Large viral outbreak of a new variant of Rovnix.
‘Myndigheten för samhällsskydd och beredskap’, a Swedish institution, advises a complete re-install because the infection is very, very hard to cleanse. Reinstall from a DVD, because restore partitions may also be infested.
Re: http://www.svt.se/nyheter/inrikes/tusentals-datorer-smittade-av-elak-trojan
Does Avast offer detection and protection against this?
polonus
Pondus
May 28, 2015, 10:09pm
New fake mail(s), and according to the info there it seems to be the same attached malware as this: https://forum.avast.com/index.php?topic=171575.0
Also spreading in Britain and Germany.
Macro-virus, the new trend, good to know we have detection since May 25th.
Wonder if I can get a copy and remove it… Anyone got a copy of the new Rovnix?
You find it on malwr, MD5 ee8c9134226762f913d558250e008d8d
Eddy
May 29, 2015, 4:55pm
Hmm, OK. Will get FRST running along with a few other tools. See what it takes to hammer this thing.
MBAM identifies the threat as Trojan.Agent.WNT
Log File:
Malwarebytes Anti-Malware
www.malwarebytes.org
Scan Date: 5/28/2015
Scan Time: 11:45:22 AM
Logfile:
Administrator: Yes
Version: 2.01.6.1022
Malware Database: v2015.05.29.05
Rootkit Database: v2015.05.24.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled
OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: John
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 322441
Time Elapsed: 3 min, 44 sec
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled
Processes: 1
Trojan.Agent.WNT, C:\Users\John\Desktop\POS Rovnix.exe, 1980, Delete-on-Reboot, [7beec5d4b8d23ff7ff175f03b54da25e]
Modules: 0
(No malicious items detected)
Registry Keys: 0
(No malicious items detected)
Registry Values: 0
(No malicious items detected)
Registry Data: 3
PUM.Disabled.SecurityCenter, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER|AntiVirusDisableNotify, 1, Good: (0), Bad: (1),Replaced,[8ddc01980981af878544290041c5f30d]
PUM.Disabled.SecurityCenter, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER|FirewallDisableNotify, 1, Good: (0), Bad: (1),Replaced,[93d67227b4d6f34316b46ebbc640857b]
PUM.Disabled.SecurityCenter, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER|UpdatesDisableNotify, 1, Good: (0), Bad: (1),Replaced,[1f4a4356aae01e186d5e0623679fe61a]
Folders: 0
(No malicious items detected)
Files: 1
Trojan.Agent.WNT, C:\Users\John\Desktop\POS Rovnix.exe, Delete-on-Reboot, [7beec5d4b8d23ff7ff175f03b54da25e],
Physical Sectors: 0
(No malicious items detected)
(end)
aswMBR:
aswMBR version 1.0.1.2290 Copyright(c) 2014 AVAST Software
Run date: 2015-05-28 11:57:39
-----------------------------
11:57:39.464 OS Version: Windows x64 6.1.7601 Service Pack 1
11:57:39.464 Number of processors: 1 586 0x3A09
11:57:39.464 ComputerName: JOHN-PC UserName: John
11:57:39.746 Initialize success
11:57:39.761 VM: initialized successfully
11:57:39.761 VM: Intel CPU virtualization not supported
11:58:38.504 AVAST engine defs: 15052900
11:58:49.426 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-4
11:58:49.426 Disk 0 Vendor: VBOX_HARDDISK 1.0 Size: 65536MB BusType: 11
11:58:49.536 Disk 0 MBR read successfully
11:58:49.536 Disk 0 MBR scan
11:58:49.551 Disk 0 Windows 7 default MBR code
11:58:49.551 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 100 MB offset 2048
11:58:49.551 Disk 0 default boot code
11:58:49.567 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 65434 MB offset 206848
11:58:49.583 Disk 0 scanning C:\Windows\system32\drivers
11:58:53.489 Service scanning
11:59:03.567 Modules scanning
11:59:04.036 Disk 0 trace - called modules:
11:59:04.067 ntoskrnl.exe CLASSPNP.SYS disk.sys ataport.SYS PCIIDEX.SYS hal.dll msahci.sys
11:59:04.067 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa8004544060]
11:59:04.067 3 CLASSPNP.SYS[fffff8800160143f] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP2T0L0-4[0xfffffa80040c9680]
11:59:04.301 AVAST engine scan C:\Windows
11:59:04.895 AVAST engine scan C:\Windows\system32
12:00:02.520 AVAST engine scan C:\Windows\system32\drivers
12:00:07.036 AVAST engine scan C:\Users\John
12:00:17.114 AVAST engine scan C:\ProgramData
12:00:19.145 Disk 0 statistics 2417357/0/0 @ 27.66 MB/s
12:00:19.145 Scan finished successfully
12:00:25.676 Disk 0 MBR has been saved successfully to "C:\Users\John\Desktop\MBR.dat"
12:00:25.676 The log file has been saved successfully to "C:\Users\John\Desktop\aswMBR.txt"
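A note on reading the aswMBR output above: "Windows 7 default MBR code" means the master boot record itself looks clean, but Rovnix is a VBR bootkit, so the code it patches lives in the volume boot record of the active partition (here partition 1, offset 2048), and its body is stashed in unpartitioned sectors. The following script is an added example, not code from the thread or from aswMBR or Malwarebytes: it parses a raw 512-byte MBR image such as the `MBR.dat` that aswMBR saved to the desktop, lists the partition table, hashes the bootstrap code so it can be compared with a known-good copy, reports the active partition and the byte offset of its VBR (the sector you would then dump and hash), and flags layout oddities. The sample MBR it builds is constructed here from the partition layout in the log (2048 / 100 MB active NTFS, 206848 / 65434 MB NTFS); the bootstrap area is zero-filled because the real boot code is not on the page.

```python
"""Parse a raw MBR image and locate the active partition's VBR.

Added example (not from the forum thread). Usage:
    python mbr_check.py            # runs against the constructed sample below
    python mbr_check.py MBR.dat    # runs against a dumped MBR, e.g. aswMBR's MBR.dat
"""
import hashlib
import struct
import sys

SECTOR = 512
BOOT_CODE_LEN = 446          # bytes 0..445: bootstrap code
TABLE_OFF = 446              # 4 x 16-byte partition entries
ENTRY_FMT = "<B3sB3sII"      # status, CHS start, type, CHS end, LBA start, sector count


def _entry(status: int, ptype: int, lba: int, count: int) -> bytes:
    # CHS fields are legacy; 0xFE 0xFF 0xFF is the "use LBA" filler many tools write.
    return struct.pack(ENTRY_FMT, status, b"\xfe\xff\xff", ptype, b"\xfe\xff\xff", lba, count)


def build_sample_mbr() -> bytes:
    """Constructed sample mirroring the layout in the aswMBR log (boot code zeroed)."""
    code = bytes(BOOT_CODE_LEN)
    table = (
        _entry(0x80, 0x07, 2048, 100 * 2048)          # active, NTFS, 100 MB system partition
        + _entry(0x00, 0x07, 206848, 65434 * 2048)    # NTFS, 65434 MB Windows partition
        + bytes(32)                                    # two unused entries
    )
    return code + table + b"\x55\xaa"


def parse_mbr(mbr: bytes) -> dict:
    """Return boot-code hash and the non-empty partition entries of a 512-byte MBR."""
    if len(mbr) != SECTOR:
        raise ValueError(f"expected {SECTOR} bytes, got {len(mbr)}")
    if mbr[510:512] != b"\x55\xaa":
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for i in range(4):
        off = TABLE_OFF + 16 * i
        status, _, ptype, _, lba, count = struct.unpack(ENTRY_FMT, mbr[off:off + 16])
        if ptype == 0:
            continue                                   # empty slot
        partitions.append({
            "index": i + 1,
            "active": status == 0x80,
            "type": ptype,
            "lba_start": lba,
            "sectors": count,
            "size_mb": count * SECTOR // (1024 * 1024),
        })
    return {
        # Compare this against the hash of a known-good MBR from the same Windows build.
        "boot_code_sha256": hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest(),
        "partitions": partitions,
    }


def active_partition(parsed: dict) -> dict:
    """The partition whose VBR the firmware/MBR hands control to (the bootkit's target)."""
    active = [p for p in parsed["partitions"] if p["active"]]
    if len(active) != 1:
        raise ValueError(f"{len(active)} active partitions, expected exactly one")
    return active[0]


def vbr_byte_offset(parsed: dict) -> int:
    """Byte offset of the active partition's VBR on the raw disk (sector to dump and hash)."""
    return active_partition(parsed)["lba_start"] * SECTOR


def sanity_warnings(parsed: dict) -> list:
    """Layout checks worth a second look during bootkit triage."""
    warnings = []
    active = [p for p in parsed["partitions"] if p["active"]]
    if len(active) != 1:
        warnings.append(f"{len(active)} active partitions (expected exactly one)")
    spans = sorted((p["lba_start"], p["lba_start"] + p["sectors"], p["index"])
                   for p in parsed["partitions"])
    for (s1, e1, i1), (s2, e2, i2) in zip(spans, spans[1:]):
        if s2 < e1:
            warnings.append(f"partitions {i1} and {i2} overlap")
    return warnings


def unpartitioned_leading_sectors(parsed: dict) -> int:
    """Sectors between the MBR (sector 0) and the first partition: a common payload hideout."""
    first = min(p["lba_start"] for p in parsed["partitions"])
    return first - 1


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read(SECTOR) if len(sys.argv) > 1 else build_sample_mbr()
    info = parse_mbr(data)
    print("boot code sha256:", info["boot_code_sha256"])
    for p in info["partitions"]:
        flag = "(A)" if p["active"] else "   "
        print(f"  part {p['index']} {flag} type 0x{p['type']:02x} "
              f"lba {p['lba_start']} sectors {p['sectors']} ({p['size_mb']} MB)")
    print("active VBR at byte offset:", vbr_byte_offset(info))
    print("unpartitioned leading sectors:", unpartitioned_leading_sectors(info))
    for w in sanity_warnings(info):
        print("WARNING:", w)
```

On a live system you would dump the first sector with a raw-disk read (or use the `MBR.dat` aswMBR already wrote), then read one sector at the reported VBR offset and hash it the same way; a VBR hash that differs from a clean install of the same Windows build, or a gap of unpartitioned sectors that is not all zeros, is what actually matters for a VBR bootkit, not the MBR verdict alone.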