Win32 Bubnix rootkit virus

The Win32/Bubnix virus has been given several different names—Bubnix Virus, Rootkit/Bubnix.A, Gen:Rootkit.Nixoa.1, TR/Rootkit.Gen, and W32/Rootkit.BNQN, to name a few—but whatever your security software calls it, it’s one of the worst botnet viruses on the web today, rivaling pests like Alureon.H and the Rimecud virus in its ability to spread from computer to computer.

The Bubnix virus is essentially a driver that hides its presence on your computer by preventing you from accessing its files or registry values. Once installed, it can download additional malware onto your hard drive, and it can even take over your email and send spam to the people on your contact list, which won’t earn you any friends.

Bubnix Virus May Be Rogue Anti-Spyware
Rogue anti-spyware refers to anti-spyware/antivirus software of questionable value. Rogue anti-spyware may not be proven to protect your computer from spyware, may pop up fake alerts or produce many false positives claiming your PC is infected, or may use scare tactics to get you to purchase the application. Rogue anti-spyware software may be installed by a Trojan, come bundled with other software, or install itself through web browser security holes. While it is fairly rare, some rogue anti-spyware is created and distributed by known spyware or adware companies, and the rogue anti-spyware may install spyware or adware itself.

Trojan win32 TDSS or Tidserv rootkit

Trojan TDSS Rootkit

TDSS, also known as Trojan Backdoor.Tidserv, is a trojan horse that represents a security risk for the infected computer. The trojan uses rootkit-specific techniques designed to hide its presence in the system, and it also blocks user access to security websites. Once running, the trojan displays fake security alerts telling you to install a rogue antispyware application to remove the infection. These alerts are fake and should be ignored!
Use the following instructions to remove the TDSSserv trojan (trojan Backdoor.Tidserv).

Step 1: Disable TDSSserv trojan driver.

Right-click the My Computer icon. If you are using the non-classic Start menu, right-click the My Computer icon in your Start menu instead.
Click Properties.
Click the Hardware tab.
Click Device Manager.
In the top menu, click View, then click Show Hidden Drivers.
Scroll down to Non-Plug and Play Drivers.
Click the + at the left.
In the list of drivers, right-click TDSSserv.sys.
Click Disable.
Click Yes to confirm.
Close all windows and reboot your computer.
Step 2: Delete TDSSserv trojan driver.

Download Avenger from here and unzip to your desktop.
Run Avenger, then copy and paste the following text into the Input script box:
Drivers to delete:
TDSSserv.sys

Then click ‘Execute’.

You will be asked “Are you sure you want to execute the current script?”. Click Yes.
You will then be asked “First step completed — The Avenger has been successfully set up to run on next boot. Reboot now?”. Click Yes.
Your PC will now be rebooted.


Step 3: Remove TDSSserv trojan files and any associated malware.

Rootkit win32 TDSS Tidserv malware trojan

How to remove malware belonging to the family Rootkit.Win32.TDSS
A rootkit is a program or a suite of programs designed to obscure the fact that a system has been compromised.

For Windows operating systems, the term rootkit stands for a program that infiltrates the system and hooks system functions (the Windows API). By hooking and modifying low-level API functions, such malware can effectively hide its presence in the system. Moreover, rootkits are as a rule able to conceal any processes, folders and files on disk, as well as registry keys, that are listed in their configuration. Many rootkits also install their own (likewise hidden) drivers and services into the system.
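The paragraph above describes the core rootkit trick (hooking the API so that one view of the system omits certain objects) and the core defensive answer to it is a cross-view comparison: read the same objects through two different paths and report what appears in only one. The script below is an added example, not code from the page or from TDSSKiller or Gmer. It compares service names "returned by the API" with service keys "read from the raw registry hive", and driver paths from those keys with "a directory listing"; all three views are constructed sample data, the TDSSserv ImagePath is a placeholder, and on a real host the views would come from the service-control API, an offline parse of the SYSTEM hive, and the file-system API respectively.

```python
"""Cross-view check for hidden services and driver files.

Added example, not code from the page or from any named tool. A rootkit that
hooks Windows API functions filters what the high-level enumeration returns,
but each hook only covers one view of the system. Comparing two views of the
same objects exposes objects that appear in one view only. All three views
below are CONSTRUCTED sample data.
"""
import ntpath
from typing import Dict, List, Set

# CONSTRUCTED: service names returned by the service-control API (hooked view).
API_SERVICES: List[str] = ["Dhcp", "Dnscache", "EventLog", "atapi", "disk"]

# CONSTRUCTED: service subkeys read from the raw SYSTEM hive (unhooked view).
# "TDSSserv" is the driver name used in the page's removal steps; its
# ImagePath is a placeholder, not a path the page states.
HIVE_SERVICES: Dict[str, Dict[str, str]] = {
    "Dhcp":     {"Type": "32", "ImagePath": r"C:\WINDOWS\system32\svchost.exe"},
    "Dnscache": {"Type": "32", "ImagePath": r"C:\WINDOWS\system32\svchost.exe"},
    "EventLog": {"Type": "32", "ImagePath": r"C:\WINDOWS\system32\services.exe"},
    "atapi":    {"Type": "1",  "ImagePath": r"system32\DRIVERS\atapi.sys"},
    "disk":     {"Type": "1",  "ImagePath": r"system32\DRIVERS\disk.sys"},
    "TDSSserv": {"Type": "1",  "ImagePath": r"system32\DRIVERS\TDSSserv.sys"},
}

# CONSTRUCTED: file names a directory listing of system32\DRIVERS returns.
DRIVER_DIR_LISTING: Set[str] = {"atapi.sys", "disk.sys", "ntfs.sys"}


def hidden_services(api_view: List[str],
                    hive_view: Dict[str, Dict[str, str]]) -> List[str]:
    """Service keys present in the hive but absent from the API listing.
    Names are compared case-insensitively, as Windows compares them."""
    visible = {name.lower() for name in api_view}
    return sorted(name for name in hive_view if name.lower() not in visible)


def hidden_driver_files(hive_view: Dict[str, Dict[str, str]],
                        dir_view: Set[str]) -> List[str]:
    """Kernel-driver image files (service Type 1) referenced by the hive but
    missing from the directory listing: a file hidden from the file-system API."""
    listed = {name.lower() for name in dir_view}
    missing = []
    for entry in hive_view.values():
        if entry.get("Type") != "1":
            continue                      # only kernel drivers live in DRIVERS\
        base = ntpath.basename(entry["ImagePath"])
        if base.lower() not in listed:
            missing.append(base)
    return sorted(missing)


def cross_view_report(api_view, hive_view, dir_view) -> List[str]:
    """Human-readable findings; a run with no findings reports agreement."""
    findings = [f"hidden service key : {n}"
                for n in hidden_services(api_view, hive_view)]
    findings += [f"hidden driver file : {f}"
                 for f in hidden_driver_files(hive_view, dir_view)]
    return findings or ["all views agree: no hidden objects"]


if __name__ == "__main__":
    for line in cross_view_report(API_SERVICES, HIVE_SERVICES, DRIVER_DIR_LISTING):
        print(line)
```

The comparison is deliberately case-insensitive because both the service database and NTFS treat names that way; a check that is stricter than the system it inspects produces false discrepancies.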

A system infected with malware of the family Rootkit.Win32.TDSS can be disinfected using the utility TDSSKiller.exe.

Disinfection of an infected system

Download the file TDSSKiller.zip and extract it into a folder on the infected (or potentially infected) PC.
Execute the file TDSSKiller.exe.
Wait for the scan and disinfection process to finish. You do not have to reboot the PC after the disinfection is complete.

When run without parameters, the utility will:

Scan the registry for hidden services. Services identified as belonging to TDSS are removed; for any other hidden service, the user is prompted whether to remove it. The services are actually removed upon reboot.

Scan system drivers for infection. If an infection is detected, the utility searches for an available backup copy of the infected file; if one is found, the file is restored from it, otherwise the utility attempts to disinfect the file.

By default, the utility writes its runtime log to the root directory of the system disk (the disk where the operating system is installed, usually C:\).
The log file name has the form UtilityName.Version_Date_Time_log.txt,
for example C:\TDSSKiller.2.2.0_20.12.2009_15.31.43_log.txt.
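The log naming pattern just described is exactly what a responder has to match when collecting evidence from a machine that has been scanned more than once. The script below is an added example, not the utility's own code; it parses names of the form UtilityName.Version_Date_Time_log.txt and picks the newest run. It assumes, from the page's sample name, that the date is day.month.year and the time is hour.minute.second (a month of 20 is impossible), and the directory listing it runs over is constructed.

```python
"""Parse and rank TDSSKiller-style log file names.

Added example, not the utility's own code. The page gives the naming pattern
UtilityName.Version_Date_Time_log.txt with the sample
TDSSKiller.2.2.0_20.12.2009_15.31.43_log.txt, so the date is taken as
day.month.year and the time as hour.minute.second. The directory listing
below is CONSTRUCTED; on a real host you would pass the entries of the
system disk root, where the utility writes by default.
"""
import re
from datetime import datetime
from typing import Dict, Iterable, Optional

LOG_NAME = re.compile(
    r"^(?P<utility>[A-Za-z0-9]+)\.(?P<version>\d+(?:\.\d+)*)_"
    r"(?P<day>\d{2})\.(?P<month>\d{2})\.(?P<year>\d{4})_"
    r"(?P<hour>\d{2})\.(?P<minute>\d{2})\.(?P<second>\d{2})_log\.txt$"
)


def parse_log_name(filename: str) -> Optional[Dict]:
    """Return {utility, version (tuple of ints), timestamp (datetime)} for a
    name matching the pattern, or None for any other file."""
    m = LOG_NAME.match(filename)
    if not m:
        return None
    try:
        stamp = datetime(int(m["year"]), int(m["month"]), int(m["day"]),
                         int(m["hour"]), int(m["minute"]), int(m["second"]))
    except ValueError:   # e.g. 31.02.2009: shaped like a log name, not a valid date
        return None
    return {
        "utility": m["utility"],
        "version": tuple(int(p) for p in m["version"].split(".")),
        "timestamp": stamp,
    }


def newest_log(filenames: Iterable[str], utility: str = "TDSSKiller") -> Optional[str]:
    """Pick the most recent log of the given utility, ignoring everything else
    in the directory. Ties on timestamp fall back to the higher version."""
    best_name, best_key = None, None
    for name in filenames:
        info = parse_log_name(name)
        if info is None or info["utility"] != utility:
            continue
        key = (info["timestamp"], info["version"])
        if best_key is None or key > best_key:
            best_name, best_key = name, key
    return best_name


# CONSTRUCTED listing of C:\ after several runs of the utility.
SYSTEM_ROOT_LISTING = [
    "boot.ini",
    "pagefile.sys",
    "TDSSKiller.2.1.0_19.12.2009_23.59.59_log.txt",
    "TDSSKiller.2.2.0_20.12.2009_15.31.43_log.txt",   # the page's example
    "TDSSKiller.2.2.0_21.12.2009_09.05.10_log.txt",
    "TDSSKiller.2.2.0_31.02.2009_09.05.10_log.txt",   # impossible date, skipped
]

if __name__ == "__main__":
    print(newest_log(SYSTEM_ROOT_LISTING))
```

Ranking by the parsed timestamp rather than by file modification time matters here: a rootkit that tampers with file metadata, or a disk image mounted with timestamps reset, would otherwise mislead the selection.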

When its work is done, the utility prompts for a reboot to complete the disinfection.
The driver will execute all scheduled operations and then remove itself upon the next system reboot.

Command line parameters to run the utility TDSSKiller.exe

-l – write log to a file.
-d – search for a specific malicious service name.

For example, if you want to scan the PC with a detailed log saved into the file report.txt (it will be created in the folder with TDSSKiller.exe), use the following command:

TDSSKiller.exe -l report.txt

Symptoms of an infection

Symptoms of infection with Rootkit.Win32.TDSS first and second generation (TDL1, TDL2)
Experienced users may check for hooks on the following kernel functions:

IofCallDriver;
IofCompleteRequest;
NtFlushInstructionCache;
NtEnumerateKey;
NtSaveKey;
NtSaveKeyEx.

These hooks can be inspected using the Gmer utility:

http://www.gmer.net/

Symptoms of infection with Rootkit.Win32.TDSS third generation (TDL3)

An infection can be detected with the Gmer utility, which reports the replacement of the “device” object belonging to the system driver atapi.sys.
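Both symptoms above (the TDL1/TDL2 hooks on the listed kernel functions, and the TDL3 replacement of the atapi.sys device object) reduce to one check that tools like Gmer perform: does a kernel pointer resolve into the module that should own it? A hooked IofCallDriver or NtEnumerateKey points somewhere other than ntoskrnl.exe, and a replaced device object leads to a driver object whose code does not lie inside atapi.sys. The script below is an added example, not Gmer's code or the page's; it applies that ownership test to a constructed snapshot of module ranges and pointer values. On a live system the addresses would come from a kernel debugger or a forensic memory image, and the module list from the loaded-module list of the same snapshot.

```python
"""Pointer-ownership check for kernel function hooks and device-object replacement.

Added example, not from the page or from Gmer. A rootkit hook makes a kernel
pointer (an exported routine's dispatch target, or the driver reached through
a device object) resolve to code outside the module that should own it. The
module table and pointer values below are CONSTRUCTED.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Module:
    name: str
    base: int
    size: int

    def contains(self, addr: int) -> bool:
        return self.base <= addr < self.base + self.size


def owner_of(addr: int, modules: List[Module]) -> Optional[str]:
    """Name of the loaded module whose image range covers addr, or None when
    no known module backs the address (code living in an unlisted allocation)."""
    for mod in modules:
        if mod.contains(addr):
            return mod.name
    return None


def find_hooked_functions(targets: Dict[str, int], modules: List[Module],
                          expected_owner: str = "ntoskrnl.exe"
                          ) -> List[Tuple[str, Optional[str]]]:
    """(function, actual owner) for every function whose current target does
    not lie inside expected_owner. An owner of None means unbacked memory."""
    suspicious = []
    for func, addr in targets.items():
        owner = owner_of(addr, modules)
        if owner != expected_owner:
            suspicious.append((func, owner))
    return suspicious


def device_object_is_replaced(driver_start: int, modules: List[Module],
                              expected_owner: str) -> bool:
    """TDL3-style check: the driver object reached through a device object
    should have its code (DriverStart) inside the driver that created it."""
    return owner_of(driver_start, modules) != expected_owner


# CONSTRUCTED module snapshot (base addresses and sizes are illustrative).
MODULES = [
    Module("ntoskrnl.exe", 0x80400000, 0x200000),
    Module("atapi.sys",    0xF8400000, 0x20000),
    Module("disk.sys",     0xF8600000, 0x8000),
]

# CONSTRUCTED current targets of the kernel functions the page lists.
KERNEL_FUNCTION_TARGETS = {
    "IofCallDriver":           0x80480010,
    "IofCompleteRequest":      0xF9A01230,  # no module covers this: hooked into hidden memory
    "NtFlushInstructionCache": 0x804A0000,
    "NtEnumerateKey":          0xF8412340,  # redirected into atapi.sys: not the kernel's own code
    "NtSaveKey":               0x804B1000,
    "NtSaveKeyEx":             0x804B1100,
}

# CONSTRUCTED DriverStart of the driver object reached through the atapi
# device object; a clean value would fall inside atapi.sys.
ATAPI_DEVICE_DRIVER_START = 0xF9A00000


if __name__ == "__main__":
    for func, owner in find_hooked_functions(KERNEL_FUNCTION_TARGETS, MODULES):
        print(f"{func}: target owned by {owner or '<no module>'}")
    if device_object_is_replaced(ATAPI_DEVICE_DRIVER_START, MODULES, "atapi.sys"):
        print("atapi.sys device object leads to a foreign driver object")
```

A pointer that lands in a legitimate but wrong module (here NtEnumerateKey into atapi.sys) is reported alongside one that lands in unbacked memory, because a rootkit may place its hook body inside a trusted driver's image to evade "unknown module" heuristics.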
