Rovnix outbreak in Sweden!

Large viral outbreak of a new variant of Rovnix.
‘Myndigheten för samhällsskydd och beredskap’, a Swedish institution, advises a complete re-install because the infection is very, very hard to cleanse. Reinstall from a DVD, because restore partitions may also be infested.
Re: http://www.svt.se/nyheter/inrikes/tusentals-datorer-smittade-av-elak-trojan
Does Avast offer detection and protection against this?

polonus

New fake mail(s), and according to the info there it seems to be the same attached malware as this: https://forum.avast.com/index.php?topic=171575.0

Also spreading in Britain and Germany.

@ polonus

Sleep… dream :slight_smile:

https://www.youtube.com/watch?v=06fCMfcMnqk

Macro-virus, the new trend. Good to know we have had detection since May 25th.

polonus

Wonder if I can get a copy and remove it… Anyone got a copy of the new Rovnix?

You find it on malwr, MD5 ee8c9134226762f913d558250e008d8d

Here Avast has not flagged it yet: http://r.virscan.org/report/21415d1dca6660454ec626beb5f169de
The above is a non-reliable scan, as reported to me.
Analysis: https://www.hybrid-analysis.com/sample/2a4f8edba7d045050cd208e0c7a12e346c4b71f8c917b7299d7388bb74b4a25b?environmentId=1

pol

Old malware.
30 may 2014
https://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Win32/Rovnix

Hmm, OK. Will get FRST running along with a few other tools. See what it takes to hammer this thing.

MBAM identifies the threat as Trojan.Agent.WNT

Log File:


Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 5/28/2015
Scan Time: 11:45:22 AM
Logfile: 
Administrator: Yes

Version: 2.01.6.1022
Malware Database: v2015.05.29.05
Rootkit Database: v2015.05.24.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled

OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: John

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 322441
Time Elapsed: 3 min, 44 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 1
Trojan.Agent.WNT, C:\Users\John\Desktop\POS Rovnix.exe, 1980, Delete-on-Reboot, [7beec5d4b8d23ff7ff175f03b54da25e]

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 0
(No malicious items detected)

Registry Data: 3
PUM.Disabled.SecurityCenter, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER|AntiVirusDisableNotify, 1, Good: (0), Bad: (1),Replaced,[8ddc01980981af878544290041c5f30d]
PUM.Disabled.SecurityCenter, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER|FirewallDisableNotify, 1, Good: (0), Bad: (1),Replaced,[93d67227b4d6f34316b46ebbc640857b]
PUM.Disabled.SecurityCenter, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER|UpdatesDisableNotify, 1, Good: (0), Bad: (1),Replaced,[1f4a4356aae01e186d5e0623679fe61a]

Folders: 0
(No malicious items detected)

Files: 1
Trojan.Agent.WNT, C:\Users\John\Desktop\POS Rovnix.exe, Delete-on-Reboot, [7beec5d4b8d23ff7ff175f03b54da25e], 

Physical Sectors: 0
(No malicious items detected)


(end)

aswMBR:


aswMBR version 1.0.1.2290 Copyright(c) 2014 AVAST Software
Run date: 2015-05-28 11:57:39
-----------------------------
11:57:39.464    OS Version: Windows x64 6.1.7601 Service Pack 1
11:57:39.464    Number of processors: 1 586 0x3A09
11:57:39.464    ComputerName: JOHN-PC  UserName: John
11:57:39.746    Initialize success
11:57:39.761    VM: initialized successfully
11:57:39.761    VM: Intel CPU virtualization not supported 
11:58:38.504    AVAST engine defs: 15052900
11:58:49.426    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-4
11:58:49.426    Disk 0 Vendor: VBOX_HARDDISK 1.0 Size: 65536MB BusType: 11
11:58:49.536    Disk 0 MBR read successfully
11:58:49.536    Disk 0 MBR scan
11:58:49.551    Disk 0 Windows 7 default MBR code
11:58:49.551    Disk 0 Partition 1 80 (A) 07      HPFS/NTFS NTFS          100 MB offset 2048
11:58:49.551    Disk 0 default boot code
11:58:49.567    Disk 0 Partition 2 00     07      HPFS/NTFS NTFS        65434 MB offset 206848
11:58:49.583    Disk 0 scanning C:\Windows\system32\drivers
11:58:53.489    Service scanning
11:59:03.567    Modules scanning
11:59:04.036    Disk 0 trace - called modules:
11:59:04.067    ntoskrnl.exe CLASSPNP.SYS disk.sys ataport.SYS PCIIDEX.SYS hal.dll msahci.sys 
11:59:04.067    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa8004544060]
11:59:04.067    3 CLASSPNP.SYS[fffff8800160143f] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP2T0L0-4[0xfffffa80040c9680]
11:59:04.301    AVAST engine scan C:\Windows
11:59:04.895    AVAST engine scan C:\Windows\system32
12:00:02.520    AVAST engine scan C:\Windows\system32\drivers
12:00:07.036    AVAST engine scan C:\Users\John
12:00:17.114    AVAST engine scan C:\ProgramData
12:00:19.145    Disk 0 statistics 2417357/0/0 @ 27.66 MB/s
12:00:19.145    Scan finished successfully
12:00:25.676    Disk 0 MBR has been saved successfully to "C:\Users\John\Desktop\MBR.dat"
12:00:25.676    The log file has been saved successfully to "C:\Users\John\Desktop\aswMBR.txt"
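As an added example (not from the post and not Malwarebytes' own code), a small parser for the Malwarebytes log layout quoted above, run on a constructed excerpt of those lines: it pulls out each detection and flags the Security Center DisableNotify values the scan found set to 1, the sign that warnings were silenced.

```python
import re
from typing import Dict, List

# Constructed excerpt in the layout of the Malwarebytes log quoted in the post.
SAMPLE_LOG = r"""
Objects Scanned: 322441

Processes: 1
Trojan.Agent.WNT, C:\Users\John\Desktop\POS Rovnix.exe, 1980, Delete-on-Reboot, [7beec5d4b8d23ff7ff175f03b54da25e]

Registry Data: 3
PUM.Disabled.SecurityCenter, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER|AntiVirusDisableNotify, 1, Good: (0), Bad: (1),Replaced,[8ddc01980981af878544290041c5f30d]
PUM.Disabled.SecurityCenter, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER|FirewallDisableNotify, 1, Good: (0), Bad: (1),Replaced,[93d67227b4d6f34316b46ebbc640857b]
PUM.Disabled.SecurityCenter, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER|UpdatesDisableNotify, 1, Good: (0), Bad: (1),Replaced,[1f4a4356aae01e186d5e0623679fe61a]

Files: 1
Trojan.Agent.WNT, C:\Users\John\Desktop\POS Rovnix.exe, Delete-on-Reboot, [7beec5d4b8d23ff7ff175f03b54da25e], 
"""

# Only these headers open a detection section; "Objects Scanned: N" must not.
SECTIONS = ("Processes", "Modules", "Registry Keys", "Registry Values",
            "Registry Data", "Folders", "Files", "Physical Sectors")
HEADER_RE = re.compile(r"^(%s): (\d+)$" % "|".join(SECTIONS))
HASH_RE = re.compile(r"\[([0-9a-f]{32})\]")          # trailing [id] on each hit
GOOD_BAD_RE = re.compile(r"Good: \((\d+)\), Bad: \((\d+)\)")  # Registry Data only

def parse_mbam_log(text: str) -> List[Dict[str, str]]:
    """One dict per detection line, tagged with the section it appeared in."""
    findings, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER_RE.match(line)
        if m:
            section = m.group(1)
            continue
        if not section or not line or line.startswith("("):
            continue  # outside a section, blank, or "(No malicious items detected)"
        fields = [f.strip() for f in line.split(",")]
        entry = {"section": section, "name": fields[0], "target": fields[1]}
        h = HASH_RE.search(line)
        entry["id"] = h.group(1) if h else ""
        gb = GOOD_BAD_RE.search(line)
        if gb:
            entry["good"], entry["bad"] = gb.group(1), gb.group(2)
        findings.append(entry)
    return findings

def suppressed_notifications(findings: List[Dict[str, str]]) -> List[str]:
    """Security Center *DisableNotify values found set to 1 (notifications silenced)."""
    return sorted(f["target"].rsplit("|", 1)[1] for f in findings
                  if f["section"] == "Registry Data"
                  and f["target"].endswith("DisableNotify") and f.get("bad") == "1")
```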