MBR malware on the return

YeOldeStonecat

Been reading that rootkits and other malware are returning to approaches common back in the DOS and Win9X days...infecting the MBR. Got a rig in yesterday that Eset keeps flagging with the "Jumper.B MBR" virus.

Oh such joy to see these return. :rolleyes:
 
I had a few of these a couple weeks ago. Like 3 of them in 2 days. It was really a PITA until I realized what was going on. I hadn't seen an MBR virus since floppies were commonplace.
 
Yeah..exactly...such a blast from the past! The old "fdisk /mbr" was used all the time back then. Luckily the more contemporary counterpart took this one out, fixmbr.
 
Yeah, fixmbr took all of them out without a problem, once I finally consented to the fact that I really wasn't crazy and it really was an MBR virus.
 
Yup, TDSSKILL from Kaspersky has been helpful and ComboFix at removing the infection. And fixmbr too.
 
Viruses keep us all employed! Wonder if these Untangle / Astaro units are stopping these viruses / rootkits.
 
I do have far less malware issues at clients that I have behind Untangle, compared to those behind regular NAT firewalls. All other things are fairly equal too, they all run Eset, I keep Windows updates 'n java 'n flash etc updated, my usual setup. So it's a fairly good example of UTMs being effective. And in many of the cases where someone that is behind Untangle does get bit by malware, it seems to not get as effective of a hold on their system, thus easier to clean. Probably because, even though the initial payload slipped through Untangle, when the thumb install for the malware turns around to download the "rest of the payload"...Untangle probably kicks in and blocks much of that.
 
Yea, I believe we are seeing this coming in now. We have a few machines that are exhibiting the same symptoms. Guess hackers are getting bored these days.
 
Do we have any names for these yet? We want to try and find the virus before wiping so we can put a name on it and find how it is spreading.
 
The one I had when I made this post was Jumper.B...ID'd by Eset as mentioned initially.
Today my colleague ran into a rogue variant called "Security Essentials 11"...sorta named after MSE. The usual gold/blue shield in the quick launch bar like many rogue variants of a certain family are, but it was MBR'd, and the old fixmbr did it.
 
Here's another fun bit of damage...took me a long time to find out the fix. You can't connect to the internet, network connection looks solid, but you go to look at the details of your connection (like an IPCONFIG)...nothing at all, nada, not even 0.0.0.0..the OS cannot query TCP/IP. WinXP. So I run winsock repair tool..no luck. I uninstall the NIC, reinstall...no luck. I manually run a tcp/winsock repair with netsh commands..and even remove the winsock entries from the registry...no luck. I even edit the nettcpip.inf file so I can uninstall TCP/IP protocol, reboot, reinstall the protocol...no luck.

I do a scan for tcpip.sys file....nothing but the backup files 'n dllcache..nothing in windows\system32\drivers like it should have been. ARGGG! Copy it back from one of the latest SP3 update backup directories...all set!
 
We are noticing with a few machines we are getting in, that TCP is taking a dump as well. I am waiting for a machine coming in that sounds exactly like the network problem you are having, thanks for the heads up!
 
Thanks for the heads up, luckily most of the infections we get at my department are just fake AV, lol.
 
I have been reading up that the fake AV can lead to the MBR. We have been trying tirelessly to detect the MBR virus, but most of the tools we have need to be loaded on the OS, and this bugger will not allow us to log in. We tried a repair today, was able to get in the OS on first boot, restarted and it reinfected the kernel so we could not get in again. We don't want to wipe the virus out yet, we want to find what it is first, how it spreads, etc. before wiping it.
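The post above wants to inspect the MBR without booting the infected OS. As an added example (not from this thread or any of the tools named in it), here is an offline check over a 512-byte sector dumped from a boot CD or another machine: it validates the 0x55AA signature, parses the partition table, and compares a SHA-256 of the 446 bytes of boot code against a baseline hash you recorded while the machine was clean. The sample sector and the boot-code bytes are constructed for the demo.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 446           # bytes 0..445 hold the executable boot code
PART_TABLE_OFF = 446          # four 16-byte partition entries follow
BOOT_SIGNATURE = b"\x55\xaa"  # bytes 510..511

def parse_partitions(mbr):
    """Return the non-empty entries of the MBR partition table."""
    parts = []
    for i in range(4):
        entry = mbr[PART_TABLE_OFF + 16 * i: PART_TABLE_OFF + 16 * (i + 1)]
        # status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count
        status, ptype, lba_start, sectors = struct.unpack("<B3xB3xII", entry)
        if ptype != 0:
            parts.append({"index": i, "bootable": status == 0x80, "type": ptype,
                          "lba_start": lba_start, "sectors": sectors})
    return parts

def check_mbr(mbr, baseline_boot_hash):
    """Return a list of findings; an empty list means the sector looks clean."""
    findings = []
    if len(mbr) != SECTOR_SIZE:
        return ["sector is not 512 bytes"]
    if mbr[510:512] != BOOT_SIGNATURE:
        findings.append("missing 0x55AA boot signature")
    if hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest() != baseline_boot_hash:
        findings.append("boot code differs from baseline (possible MBR infection)")
    parts = parse_partitions(mbr)
    if sum(p["bootable"] for p in parts) != 1:
        findings.append("expected exactly one active partition")
    for p in parts:
        if p["lba_start"] == 0 or p["sectors"] == 0:
            findings.append(f"partition {p['index']} has zero start or length")
    return findings

def build_sample_mbr(boot_code):
    """Constructed sample sector: one bootable NTFS (type 0x07) partition."""
    mbr = bytearray(SECTOR_SIZE)
    mbr[:len(boot_code)] = boot_code
    entry = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07, b"\xfe\xff\xff", 63, 2097152)
    mbr[PART_TABLE_OFF:PART_TABLE_OFF + 16] = entry
    mbr[510:512] = BOOT_SIGNATURE
    return bytes(mbr)

CLEAN = build_sample_mbr(b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c")   # constructed stub
BASELINE_HASH = hashlib.sha256(CLEAN[:BOOT_CODE_LEN]).hexdigest()
INFECTED = build_sample_mbr(b"\xeb\xfe" + b"\x90" * 6)          # simulated: boot code swapped

if __name__ == "__main__":
    print("clean:", check_mbr(CLEAN, BASELINE_HASH))
    print("infected:", check_mbr(INFECTED, BASELINE_HASH))
```

On a real case, feed `check_mbr` the first 512 bytes read from the disk under a clean boot environment; the partition table is expected to survive an infection of this kind, so a hash mismatch on the boot code alone is the usual signal.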
 
Over 15 years ago when I was at tech college learning networking we had a lab installing dos on a pc among other things. Damn pc kept acting up after DOS was loaded. Turned out the disks had Monkey B boot sector virus on the disks. D'OH!

A few years later at work I was going through some old floppy disks which were used for installing NOS on pc's before I came to work there. They weren't used anymore, but when I put one in a pc the Michelangelo virus was detected on the disk. I thought that was kind of cool in a way because while it wasn't the first virus it was the one that really made the world aware of viruses.
 