS variant), the bad guys have been looking at ways to bypass our attack route on their malicious code.

It is an ongoing battle between us, but as I always say, if we nuke the CLB driver then MBAM will clean up the entrails 100%, as the driver can no longer attack or subvert our detection and removal routines.

hth
Ade Gill
Research Engineer
