Posted by Kerry Brown on January 25, 2008, 6:57 pm
>
>
>> I recently saw the first system in several years where I couldn't
>> identify the malware that was installed and remove it. It was playing
>> tricks with the mbr among other things. It did initially look like a
>> vundo variant. It was not mebroot or if it was it has changed
>> considerably. Even overwriting the mbr then booting from a Linux CD to
>> inspect suspicious files I couldn't get rid of it. It would come back as
>> soon as explorer loaded in safe or normal mode. I'm guessing it infects
>> some system files as well as the mbr and the scanners I was using didn't
>> identify it yet. It is getting very nasty. I think that more and more the
>> solution will be backup the data then flatten the system. If the malware
>> starts attacking the factory restore partition then even that method of
>> cleaning a system will be beyond most people's abilities :-(
>>
>> --
>> Kerry Brown
>> Microsoft MVP - Shell/User
>> http://www.vistahelp.ca/phpBB2/
>>
>>
> Kerry
> Your reference to Mebroot rang a bell -
> This link to an article in a UK Comp Magazine may be of interest - unless
> of course you are already aware.
I haven't actually seen mebroot but I've read quite a bit about it. This was
a three-pronged infection that appeared to use the same method as mebroot
(altering the mbr) as one of its infections. From what I have read about
mebroot it was not mebroot but some other malware that used a similar method
to hide. This was actually a very common method for viruses to spread back
when floppy disks were used more.
--
Kerry Brown
Microsoft MVP - Shell/User
http://www.vistahelp.ca/phpBB2/
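One check a defender can run on the first sector read from a Linux live CD, as an added example that is not code from the thread: parse the 512-byte MBR, validate the 0x55AA signature and partition table, and compare the boot-code hash against a known-good baseline. The sample MBR images here are constructed inline; a real baseline would come from the same machine before infection or from the vendor's restore media.

```python
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 446          # bytes 0..445 hold the boot code
SIGNATURE = b"\x55\xaa"      # bytes 510..511 hold the boot signature
# Partition entry: status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sectors(4)
ENTRY_FMT = "<B3xB3xII"

def parse_mbr(data: bytes) -> dict:
    """Parse a raw 512-byte MBR image into boot-code hash, partitions and signature check."""
    if len(data) != MBR_SIZE:
        raise ValueError("MBR image must be exactly 512 bytes")
    partitions = []
    for i in range(4):
        off = BOOT_CODE_LEN + 16 * i
        status, ptype, lba_start, sectors = struct.unpack(ENTRY_FMT, data[off:off + 16])
        if ptype != 0:  # type 0 means an empty slot
            partitions.append({"index": i, "bootable": status == 0x80, "type": ptype,
                               "lba_start": lba_start, "sectors": sectors})
    return {"boot_code_sha256": hashlib.sha256(data[:BOOT_CODE_LEN]).hexdigest(),
            "partitions": partitions,
            "signature_ok": data[510:512] == SIGNATURE}

def compare_to_baseline(current: dict, baseline: dict) -> list:
    """Return a list of findings where the current MBR deviates from a known-good one."""
    findings = []
    if not current["signature_ok"]:
        findings.append("boot signature 0x55AA missing")
    if current["boot_code_sha256"] != baseline["boot_code_sha256"]:
        findings.append("boot code differs from baseline")
    if current["partitions"] != baseline["partitions"]:
        findings.append("partition table differs from baseline")
    return findings

def build_sample_mbr(boot_code: bytes) -> bytes:
    """Construct a synthetic MBR (test data only): given boot code, one NTFS partition, valid signature."""
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN]
    entry = struct.pack(ENTRY_FMT, 0x80, 0x07, 2048, 204800)  # bootable, type 7 (NTFS)
    return code + entry + b"\x00" * 48 + SIGNATURE

if __name__ == "__main__":
    # Constructed clean image vs. an image whose boot code was replaced
    baseline = parse_mbr(build_sample_mbr(b"\xfa\x33\xc0"))
    suspect = parse_mbr(build_sample_mbr(b"\xeb\x58\x90"))
    print(compare_to_baseline(suspect, baseline))
```

On a live system the input would be the first 512 bytes of the disk device (for example `dd if=/dev/sda bs=512 count=1` from the rescue CD), and the baseline hash must be stored off the suspect machine.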