3 replies to this topic

[Dogen]

Hi Ade,

Here is the requested file from the following thread:
http://www.malwarebytes.org/forums/index.p...amp;#entry67248

When I looked at my driver directory, I had 127 other files that all share the same date/timestamp as this file.

Attached Files

•  pznnpjkb.zip   20.22K   6 downloads

[Fatdcuk]

Hi ya and thanks for uploading,

The Timestamp is because the installer for the driver will have borrowed that information from a legitimate file inorder to blend in.

VirusTotal upload is'nt conclusive as is *new* driver but searching the MD5 hash of the file reveals it is a unique file(not seen before).
http://www.virustotal.com/analisis/9dc3435...129dc68d7e1e706
http://www.google.co.uk/search?sourceid=na...44482d01974705c

This is a tell-tell sign that all is not well as any legitimate Microsoft driver would be well documented.

MBAM will be updated in the next 24 hours to remove this Rootkit.Sentinel variant driver

[Dogen]

Fatdcuk, on Mar 25 2009, 08:59 PM, said:

VirusTotal upload is'nt conclusive as is *new* driver but searching the MD5 hash of the file reveals it is a unique file(not seen before).

Oh lucky me!

Quote

MBAM will be updated in the next 24 hours to remove this Rootkit.Sentinel variant driver

Awesome! Thanks so much Ade. I hope I'll be able to put an end to this nasty business. Should I report this to McAfee? According to them, I'm clean as a whistle.

[Fatdcuk]

Yeah it might pay to send them that Driver but i will say the problem with RootKit.Sentinel is that this restoration driver is constantly being tweaked and hence why everyone will be having great difficulty tracking new variants

Many thanks again for sharing your sample