Avast doesn't detect win32/mebroot.h trojan

Hi all,
I used my pendrive in a PC with another antivirus and it detected the win32/mebroot.h trojan. Is it an MBR trojan (?). Why did Avast not detect it?

Thanks \o

Difficult to say… but is it detected within a file or just in the MBR?
Maybe you don’t have a file to send to avast for analysis…

Hi Tech,

Just MBR.

Reading other forums I saw a possible solution using mbr.exe from http://www.gmer.net. But on my computer it doesn’t work. Could I send a file using mbr.exe?

Stealth MBR rootkit detector 0.2.4 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK
malicious code @ sector 0x12a14c00 size 0x194 !

Thanks \o

Hi, I am going to reinstall Windows.

Thanks \o

GMER now belongs to Alwil, the same as avast.
I don’t think mbr.exe will send/collect any information.

There are some ways to fix the MBR before reinstalling Windows… :slight_smile:

:slight_smile:

Well, how can I do that? I have used fixmbr from the “recuperation console” (Recovery Console), but mbr.exe shows the same message:
Stealth MBR rootkit detector 0.2.4 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK
malicious code @ sector 0x12a14c00 size 0x194 !

One way to do so. Even following this way, can’t you boot?
Why do you think that now your MBR is corrupt?

Because mbr.exe is showing the message: malicious code @ sector 0x12a14c00 size 0x194 !

\o

Google gives some interesting threads on your hits

http://www.wilderssecurity.com/archive/index.php/t-211133.html

Using gmer.exe (mbr.exe) version 1.0 I copied these sectors to a file, and while it was writing it, Avast antivirus detected it as Win32:MBRoot-B [Rtk] !! :slight_smile:

Thanks wyrmrider \o

I am going to use fixboot as they say at http://www.wilderssecurity.com/archive/index.php/t-211133.html

It doesn’t work! The bad bug doesn’t want to go… :frowning:

There is a boot fix on the ANTIVIR website under “programs”,
no idea if it is any different.
Did you try the “scan on boot” option with Avast?
Perhaps someone with experience with this baddie will show up Monday.
Did you get the file copied?
If so, submit it to “Virus Total” and to Avast.

Here is the scan with VirusTotal.

http://www.virustotal.com/en/analisis/223a5f1a6ff39449f1095aebb695c0b7

Someone much older and wiser than I may have an answer coming,
but the next thing I would do would be to post in the Virus and Worms Forum (scroll down)
and give a link to this thread.
You might ask, since this is a trojan, if you should be in an antimalware forum.

Sunbelt found it,
so a download and scan with the Counterspy free trial and a post in the Sunbelt forum might work if nothing else pops up here.
Also Trojan Hunter is worth a shot,
and A-squared, but watch for FP’s on ALL of these.

A lot of scanners like DrWeb and Kaspersky, which is usually good with trojans, did not give hits.
Is there still a DOS boot scanner around?
AVG used to have one.
*puts thinking cap on*

I am concerned about the .gen which usually means a heuristic hit and not a proven positive
wadda you think?

Ooops, sorry :confused:

meck: what is your Avast version number?

Maxx_original: 4.8.1201

Avast is not using heuristic analysis. It uses its definition database for both the on-demand scanner and the resident scanner. So the file detected is the same match in their definitions.

meck: the MBR itself seems to be clean (at least according to the mbr.exe output you posted).
Sector 0x12a14c00 may contain some shyte but it shouldn’t get activated.

Seems like somebody already tried to disinfect the MBR rootkit, and wasn’t quite thorough…

Anyway, are you saying the system doesn’t boot?
Also, what does this have to do with a pen drive? ???

Cheers
Vlk
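The user-vs-kernel MBR comparison that mbr.exe reports above ("user & kernel MBR OK"), as an added Python example that is not part of this thread or of GMER's tool: it parses a 512-byte MBR and diffs a user-mode read of sector 0 against a kernel-mode read, which is how a disk-I/O-hooking stealth rootkit is exposed. The two MBR images are constructed here for illustration, and the check covers only sector 0, so code stored at a later sector (like the 0x12a14c00 hit in the output) is not something this comparison can see, in line with Vlk's reading.

```python
import struct

SECTOR = 512
BOOT_SIG = b"\x55\xaa"  # 0x55AA signature at the end of a valid MBR


def parse_partitions(mbr: bytes) -> list:
    """Decode the four 16-byte partition entries at offset 446 of an MBR."""
    if len(mbr) != SECTOR or mbr[510:512] != BOOT_SIG:
        raise ValueError("not a valid MBR sector (bad length or missing 0x55AA)")
    entries = []
    for i in range(4):
        e = mbr[446 + 16 * i: 446 + 16 * (i + 1)]
        lba, count = struct.unpack_from("<II", e, 8)
        if e[4] != 0:  # type 0 = unused slot
            entries.append({"bootable": e[0] == 0x80, "type": e[4],
                            "lba": lba, "sectors": count})
    return entries


def compare_views(user_mbr: bytes, kernel_mbr: bytes):
    """The user-vs-kernel check: a stealth MBR rootkit that hooks disk I/O can hand
    a clean sector 0 to user-mode readers while the kernel-level read differs.
    Returns (True, None) if both views match, else (False, first differing offset).
    Only sector 0 is compared; a payload stored at a later sector is out of scope."""
    for off, (a, b) in enumerate(zip(user_mbr, kernel_mbr)):
        if a != b:
            return False, off
    return True, None


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed sample: given boot code, one bootable NTFS-type partition, signature."""
    mbr = bytearray(SECTOR)
    mbr[:len(boot_code)] = boot_code
    # flag 0x80 (bootable), CHS bytes zeroed, type 0x07, start LBA 2048, 409600 sectors
    mbr[446:462] = bytes([0x80, 0, 0, 0, 0x07, 0, 0, 0]) + struct.pack("<II", 2048, 409600)
    mbr[510:512] = BOOT_SIG
    return bytes(mbr)


# Constructed inputs: a standard-looking boot-code prologue (xor ax,ax / mov ss,ax / mov sp,7C00h)
# versus a view whose first bytes were replaced by a jump (placeholder for a rootkit loader).
CLEAN = build_sample_mbr(b"\x33\xc0\x8e\xd0\xbc\x00\x7c")
HOOKED = build_sample_mbr(b"\xe9\x00\x01")

if __name__ == "__main__":
    print(parse_partitions(CLEAN))
    print("user & kernel MBR OK" if compare_views(CLEAN, CLEAN)[0] else "MISMATCH")
    ok, off = compare_views(CLEAN, HOOKED)
    print("user & kernel MBR OK" if ok else f"user != kernel MBR at offset {off}")
```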

The system boots. :slight_smile:

Also, what does this have to do with a pen drive? ???

Cheers
Vlk

Because I used the pendrive in another PC with a different antivirus (NOD32); when I plugged it into the PC, the warning message appeared:

11/07/2008 10:15:30	Startup scanner	boot sector	MBR sector of the 1. physical disk	Win32/Mebroot.H trojan	error while cleaning - operation unavailable for this object type		

Where 1. physical disk was my pendrive. :confused:

Thanks \o