MRT detects Trojan:DOS/Sinowal.G; Avast doesn't

Hi,

The latest MRT that came in with Tuesday’s batch of Windows Updates detected and removed Trojan:DOS/Sinowal.G

Threat detected: Trojan:DOS/Sinowal.G
boot://\.\PHYSICALDRIVE1(MBR)
SigSeq: 0x00002144589ED514

Microsoft’s page for this is here:
http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Trojan%3ADOS%2FSinowal.G#techdetails_link

What is Avast’s name for this Trojan?

And I’m wondering why Avast 5 didn’t detect the initial infection? Don’t know how long I’ve been running with this. Does Avast check MBRs at startup?

Thanks

What is Avast's name for this Trojan?
Win32:MBRoot http://www.virustotal.com/file-scan/report.html?id=dd3a5303c31026a6da41b1800b5c73df21215fb50d0e081b0e724242ae306b81-1292596599
And I'm wondering why Avast 5 didn't detect the initial infection?
No security program has 100% detection... maybe it is very new, or an MRT false positive?

Avast does detect this - unless it is a new variant

Thank you for your replies.

Unfortunately, as this is a MBR virus, there is no file I can upload for evidence. A false positive is unlikely, as there shouldn’t be anything lurking in the MBR. So the mere presence of anything is suspect.

I did a complete scan with Avast, and was unable to find the file that caused the infection. Given how nasty Sinowal/MBRoot is, I hope you can catch it.

Meanwhile I manually downloaded MRT and I’m running a full scan (I think the scan during Windows Updates is a quick scan). Will report what it finds.

Let me know as I have some programmes that will clear this

OK, I booted into recovery console and did a FIXMBR on all my drives.

What’s frustrating is that even right after doing this, FIXMBR still says, “Caution This computer appears to have a non-standard or invalid master boot record”. What’s up with that??!?!

In any event… a full MRT scan comes up clean. So does an AVAST rootkits (full) scan.

Be that as it may, if you can recommend another rootkit scanner as a 3rd opinion, it would put my mind at ease.

Has Avast checked their signatures to see if what MRT initially reported … Trojan:DOS/Sinowal.G … is being caught by you guys now?

Thanks

Yep, two programmes to double check - both are speedy ;D

Download aswMBR.exe ( 511KB ) to your desktop.

Double click the aswMBR.exe to run it

http://i1224.photobucket.com/albums/ee362/Essexboy3/Capture.jpg

Click the “Scan” button to start scan

http://i1224.photobucket.com/albums/ee362/Essexboy3/aswMBR2.png

Click the “Fix” in case of infection

http://i1224.photobucket.com/albums/ee362/Essexboy3/aswMBR3.png

Save the aswMBR.log to the desktop

http://i1224.photobucket.com/albums/ee362/Essexboy3/aswMBR4.png

THEN

Please read carefully and follow these steps.

[*]Download TDSSKiller and save it to your Desktop.
[*]Extract its contents to your desktop.
[*]Once extracted, open the TDSSKiller folder and doubleclick on TDSSKiller.exe to run the application, then on Start Scan.

http://i466.photobucket.com/albums/rr21/JSntgRvr/TDSSKillermain.png

[*]If an infected file is detected, the default action will be Cure, click on Continue.

http://i466.photobucket.com/albums/rr21/JSntgRvr/TDSSKillerMal-1.png

[*]If a suspicious file is detected, the default action will be Skip, click on Continue.

http://i466.photobucket.com/albums/rr21/JSntgRvr/TDSSKillerSuspicious.png

[*]It may ask you to reboot the computer to complete the process. Click on Reboot Now.

http://i466.photobucket.com/albums/rr21/JSntgRvr/TDSSKillerCompleted.png

[*]If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
[*]If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of “TDSSKiller.[Version][Date][Time]_log.txt”. Please copy and paste the contents of that file here.

Thanks for your reply.

I noticed that aswmbr reports that I have 2 disks, yet it scans the MBR only on disk 0.

MRT originally reported that it found the infected MBR on disk 1.

Question:

Is there a way to get aswmbr to scan the MBR on disk 1?

Is the code in the MBR on disks 1+ ever executed? Because one of the “features” of Sinowal/MBRoot is that it infects the first 16 disks connected to the system, including flash drives.

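As an added, defender-side illustration (not from the thread or from any of the tools mentioned in it): a small Python checker that reads the first sector of a disk such as \\.\PhysicalDrive1, validates the 0x55AA signature and partition table, and compares the boot code area against the hash of a known-clean MBR, which is the kind of check behind FIXMBR's "non-standard" warning and the MBR scanners discussed above. The disk path and the sample sectors below are constructed assumptions, not data from the thread.

```python
import hashlib
import struct

SECTOR = 512        # an MBR is the first 512-byte sector of a disk
BOOT_CODE = 440     # boot code area; bytes 440-445 hold the disk signature
PT_OFFSET = 446     # four 16-byte partition table entries start here
SIG_OFFSET = 510    # 0x55AA boot signature

def read_mbr(path):
    # e.g. r"\\.\PhysicalDrive1" on Windows (needs administrator rights)
    with open(path, "rb") as disk:
        return disk.read(SECTOR)

def parse_partitions(mbr):
    """Return the non-empty partition table entries as dicts."""
    parts = []
    for i in range(4):
        entry = mbr[PT_OFFSET + 16 * i:PT_OFFSET + 16 * (i + 1)]
        # status(1) CHS start(3) type(1) CHS end(3) LBA start(4) sector count(4)
        status, ptype, lba, count = struct.unpack("<B3xB3xII", entry)
        if ptype:
            parts.append({"index": i, "status": status, "type": ptype,
                          "lba_start": lba, "sectors": count})
    return parts

def check_mbr(mbr, baseline_sha256=None):
    """Return a list of findings; an empty list means nothing suspicious."""
    if len(mbr) != SECTOR:
        return ["sector is %d bytes, expected %d" % (len(mbr), SECTOR)]
    findings = []
    if mbr[SIG_OFFSET:] != b"\x55\xaa":
        findings.append("missing 0x55AA boot signature")
    parts = parse_partitions(mbr)
    if sum(1 for p in parts if p["status"] == 0x80) > 1:
        findings.append("more than one active partition")
    for p in parts:
        if p["status"] not in (0x00, 0x80):
            findings.append("entry %d: invalid status byte 0x%02x" % (p["index"], p["status"]))
    # MBR bootkits replace the boot code but keep the partition table intact,
    # so compare the code area against a hash taken from a known-clean MBR.
    digest = hashlib.sha256(mbr[:BOOT_CODE]).hexdigest()
    if baseline_sha256 is not None and digest != baseline_sha256:
        findings.append("boot code differs from known-good baseline")
    return findings

# Constructed sample: placeholder boot code, one active NTFS partition, valid signature.
CLEAN_MBR = (b"\xeb\x3c" + b"\x90" * 438 + b"\x00" * 6
             + struct.pack("<B3xB3xII", 0x80, 0x07, 2048, 1_000_000)
             + b"\x00" * 48 + b"\x55\xaa")
BASELINE = hashlib.sha256(CLEAN_MBR[:BOOT_CODE]).hexdigest()
# Same partition table, but the boot code area has been overwritten (constructed).
TAMPERED_MBR = b"\x31\xc0" * 220 + CLEAN_MBR[BOOT_CODE:]
```

Take the baseline hash from a disk you know is clean (or right after FIXMBR), then re-run check_mbr against every physical drive, which covers the disk 1 case asked about above.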

There’s no need to download MRT a second time. After it’s been installed by Windows Update, just go to Start, Run, type MRT, click OK, and you can run it anytime.

We could try mbrcheck to attempt to remove from the other drives. Did TDSSKiller or ASWMbr detect anything ?

Please download MBRCheck.exe to your desktop.

[*]Be sure to disable your security programs
[*]Double click on the file to run it (Vista and Windows 7 users will have to confirm the UAC prompt)
[*]A window similar to this should open on your desktop:

http://i677.photobucket.com/albums/vv132/RPMcMurphy_album_photos/mbrcheck.png

[*]If you are prompted with options, enter N at the prompt and press Enter
[*]Press Enter again
[*]A .txt file named MBRCheck_mm.dd.yy_hh.mm.ss should appear on your desktop. Please post the contents of that file.

Everything comes up clean now.

Thanks to all.