Amazing New exploit

#1 larrybolton (New Member, 1 posts)

Hi, I've been a tech for 20 years but I've never seen any sort of malware like this and I was wondering if anyone has heard of it or has any experience...

In Windows 7, the exploit appears to be a trojan that literally uninstalls and replaces all program files, services, registry etc. After gutting the system, it replaces the files with an entirely new OS that operates as a remotely controlled 'Virtual server' using a modified version of "Windows Virtual PC" system that apparently sends spam and logs all personal information. Many of these replacement files come from a website called: www.w3.org

The virtual OS environment is very complete and detailed... I was fooled for quite a while until I realized that even my Google Chrome browser was 'sandboxed'.

Since "Windows" isn't "Windows" anymore, there's no way to run a software tool to remove an infection; the whole OS IS the infection...

I made the mistake of copying this thing using a file manager booted up using Hirens. I transferred the copy to a clean offline old XP machine that I use for analysis and it must have had some sort of 'auto-run' feature that stays active because it re-configured that machine in under 5 minutes. It even created an odd hidden FAT partition to store its core files.

I can't run conventional tools on this thing because it's 'virtual' and it basically decides what it wants to run, and unless I boot from a bootdisk I have yet to understand how to shut down the virtual layer.

I've never seen anything this involved before and I haven't been able to find anything on the net about it... Any ideas?

Thanks LB


  • 0

#2 RKinner (Malware Expert, MVP, 20,025 posts)

We had ZeroAccess a few years ago that created its own partition and modified the MBR. Sounds like this is taking it one step farther. I haven't seen ZA recently so I guess they have been developing a new version. Can you run a FRST scan from a USB drive?

http://www.geekstogo...l/#entry2151691

Can you use Hirens to get a copy of the MBR, zip it up and attach it to a reply?


  • 0
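The reply above asks for a raw copy of the MBR, and the original post mentions an unexpected hidden FAT partition. As an added example that is not part of this thread and not a tool either poster recommends, here is a small Python triage parser for a 512-byte MBR dump: it hashes the boot-code region (so a dump can be compared against a known-good image or shared without attaching the sector itself), walks the four partition-table entries, and flags the things a malware analyst would look for first: a missing 0x55AA signature, more than one active partition, overlapping entries, and partition type IDs from the conventional "hidden" range. The sample sector is constructed in `build_sample_mbr()` and is not a capture from anyone's machine; `parse_mbr_file()` is the hypothetical entry point for a real dump saved from a rescue boot.

```python
import hashlib
import struct

SECTOR_SIZE = 512
TABLE_OFFSET = 446          # partition table starts after the boot code
ENTRY_SIZE = 16
BOOT_SIGNATURE = b"\x55\xaa"

# Subset of the conventional MBR partition type IDs; the "hidden" variants are the
# ones worth a second look when a machine grows a partition nobody created.
PARTITION_TYPES = {
    0x00: "empty",
    0x06: "FAT16",
    0x07: "NTFS/exFAT",
    0x0B: "FAT32 (CHS)",
    0x0C: "FAT32 (LBA)",
    0x16: "hidden FAT16",
    0x17: "hidden NTFS",
    0x1B: "hidden FAT32 (CHS)",
    0x1C: "hidden FAT32 (LBA)",
}
HIDDEN_TYPES = {0x16, 0x17, 0x1B, 0x1C}


def parse_mbr(mbr: bytes) -> dict:
    """Parse one 512-byte MBR sector into boot-code hash, partition list and warnings."""
    if len(mbr) != SECTOR_SIZE:
        raise ValueError(f"expected {SECTOR_SIZE} bytes, got {len(mbr)}")
    partitions = []
    for i in range(4):
        off = TABLE_OFFSET + i * ENTRY_SIZE
        # status(1) chs_start(3) type(1) chs_end(3) lba_start(4) sector_count(4)
        status, _chs_start, ptype, _chs_end, lba_start, sectors = struct.unpack(
            "<B3sB3sII", mbr[off:off + ENTRY_SIZE])
        if ptype == 0x00:
            continue  # unused slot
        partitions.append({
            "index": i,
            "bootable": status == 0x80,
            "type": ptype,
            "type_name": PARTITION_TYPES.get(ptype, "unknown"),
            "hidden": ptype in HIDDEN_TYPES,
            "lba_start": lba_start,
            "lba_end": lba_start + sectors - 1,
            "sectors": sectors,
        })
    signature_ok = mbr[510:512] == BOOT_SIGNATURE
    warnings = []
    if not signature_ok:
        warnings.append("boot signature 0x55AA missing: sector is not a valid MBR")
    if sum(p["bootable"] for p in partitions) > 1:
        warnings.append("more than one partition flagged active")
    for p in partitions:
        if p["hidden"]:
            warnings.append(f"entry {p['index']}: hidden partition type 0x{p['type']:02X}")
    # Overlap check: order by start sector and compare each entry with its predecessor.
    ordered = sorted(partitions, key=lambda p: p["lba_start"])
    for a, b in zip(ordered, ordered[1:]):
        if b["lba_start"] <= a["lba_end"]:
            warnings.append(f"entries {a['index']} and {b['index']} overlap")
    return {
        "boot_code_sha256": hashlib.sha256(mbr[:TABLE_OFFSET]).hexdigest(),
        "signature_ok": signature_ok,
        "partitions": partitions,
        "warnings": warnings,
    }


def build_sample_mbr() -> bytes:
    """Constructed sample (not a real capture): one active NTFS volume plus a hidden FAT32 one."""
    sector = bytearray(SECTOR_SIZE)
    sector[:8] = b"SAMPLEBC"  # stand-in for real boot code
    entries = [
        (0x80, 0x07, 2048, 204800),    # active NTFS starting at sector 2048
        (0x00, 0x1B, 206848, 65536),   # hidden FAT32 immediately after it
    ]
    for i, (status, ptype, lba_start, sectors) in enumerate(entries):
        off = TABLE_OFFSET + i * ENTRY_SIZE
        sector[off:off + ENTRY_SIZE] = struct.pack(
            "<B3sB3sII", status, b"\xff\xff\xff", ptype, b"\xff\xff\xff", lba_start, sectors)
    sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)


def parse_mbr_file(path: str) -> dict:
    """Hypothetical helper: parse the first sector of a raw dump saved from a rescue boot."""
    with open(path, "rb") as f:
        return parse_mbr(f.read(SECTOR_SIZE))


if __name__ == "__main__":
    report = parse_mbr(build_sample_mbr())
    print("boot code sha256:", report["boot_code_sha256"])
    for p in report["partitions"]:
        flags = (" [active]" if p["bootable"] else "") + (" [HIDDEN]" if p["hidden"] else "")
        print(f"  #{p['index']} {p['type_name']:<20} LBA {p['lba_start']}-{p['lba_end']}{flags}")
    for w in report["warnings"]:
        print("  warning:", w)
```

Run it as-is to see the constructed sample reported with one hidden-partition warning; on a real dump call `parse_mbr_file("mbr.bin")`. The boot-code hash is the useful artefact to post in a thread like this one: it identifies the bootstrap code without anyone having to handle the sector itself, and a second dump taken after cleaning should hash to a known-good value.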