Malware modifying NTFS permissions

Hello All,
I have noticed a bunch of cases where malware modifies NTFS file permissions to prevent deletion (by conventional methods; I am not referring to booting from a BartPE CD or deleting files by adding the drive as a slave).
A few names:
Win32/Kvol.H (CA)
Trojan:Win32/Boaxxe.B (MS OneCare)
Trojan-Downloader.Win32.Delf.dbo (Kaspersky)
They definitely look like rootkit-type infections.
Has anyone come across samples? It looks like the DLLs use random file names, like:
C:\windows\system32\ati2edx.dll
C:\WINDOWS\system32\dx8v.dll
Any insights on this would be helpful.
Thanks
Prasad

Sentinel

These are Trojan Sentinel as I know them; they are guarded by a driver, as seen in the SWI post here.
http://forums.spywareinfo.com/index.php?showtopic=107575

C:\WINDOWS\system32\ati2edx.dll
C:\WINDOWS\system32\drivers\fyvzqzyv.dat
C:\WINDOWS\system32\drivers\xdchxqio.dat

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

-------\LEGACY_YIMEBAUZ
-------\yimebauz

Unloading the driver can be a bit tricky, but once it's removed you can easily fix the BHO file.

I have live samples of such on a live test machine and will attempt to retrieve them without damage.

EDIT:

I think I have retrieved everything you need. Where shall I send it, or should I just upload it here?
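The two posts above describe the same pattern from both ends: files dropped under system32 whose NTFS ACLs have been rewritten so conventional deletion fails, and a kernel driver that guards them. The script below is an added example written for this thread, not code from any poster or from the malware: it enumerates files in the directories named above whose DACL carries an explicit Deny ACE or has inheritance switched off, lists the registered kernel drivers with their image path and signature status so a guard driver can be spotted, and, on request, resets the ACL of files that carry Deny ACEs with the built-in takeown and icacls tools. The directory list, the Deny-ACE heuristic and the reset procedure are assumptions, not something the thread specifies.

```powershell
# Added example for this thread (not from any poster). Run elevated.
# Assumptions: the malware's signature is an explicit Deny ACE on its own
# files; the directories below are the ones named in the thread.
param(
    [string[]]$Paths = @("$env:SystemRoot\System32", "$env:SystemRoot\System32\drivers"),
    [switch]$Fix
)

function Find-SuspiciousAcl {
    # Report files with explicit Deny ACEs or a protected (non-inheriting) DACL.
    param([string[]]$Dirs)
    foreach ($dir in $Dirs) {
        Get-ChildItem -LiteralPath $dir -File -ErrorAction SilentlyContinue | ForEach-Object {
            $file = $_
            try { $acl = Get-Acl -LiteralPath $file.FullName } catch { return }
            $deny = @($acl.Access | Where-Object { $_.AccessControlType -eq 'Deny' })
            if ($deny.Count -gt 0 -or $acl.AreAccessRulesProtected) {
                [pscustomobject]@{
                    Path      = $file.FullName
                    Owner     = $acl.Owner
                    Protected = $acl.AreAccessRulesProtected
                    DenyAces  = ($deny | ForEach-Object { "$($_.IdentityReference):$($_.FileSystemRights)" }) -join '; '
                }
            }
        }
    }
}

function Get-KernelDriverInventory {
    # Kernel drivers (Type 1) from the Services key: name, image path, whether the
    # image still exists on disk, and its Authenticode status. A guard driver whose
    # image was deleted after load (as reported later in this thread) shows up as
    # Exists = False; a random-looking name with an unsigned image is a second clue.
    $svcRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services'
    Get-ChildItem $svcRoot -ErrorAction SilentlyContinue | ForEach-Object {
        $p = Get-ItemProperty $_.PSPath -ErrorAction SilentlyContinue
        if ($p.Type -ne 1 -or -not $p.ImagePath) { return }
        # ImagePath may be relative ("system32\drivers\x.sys") or \SystemRoot\-prefixed.
        $img = $p.ImagePath -replace '^\\SystemRoot\\', "$env:SystemRoot\" -replace '^\\\?\?\\', ''
        if ($img -notmatch '^[A-Za-z]:\\') { $img = Join-Path $env:SystemRoot $img }
        $exists = Test-Path -LiteralPath $img
        $sig = if ($exists) { (Get-AuthenticodeSignature -FilePath $img).Status } else { 'n/a' }
        [pscustomobject]@{ Service = $_.PSChildName; ImagePath = $img; Exists = $exists; Signature = $sig }
    }
}

function Reset-FileAcl {
    # Take ownership first: a malware-set owner/DACL can deny even Administrators
    # WRITE_DAC. icacls /reset re-enables inheritance and drops explicit ACEs.
    param([string]$Path)
    & takeown.exe /F $Path | Out-Null
    & icacls.exe $Path /reset | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "icacls /reset failed (exit $LASTEXITCODE)" }
}

$hits = @(Find-SuspiciousAcl -Dirs $Paths)
"== Files with Deny ACEs or protected DACLs =="
$hits | Format-Table -AutoSize
"== Kernel drivers (check Exists=False or unsigned images with random names) =="
Get-KernelDriverInventory | Sort-Object Exists, Signature | Format-Table -AutoSize

if ($Fix) {
    # Only touch files that carry Deny ACEs; a protected DACL alone is normal
    # for many legitimate system files on Vista and later.
    foreach ($h in ($hits | Where-Object { $_.DenyAces })) {
        try { Reset-FileAcl -Path $h.Path; "reset $($h.Path)" }
        catch { Write-Warning "could not reset $($h.Path): $_ (guard driver still loaded?)" }
    }
}
```

Two caveats a practitioner should keep in mind. First, while the guard driver is loaded, takeown and icacls will typically fail with access denied no matter what the DACL says; the reset only works after the driver's service (the Services and Enum\Root\LEGACY_* keys seen in the reply above) has been disabled and the machine rebooted, or from offline media as the original question notes. Second, icacls ships with Vista and later (and XP only via a hotfix); on a stock XP system substitute cacls, and never run the reset indiscriminately over protected-but-legitimate system files.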

you can send it to

you can send it to prasad-dot-addepalli-at-gmail-dot-com
zip them up..

I have not received anything. Did you send it?

Rejected Email

Rejected email. I had not checked in with this account for a week due to internet issues.

I'll have to re-sort the package if I can find it again. :)

I sent you the links to allow this infection to load at the other site where you made your request. Had I known you were after just the files, I would have pointed you to them at that time.

Allow me a little time to recollect the files, since I'm sure there are a few updated versions running around now.

Gmail just isn't going to do, and I wouldn't know how to upload anything here so you could find it.

Here is the installer for the infection i described above.

scarddlg.com/bin/2051/installer.exe

The driver files seem to be

The driver files seem to be deleted after the infection is loaded.
Thanks for the source, though. Let me see if it holds on the site till I get my hands on it.

Sentinel

If you would, could you simply upload them here? I have had several clients bitten by this, but they let their security apps dispose of most of the samples.

It would be great to get the installer of this pestilence, as it wreaks total havoc on NTFS file permissions, and I like nothing better than to follow its footprints through its dance.

Thanks