MBAM wont install or will not run.(TDL2 Rootkit-WinNT.Alureon)



#1 Fatdcuk (Moderators)

Posted 16 March 2009 - 11:52 AM

Hi all,

I have decided to spend some time and create self-help articles for known malware that blocks MBAM from doing what it does best.

The problem is occurring because, as we get better and more effective at cleaning infected computers, the bad guys single the effective tools out for special treatment so their creations can survive B)

So first off, the most prolific culprit currently as seen in our help forums!

TDL2 Rootkit infection aka WinNT-Alureon

Unremovable files with the following prefixes denote its presence upon an infected computer.
TDSS
Seneka
GAOPDX
UAC
ovsft
kungsf
Skynet
MSIVX
hjgrui
wzszx
ESQUL
geyekr
vsfoce
H8SRT
4DW4R3
_VOID
PRAGMA

Some of the symptoms of the infection that may be seen to be occurring:
1) MBAM will not install, or will not run if already installed.
2) Other security tools also will not install, or will not run if already installed.
3) Some installed security software that is still able to run is no longer able to update.
4) Some well-known security/vendor sites are inaccessible as they are being blocked.
5) MBAM or other tools keep detecting file(s) or registry keys but fail to permanently remove them.
6) Hijacked search results.

In order to get the MBAM to operate to its full potential the rootkit driver at the heart of the infection has to be located and nuked.

No small feat when it is intentionally being hidden by design and not viewable by traditional method/tools but it can be done :)

Here is my quick-fix guide to locating, identifying and killing the TDL2 driver (.sys) file that is underpinning the infection and blocking the cleanup tools from running.

Download the following tool and only use as directed!
Download here

Install RootRepeal and select *Files* then scan only.

Posted Image

When the scan has completed there will be a list of files generated. Some will be OK (legitimate files) but some will be related to the Rootkit and its hidden payload of files.

Posted Image

You will need to identify which one is the TDL2 driver only, and here's how.

This is not as difficult as it appears because it will be one of the files listed with a .sys extension.

It will also carry one of the following prefixes in its filename: prefix + random letters + .sys extension.

TDSS
Seneka
GAOPDX
UAC
ovfst
kungsf
SKYNET
MSIVX
hjgrui
wzszx
ESQUL
geyekr
vsfoce
H8SRT
4DW4R3
_VOID
PRAGMA

*Letters can appear in either upper case or lower case.

**The number of random letters varies, so it could be only a couple or up to 32, which has been seen so far.

***In my screenshot it is the file UACewsflctd.sys that is the Rootkit driver.

UAC prefix + random characters (in this case ewsflctd) + .sys extension.

Since there is a level of randomization in the file naming protocol there are many permutations of how the file will be named, and the list will be exhaustive.

But here are some examples so hopefully you can see the pattern forming.

TDSSspax.sys
TDSSServ.sys
GAOPDXserv.sys
gaopdxohocrlokojvgccmieiquramguxlachqk.sys
UACmxegjtve.sys
UACd.sys
Senekarstpqyy.sys
ovfsthxkwpjtxfk.sys
kungsfxwrtceey.sys
SKYNEToyfjtpeo.sys
MSIVXwfjwbpbivasavbfjmtkibegxvnftiqxt.sys
hjgruisaroylnf.sys
wzszxthydgteuirn.sys
ESQULoqkqcemwasjmlqahydcgqxywwvhtxpbx.sys
geyekrhfgdvswdstsak.sys
vsfocebhwohxcl.sys
H8SRTyahsarpwrd.sys
4DW4R34DW4R3NtISsUJPOt.sys
_VOIDgfhdytduy.sys
PRAGMAd.sys
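The naming pattern described above (known prefix + random letters + .sys, in any letter case), as an added Python example that is not part of Fatdcuk's post: it sorts a RootRepeal-style file listing into likely TDL2 driver candidates, other prefixed (payload) files and unrelated files. The prefix list is the one from the post; the sample paths are constructed for illustration.

```python
import re
from pathlib import PureWindowsPath

# Prefixes listed in the post; matching is case-insensitive.
TDL2_PREFIXES = ["TDSS", "Seneka", "GAOPDX", "UAC", "ovfst", "kungsf", "SKYNET",
                 "MSIVX", "hjgrui", "wzszx", "ESQUL", "geyekr", "vsfoce",
                 "H8SRT", "4DW4R3", "_VOID", "PRAGMA"]

# Longest prefixes first so the alternation never stops short of a longer match.
_ALT = "|".join(re.escape(p) for p in sorted(TDL2_PREFIXES, key=len, reverse=True))

# prefix + one or more "random" letters/digits + an extension
_NAME_RE = re.compile(
    rf"^(?P<prefix>{_ALT})(?P<random>[A-Za-z0-9]+)\.(?P<ext>[A-Za-z0-9]+)$",
    re.IGNORECASE,
)


def classify(path):
    """'driver' for a prefixed .sys file (the one to wipe), 'payload' for a
    prefixed file with another extension, 'unrelated' for everything else."""
    name = PureWindowsPath(path).name  # works for both full paths and bare names
    m = _NAME_RE.match(name)
    if m is None:
        return "unrelated"
    return "driver" if m.group("ext").lower() == "sys" else "payload"


def triage(paths):
    """Group a Files-scan listing; on a TDL2 infection 'driver' should normally
    hold exactly one entry, which is the file to wipe before rebooting."""
    groups = {"driver": [], "payload": [], "unrelated": []}
    for p in paths:
        groups[classify(p)].append(p)
    return groups


# Constructed sample listing (illustrative paths, not taken from a real scan).
SAMPLE_SCAN = [
    r"C:\WINDOWS\system32\drivers\UACewsflctd.sys",  # the rootkit driver
    r"C:\WINDOWS\system32\UACewsflctd.dll",          # hidden payload, same prefix
    r"C:\WINDOWS\system32\UACewsflctd.dat",          # hidden payload, same prefix
    r"C:\WINDOWS\system32\drivers\atapi.sys",        # legitimate Windows driver
    r"C:\WINDOWS\system32\drivers\ntfs.sys",         # legitimate Windows driver
]

if __name__ == "__main__":
    for group, files in triage(SAMPLE_SCAN).items():
        print(group, files)
```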

Once you have identified the TDL2 driver, use your mouse to highlight it in the RootRepeal window after the *Files* scan.
Next, right-click on it and select the *wipe file* option only, then immediately reboot the computer!!!!

You will only need to attack the TDL2 driver, as the rest, once no longer protected, are easy pickings for MBAM :)

Next install and update MBAM and run a quick scan!

Allow it to delete what it detects and reboot immediately.

If you are not 100% confident in identifying the TDL2 driver then feel free to use RootRepeal to generate an output log** and post it to a new topic in our HJT help forums.
http://www.malwareby...php?showforum=7

**To do this, go to the Report tab, then select Scan.
Configure as below, and when the report (.txt file) is generated, copy and paste the contents of the text file into a new topic and title it CLB driver infection.

Posted Image

We hope our application has helped you eradicate this malicious Malware.
If your current anti-virus solution let this infection through please consider purchasing the PRO version of Malwarebytes' Anti-Malware for additional protection against these types of malware.
Ade Gill
Research Engineer
