Raising the Bar: Rustock.A and Advances in Rootkits

The never-ending game of hide-and-seek between the antivirus industry and rootkits has begun a new chapter. Recently our lab discovered a new rootkit sample in the wild that is very unique given the techniques it uses. It was named Backdoor.Rustock.A, and because of its special characteristics it can be considered the first born of the next generation of rootkits. Rustock.A consists of a mix of old techniques and new ideas that when combined make a malware that is stealthy enough to remain undetected by many rootkit detectors commonly used (such as RootkitRevealer, BlackLight and IceSword). We consider it to be an advanced example of "stealth by design" malicious code. [1]

http://www.symantec.com/enterprise/security_response/weblog/2006/06/raising_the_bar_rustocka_advan.html

Via:

http://sunbeltblog.blogspot.com/2006/12/gromozon-has-evolved.html

Hi FwF,

Removal info here:
http://www.2-spyware.com/remove-rustock.html

polonus

Good evening, sorry, I'm French and I'll try to explain in the best English I have.
trojan-backdoor-rustock has been on my computer since this weekend (29 December). Spy Sweeper finds it, says it deletes it, but it comes back. I've just finished a very long analysis with avast (in safe mode) (up to date); avast found it and says it has deleted it. I've made an analysis with Spy Sweeper and this trojan is still on the computer. What can I do? I have used avast for one year without any problem, but today I'm having difficulties. I would like not to be obliged to reformat my hard drive. Thanks in advance for all help.
PS: I'm a good computer user; if I have to make modifications in regedit or elsewhere, I think I'm able to if you explain it to me well.

Hi and welcome

Have you tried the procedure outlined in the previous post by Polonus?

The software method, yes, it's with Spy Sweeper and it comes back. The manual one, not yet; do I need to do it in safe mode?

Sorry, I didn't see that Spyware Doctor was different from Spy Sweeper because of the advertisement for Spy Sweeper just after. I'll try and say if it works.
Thanks

There is an automatic removal tool at the link in the previous post (this one: http://www.2-spyware.com/sd2-Spyware-4.0.0.2602.exe )

Have you downloaded it and tried it?

If you have and still have the problem, I suggest an HJT scan; post the log it generates so we can look it over.
http://www.majorgeeks.com/download3155.html

good luck

I've downloaded it; it says I'm infected but can't destroy it with the free software. I'm sorry, I didn't understand what you mean by "a HJT scan and post the log it generates so we can look it over". What is it?

It's a small tool that copies all your system files to a log and allows others to see what problems you have.
This is the best way forward now :wink:

Here is a tutorial if you need more info
http://forums.majorgeeks.com/showthread.php?t=38752

And I put it here by copy/paste? Sorry, it seems very long to me…

If it won't paste into the post, then copy it into Notepad and attach it to the post.

Logfile of HijackThis v1.99.1
Scan saved at 23:49:17, on 05/01/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9IE.EXE
C:\Program Files\EPSON\Creativity Suite\Event Manager\EEventManager.exe
C:\Program Files\VIA\RAID\raid_tool.exe
C:\Program Files\SPAMfighter\SFAgent.exe
C:\Program Files\Fichiers communs\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe
C:\Program Files\SuperCopier2\SuperCopier2.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Alwil Software\Avast4\ashLogV.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\Nath\LOCALS~1\Temp\Rar$EX01.422\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.free.fr/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O1 - Hosts: 205.238.40.1 winmx.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O2 - BHO: NTIECatcher Class - {C56CB6B0-0D96-11D6-8C65-B2868B609932} - C:\Program Files\Xi\NetTransport 2\NTIEHelper.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Smapp] "C:\Program Files\Analog Devices\SoundMAX\SMTray.exe"
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [EPSON Stylus Photo RX700 Series] "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9IE.EXE" /P31 "EPSON Stylus Photo RX700 Series" /O6 "USB001" /M "Stylus Photo RX700"
O4 - HKLM\..\Run: [EEventManager] "C:\Program Files\EPSON\Creativity Suite\Event Manager\EEventManager.exe"
O4 - HKLM\..\Run: [RaidTool] "C:\Program Files\VIA\RAID\raid_tool.exe"
O4 - HKLM\..\Run: [SPAMfighter Agent] "C:\Program Files\SPAMfighter\SFAgent.exe" update delay 60
O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [Digital Video Duplicator OLR] "C:\PROGRA~1\DIGITA~1\BVRPOlr.exe" /Digital Video Duplicator
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [FreeRAM XP] "C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe" -win
O4 - HKCU\..\Run: [SuperCopier2.exe] "C:\Program Files\SuperCopier2\SuperCopier2.exe"
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O18 - Protocol: compta - {365B8213-2402-48CF-9907-A4E4A757DE38} - C:\Isa\isacowp\coNetIE.ocx
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Fichiers communs\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\FICHIE~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winpdc32 - winpdc32.dll (file missing)
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Moteur Webroot Spy Sweeper (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

Sorry, I don't know how to attach a file to a post :frowning:
These last days, I installed a demo version of BitDefender and I uninstalled it (it didn't find the trojan); I feel that some of the missing entries in the system are from this installation. I'll let you see; I don't see anything strange in this information, but I'm not a pro with this (I use Code Stuff Starter Pro to regularly check the processes running; I didn't see anything strange these last days, but I think I've clicked on a file I mustn't have, and since then the trojan is in). I'm in France, it's past midnight, and I've already spent a lot of hours tonight trying again to understand where the trojan still is; I won't be able to understand your information well, it's too late for my little brain. I'll see tomorrow if you have an idea. Even if not, thanks a lot for having spent so much time to help me.

I suggest you read the tutorial and familiarise yourself with the functions it can do.

It's best if the HJT program sits in a folder on the C drive, as it saves copies of scans in case you need to backtrack.

I'm not an expert at reading these scans, so if you have time you might prefer to wait for others to comment.

An online scan shows that the following lines can be FIXED

O1 - Hosts: 205.238.40.1 winmx.com

O20 - Winlogon Notify: winpdc32 - winpdc32.dll (file missing)

and unless you are familiar with this program and can verify it, it may be bad as well

O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)

Important that you check back, as others might have opinions contrary to mine.
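As an added illustration, not part of this thread and not code from HijackThis or from any poster here: a short Python script that parses HJT-format log lines and flags the kinds of entries singled out in the reply above: the hosts-file mapping, load points whose target file is missing, and Winlogon Notify DLLs given without a full path. The sample log is constructed in the same format as the log posted earlier; the section list and the reasons are my own triage heuristics, not HJT's.

```python
import re

# Constructed sample in HijackThis v1.99.1 format: a few lines of the kind
# posted in this thread (the three entries the reply names, plus benign ones).
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss.exe

O1 - Hosts: 205.238.40.1 winmx.com
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winpdc32 - winpdc32.dll (file missing)
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
"""

# One HJT entry: a section code (R0, O1, O20, ...), then " - ", then the body.
ENTRY_RE = re.compile(r"^(?P<section>[RFNO]\d+) - (?P<body>.+)$")

# Load points where a missing target usually means a leftover or removed component
# (my own selection; service entries are handled separately, see the note below).
LOAD_POINT_SECTIONS = {"O4", "O9", "O18", "O20", "O21", "O22"}


def parse_entries(text):
    """Return [(section, body), ...]; header and running-process lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("section"), m.group("body")))
    return entries


def triage(text):
    """Return [(section, body, reason), ...] for entries worth a manual check."""
    findings = []
    for section, body in parse_entries(text):
        reason = None
        if section == "O1":
            # Any hosts-file entry silently overrides DNS for that name.
            reason = "hosts file overrides name resolution"
        elif section in LOAD_POINT_SECTIONS and body.endswith("(file missing)"):
            reason = "load point references a file that is no longer present"
        elif section == "O20":
            # A Winlogon Notify DLL named without a path is located by DLL search order,
            # so the entry alone does not tell you which file actually loads.
            target = body.rsplit(" - ", 1)[-1]
            if "\\" not in target:
                reason = "Winlogon Notify DLL given without a full path"
        if reason:
            findings.append((section, body, reason))
    return findings


if __name__ == "__main__":
    for section, body, reason in triage(SAMPLE_LOG):
        print(f"{section}: {reason}\n    {body}")
```

Running it on the sample prints the O1, O9 and O20 (winpdc32) entries and leaves the WgaLogon line alone. O23 service entries are deliberately not auto-flagged: in the log above, the avast mail and web scanner services carry "(file missing)" even though the same binaries appear in the running-process list, so a service line needs manual confirmation rather than an automatic verdict.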

I’m not sure if you’re infected or not…
To be sure, you could try on-line scanning and report what you get.

http://www.virustotal.com/flash/index_en.html
http://www.kaspersky.com/virusscanner
http://www.mwti.net/antivirus/mwav.asp
http://www.security-ops.tk
http://housecall.trendmicro.com/
http://www.bitdefender.com/scan/index.html
http://support.f-secure.com/enu/home/ols.shtml

Good afternoon.
For Take: taking information on the sites and so on, I'm surprised too: no folder, no registry entry, but avast and Spy Sweeper still find information from the trojan. But since the hard work done by avast between Sunday and yesterday, the PC seems to be in better health: less hard drive access, and the internet connection seems more efficient. I'll go in the afternoon to all the sites you gave me. BitDefender, online as on the hard drive, doesn't find any problem.
For Closseau: with Spy Sweeper, I removed the information for winmx; normally it must have been deleted months ago, when I stopped talking on their chat room; I don't understand why it was still there, but it was there before the problems began. For the other reference, I have to understand how HJT works, so as not to make mistakes.
Many thanks, I'll continue trying, and I'll let you have the information I find with the scans.

Good evening, sorry for the delay; I had some hardware problems with the computer yesterday. I've done as many scans as I could; I've attached 2 of the reports, one will be in another post. I didn't do the scan with the Turkish site, I couldn't find where to click. Trend Micro was impossible: it wanted to uninstall avast AND Spy Sweeper; Spy Sweeper being the software finding the trojan, I didn't want to uninstall it and so it stopped the installation. No virus found by BitDefender, none at the reinstall of Avast; Spy Sweeper finds "traces" of the trojan every night :-(.
I used the computer on Saturday, tried to make it work hard, no real problem as there was before (slow, not stable). Do you think the trojan has been killed? Thanks so much for the answers made and still to be made.

And the last one, Kaspersky. When installing, eScan told me some files were not good, but I didn't have any report of that (entries in the registry no longer valid…); I chose to delete all that was proposed for deletion at this time. Have a good evening if you are on the Paris meridian; thanks for all this help, hoping you'll write to me that the problem is not in my computer anymore.

System Restore has a bad file (indicated in the KAV scan) which can be removed by turning off System Restore, rebooting and then turning it back on. This will clear any old files from there.

If you go back to the removal instructions in Polonus's post you will see reference to some files in the system32 folder that need to be removed.
I'm guessing that the one that shows in the F-Secure scan (c:\WINDOWS\system32:lzx32.sys) is one of those.

Can you check your folder options to ensure you have them set to see all hidden files and folders, then explore for that file and try to kill it, maybe in safe mode.
If it won't budge, try Killbox: http://www.softpedia.com/get/Security/Secure-cleaning/Pocket-Killbox.shtml

good luck

I believe c:\WINDOWS\system32:lzx32.sys indicates rustock.B rather than rustock.A

Maybe this removal tool would be better (scroll about half way down the page)

http://www.geekstogo.com/forum/How_to_Remove_Rustock_b_pe386_lzx32_msguard_infections-t140682.html