Unknown MBR code

aswMBR shows an unknown MBR code. The machine is NOT a Dell or HP (or any other system with a recovery partition). I am not running any boot managers or any other utility that should change the MBR. I installed the drives and have imaged/restored them with ghost many times. I’m running Windows XP. No hidden partitions that I can find.

Neither aswMBR nor TDSSKiller shows active infections, although TDSSKiller does locate \Device\Harddisk0\DR0 ( TDSS File System ), assuming from a past infection, although I don’t know when or what software removed the infection.

Is the “unknown MBR code” anything to worry about?

aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
Run date: 2012-03-26 10:32:36

10:32:36.125 OS Version: Windows 5.1.2600 Service Pack 3
10:32:36.125 Number of processors: 2 586 0x209
10:32:36.125 ComputerName: SAM UserName: gandolph
10:32:36.437 Initialize success
10:51:36.781 AVAST engine defs: 12032601
11:13:28.781 Disk 0 (boot) \Device\Harddisk0\DR0 → \Device\Ide\IdeDeviceP2T0L0-e
11:13:28.781 Disk 0 Vendor: WDC_WD20EADS-00S2B0 01.00A01 Size: 1907729MB BusType: 3
11:13:28.781 Disk 1 \Device\Harddisk1\DR1 → \Device\Ide\IdeDeviceP3T0L0-19
11:13:28.781 Disk 1 Vendor: ST3160023AS 3.05 Size: 152627MB BusType: 3
11:13:28.796 Disk 0 MBR read successfully
11:13:28.796 Disk 0 MBR scan
11:13:28.843 Disk 0 unknown MBR code
11:13:28.843 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 29996 MB offset 63
11:13:28.843 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 122628 MB offset 61432560
11:13:28.875 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 99998 MB offset 312576705
11:13:28.875 Disk 0 Partition - 00 0F Extended LBA 1655102 MB offset 517373325
11:13:28.875 Disk 0 Partition 4 00 07 HPFS/NTFS NTFS 255102 MB offset 517373388
11:13:28.890 Disk 0 Partition - 00 05 Extended 499999 MB offset 1039823190
11:13:28.890 Disk 0 Partition 5 00 07 HPFS/NTFS NTFS 499999 MB offset 1039823253
11:13:28.906 Disk 0 scanning sectors +3907024065
11:13:28.968 Disk 0 scanning C:\WINDOWS\system32\drivers
11:13:38.296 Service scanning
11:13:49.203 Modules scanning
11:13:52.265 Disk 0 trace - called modules:
11:13:52.281 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
11:13:52.281 1 nt!IofCallDriver → \Device\Harddisk0\DR0[0x8a67dab8]
11:13:52.281 3 CLASSPNP.SYS[f7657fd7] → nt!IofCallDriver → \Device\0000006f[0x8a67e9e8]
11:13:52.281 5 ACPI.sys[f75ae620] → nt!IofCallDriver → \Device\Ide\IdeDeviceP2T0L0-e[0x8a667d98]
11:13:52.625 AVAST engine scan C:\WINDOWS
11:13:59.218 AVAST engine scan C:\WINDOWS\system32
11:16:48.375 AVAST engine scan C:\WINDOWS\system32\drivers
11:17:01.750 AVAST engine scan C:\Documents and Settings\gandolph
11:17:17.500 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\gandolph\Desktop\MBR.dat"
11:17:17.515 The log file has been saved successfully to "C:\Documents and Settings\gandolph\Desktop\aswMBR.txt"

12:13:30.0531 3824 TDSS rootkit removing tool 2.7.23.0 Mar 26 2012 13:40:18
12:13:31.0062 3824 ============================================================
12:13:31.0062 3824 Current date / time: 2012/03/27 12:13:31.0062
12:13:31.0062 3824 SystemInfo:
12:13:31.0062 3824
12:13:31.0062 3824 OS Version: 5.1.2600 ServicePack: 3.0
12:13:31.0062 3824 Product type: Workstation
12:13:31.0062 3824 ComputerName: SAM
12:13:31.0062 3824 UserName: gandolph
12:13:31.0062 3824 Windows directory: C:\WINDOWS
12:13:31.0062 3824 System windows directory: C:\WINDOWS
12:13:31.0062 3824 Processor architecture: Intel x86
12:13:31.0062 3824 Number of processors: 2
12:13:31.0062 3824 Page size: 0x1000
12:13:31.0062 3824 Boot type: Normal boot
12:13:31.0062 3824 ============================================================
12:13:33.0171 3824 Drive \Device\Harddisk0\DR0 - Size: 0x1D1C1116000 (1863.02 Gb), SectorSize: 0x200, Cylinders: 0x3B601, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000054
12:13:33.0187 3824 Drive \Device\Harddisk1\DR1 - Size: 0x25433D6000 (149.05 Gb), SectorSize: 0x200, Cylinders: 0x4C01, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000054
12:13:33.0203 3824 \Device\Harddisk0\DR0:
12:13:33.0203 3824 MBR used
12:13:33.0203 3824 \Device\Harddisk0\DR0\Partition0: MBR, Type 0x7, StartLBA 0x3F, BlocksNum 0x3A962B1
12:13:33.0203 3824 \Device\Harddisk0\DR0\Partition1: MBR, Type 0x7, StartLBA 0x3A962F0, BlocksNum 0xEF827D1
12:13:33.0203 3824 \Device\Harddisk0\DR0\Partition2: MBR, Type 0x7, StartLBA 0x12A18AC1, BlocksNum 0xC34F2CC
12:13:33.0218 3824 \Device\Harddisk0\DR0\Partition3: MBR, Type 0x7, StartLBA 0x1ED67DCC, BlocksNum 0x1F23F38A
12:13:33.0234 3824 \Device\Harddisk0\DR0\Partition4: MBR, Type 0x7, StartLBA 0x3DFA7195, BlocksNum 0x3D08FC7E
12:13:33.0234 3824 \Device\Harddisk1\DR1:
12:13:33.0234 3824 MBR used
12:13:33.0234 3824 \Device\Harddisk1\DR1\Partition0: MBR, Type 0x7, StartLBA 0x3F, BlocksNum 0x12A18A82
12:13:33.0531 3824 Initialize success
scan a bunch of files - everything is OK
12:13:48.0515 3888 ============================================================
12:13:48.0515 3888 Scan finished
12:13:48.0515 3888 ============================================================
12:13:48.0531 3880 Detected object count: 0
12:13:48.0531 3880 Actual detected object count: 0
12:13:59.0296 3928 ============================================================
12:13:33.0531 3824 ============================================================
12:13:59.0296 3928 Scan started
12:13:59.0296 3928 Mode: Manual; TDLFS;
12:13:59.0296 3928 ============================================================
12:14:07.0875 3928 MBR (0x1B8) (671b81004fdd1588fa9ed1331c9ceca9) \Device\Harddisk0\DR0
12:14:08.0062 3928 \Device\Harddisk0\DR0 ( TDSS File System ) - warning
12:14:08.0062 3928 \Device\Harddisk0\DR0 - detected TDSS File System (1)
12:14:08.0078 3928 MBR (0x1B8) (671b81004fdd1588fa9ed1331c9ceca9) \Device\Harddisk1\DR1
12:14:08.0140 3928 \Device\Harddisk1\DR1 - ok
12:14:08.0140 3928 Boot (0x1200) (a45abe50bcd6cd7377d0eff06ce75429) \Device\Harddisk0\DR0\Partition0
12:14:08.0140 3928 \Device\Harddisk0\DR0\Partition0 - ok
12:14:08.0187 3928 Boot (0x1200) (4ee9c2d7df7c34039c36db13a414bd1d) \Device\Harddisk0\DR0\Partition1
12:14:08.0187 3928 \Device\Harddisk0\DR0\Partition1 - ok
12:14:08.0203 3928 Boot (0x1200) (938e0e53cae7382e02cd96e10c5dd0dc) \Device\Harddisk0\DR0\Partition2
12:14:08.0203 3928 \Device\Harddisk0\DR0\Partition2 - ok
12:14:08.0218 3928 Boot (0x1200) (7e4e853ca9726e35959723a10e561236) \Device\Harddisk0\DR0\Partition3
12:14:08.0218 3928 \Device\Harddisk0\DR0\Partition3 - ok
12:14:08.0234 3928 Boot (0x1200) (deda2e871b32dbdfc831e497686119a6) \Device\Harddisk0\DR0\Partition4
12:14:08.0234 3928 \Device\Harddisk0\DR0\Partition4 - ok
12:14:08.0234 3928 Boot (0x1200) (29ef3976cd62e3e90a2ab2e5f1bf33ca) \Device\Harddisk1\DR1\Partition0
12:14:08.0234 3928 \Device\Harddisk1\DR1\Partition0 - ok
scan a bunch of files everything is OK
12:14:08.0234 3928 ============================================================
12:14:08.0234 3928 Scan finished
12:14:08.0234 3928 ============================================================
12:14:08.0250 3920 Detected object count: 1
12:14:08.0250 3920 Actual detected object count: 1
12:14:37.0718 3920 \Device\Harddisk0\DR0 ( TDSS File System ) - skipped by user
12:14:37.0718 3920 \Device\Harddisk0\DR0 ( TDSS File System ) - User select action: Skip
12:14:39.0687 3816 Deinitialize success

Re-run TDSSKiller and select delete for this line

\Device\Harddisk0\DR0 ( TDSS File System )

If you have a standard system then you can fixmbr from the recovery console or ask aswMBR to do it for you

Is there any reason to fix the MBR if everything is working fine?

Could the unknown MBR code be a new unidentified rootkit?

Upload the MBR.dat [a copy of your MBR code] here:
www.virustotal.com

it is located here:
C:\Documents and Settings\gandolph\Desktop\MBR.dat

Nothing found, but if it was a new threat they wouldn’t detect it, right?

Forget true indian and wait for essexboy…!!!

Could you upload the mbr.dat to Mediafire and post the sharing link, I will then have a look at it

Copy of MBR is located here:

http://www.mediafire.com/?y7p0349z4oyiihc

I can see nothing untoward in the code - Analysis below

MBR Analyzer v1.1.1

File : C:\Users\Martin\Desktop\MBR.dat

--------------------------------------------------------------

--OFFSET--  0-1-2-3-4-5-6-7-8-9-A-B-C-D-E-F-  0123456789ABCDEF

0x00000000  33C08ED0BC007CFB5007501FFCBE1B7C  3À.м.|ûP.P.ü¾.|
0x00000010  BF1B065057B9E501F3A4CBBEBE07B104  ¿..PW¹å.ó¤Ë¾¾.±.
0x00000020  382C7C09751583C610E2F5CD188B148B  8,|.u..Æ.âõÍ....
0x00000030  EE83C610497416382C74F6BE10074EAC  î.Æ.It.8,tö¾..N¬
0x00000040  3C0074FABB0700B40ECD10EBF2894625  <.tú»..´.Í.ëò.F%
0x00000050  968A4604B4063C0E7411B40B3C0C7405  ..F.´.<.t.´.<.t.
0x00000060  3AC4752B40C64625067524BBAA5550B4  :Äu+@ÆF%.u$»ªUP´
0x00000070  41CD1358721681FB55AA7510F6C10174  AÍ.Xr..ûUªu.öÁ.t
0x00000080  0B8AE0885624C706A106EB1E886604BF  ..à.V$Ç.¡.ë..f.¿
0x00000090  0A00B801028BDC33C983FF057F038B4E  ..¸...Ü3É......N
0x000000A0  25034E02CD137229BE4607813EFE7D55  %.N.Í.r)¾F..>þ}U
0x000000B0  AA745A83EF057FDA85F67583BE2707EB  ªtZ.ï..Ú.öu.¾'.ë
0x000000C0  8A9891529903460813560AE812005AEB  ...R..F..V.è..Zë
0x000000D0  D54F74E433C0CD13EBB8000000000000  ÕOtä3ÀÍ.ë¸......
0x000000E0  5633F656565250065351BE1000568BF4  V3öVVRP.SQ¾..V.ô
0x000000F0  5052B800428A5624CD135A588D641072  PR¸.B.V$Í.ZX.d.r
0x00000100  0A4075014280C702E2F7F85EC3EB7449  .@u.B.Ç.â÷ø^ÃëtI
0x00000110  6E76616C696420706172746974696F6E  nvalid partition
0x00000120  207461626C65004572726F72206C6F61   table.Error loa
0x00000130  64696E67206F7065726174696E672073  ding operating s
0x00000140  797374656D004D697373696E67206F70  ystem.Missing op
0x00000150  65726174696E672073797374656D0000  erating system..
0x00000160  00000000000000000000000000000000  ................
0x00000170  00000000000000000000000000000000  ................
0x00000180  0000008BFC1E578BF5CB000000000000  ....ü.W.õË......
0x00000190  00000000000000000000000000000000  ................
0x000001A0  00000000000000000000000000000000  ................
0x000001B0  0000000000000000B78DB78D00008001  ........·.·.....
0x000001C0  010007FEFFFF3F000000B162A9030000  ...þ..?...±b©...
0x000001D0  C1FF07FEFFFFF062A903D127F80E00FE  Á..þ..ðb©.Ñ'ø..þ
0x000001E0  FFFF07FEFFFFC18AA112CCF2340C00FE  ...þ..Á.¡.Ìò4..þ
0x000001F0  FFFF0FFEFFFF8D7DD61E34F709CA55AA  ...þ...}Ö.4÷.ÊUª

---------------------------[ MBR ]----------------------------

MBR_CODE        : Unknown MBR Code
MD5             : FDA6AF8E884C552F21FCF497D9F7F706
SHA1            : CD49696A29D7B212EEC5FFFECDC3E37893586D2C
PARTITIONS      : 4
DISK_SIGNATURE  : B78DB78D
SIGNATURE_ID    : AA55h

-----------------------[ PARTITION 1 ]------------------------

BOOTABLE        : YES
PARTITION_TYPE  : 0x07 ( NTFS / HPFS)
PARTITION_SIZE  : 29.29 Go
STARTING_SECTOR : 63
ENDING_SECTOR   : 61432560
TOTAL_SECTORS   : 61432497

-----------------------[ PARTITION 2 ]------------------------

BOOTABLE        : NO
PARTITION_TYPE  : 0x07 ( NTFS / HPFS)
PARTITION_SIZE  : 119 Go
STARTING_SECTOR : 61432560
ENDING_SECTOR   : 312576705
TOTAL_SECTORS   : 251144145

-----------------------[ PARTITION 3 ]------------------------

BOOTABLE        : NO
PARTITION_TYPE  : 0x07 ( NTFS / HPFS)
PARTITION_SIZE  : 97.65 Go
STARTING_SECTOR : 312576705
ENDING_SECTOR   : 517373325
TOTAL_SECTORS   : 204796620

-----------------------[ PARTITION 4 ]------------------------

BOOTABLE        : NO
PARTITION_TYPE  : 0x0F ( Extended [LBA] )
PARTITION_SIZE  : 1.58 To
STARTING_SECTOR : 517373325
ENDING_SECTOR   : 3907024065
TOTAL_SECTORS   : 3389650740

Thanks! That is a relief.

What causes a problem like aswMBR to report unknown MBR code? Just a flipped bit?

It looks like an extra character at the end that is causing this
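As an added example (not code from the thread or from MBR Analyzer), a small Python parser that decodes the disk signature and partition table from the MBR.dat dump above and lists any non-zero bytes sitting in the padding between the boot message strings and the disk signature, which is where the extra bytes the analysis refers to are. The sector is reconstructed from the posted hex rows for offsets 0x160-0x1FF; the boot-code region before that is zero-filled as a placeholder, so it is not the complete sector.

```python
import struct
# Constructed input: offsets 0x160-0x1FF of the MBR.dat hex dump posted above.
# Bytes 0x000-0x15F (boot code and message strings) are zero-filled here because
# the example only inspects the padding, the disk signature and the partition table.
TAIL_HEX = (
    "00000000000000000000000000000000"  # 0x160
    "00000000000000000000000000000000"  # 0x170
    "0000008BFC1E578BF5CB000000000000"  # 0x180  seven non-zero bytes in the padding
    "00000000000000000000000000000000"  # 0x190
    "00000000000000000000000000000000"  # 0x1A0
    "0000000000000000B78DB78D00008001"  # 0x1B0  disk signature at 0x1B8, table at 0x1BE
    "010007FEFFFF3F000000B162A9030000"  # 0x1C0
    "C1FF07FEFFFFF062A903D127F80E00FE"  # 0x1D0
    "FFFF07FEFFFFC18AA112CCF2340C00FE"  # 0x1E0
    "FFFF0FFEFFFF8D7DD61E34F709CA55AA"  # 0x1F0  ends with the 55 AA boot signature
)
SECTOR = bytes(0x160) + bytes.fromhex(TAIL_HEX)

def parse_mbr(sector):
    """Decode the disk signature and the four 16-byte partition entries."""
    if len(sector) != 512 or sector[0x1FE:0x200] != b"\x55\xAA":
        raise ValueError("not an MBR: wrong length or missing 55AA signature")
    partitions = []
    for i in range(4):
        entry = sector[0x1BE + 16 * i:0x1CE + 16 * i]
        start_lba, sectors = struct.unpack_from("<II", entry, 8)  # little-endian LBA fields
        if entry[4] == 0:  # type 0 marks an empty slot
            continue
        partitions.append({"bootable": entry[0] == 0x80, "type": entry[4],
                           "start_lba": start_lba, "sectors": sectors})
    return {"disk_signature": sector[0x1B8:0x1BC].hex().upper(), "partitions": partitions}

def padding_anomalies(sector, lo=0x160, hi=0x1B8):
    """Runs of non-zero bytes between the end of the boot message strings and the
    disk signature, as [(offset, hex)]; on the posted dump this isolates 0x183-0x189."""
    runs, start = [], None
    for off in range(lo, hi + 1):
        nonzero = off < hi and sector[off] != 0
        if nonzero and start is None:
            start = off
        elif not nonzero and start is not None:
            runs.append((start, sector[start:off].hex()))
            start = None
    return runs

def partitions_contiguous(partitions):
    """True when every entry ends exactly where the next begins (no overlap, no gap)."""
    return all(a["start_lba"] + a["sectors"] == b["start_lba"]
               for a, b in zip(partitions, partitions[1:]))
```

The decoded table reproduces the MBR Analyzer figures (partition 1 bootable, type 0x07, start 63, 61432497 sectors; partition 4 type 0x0F starting at 517373325), and the entries are contiguous, so the only thing that differs from an unmodified sector is the run of bytes at 0x183.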

I’ve fixed the MBR and deleted the TDSS filesystem.

This is the config file from the TDSS filesystem that was moved to quarantine. Is there anything there that hints as to which rootkit was installed?

[main]
version=0.03
aid=30002
sid=0
rnd=1078145449
knt=1291913751
[inject]
*=cmd.dll
* (x64)=cmd64.dll
[cmd]
srv=https://86b6b96b.com/;https://lkaturl11.com/;https://kangojjm1.com/;https://lkaturl71.com/;https://9669b6b96b.com/
wsrv=http://sk0lewcho.com/;http://jikdoout0.com/;http://swltch0o.com/;http://switch18.com/;http://rammjyuke.com/
psrv=http://crj71ki813ck.com/
version=0.15
bsh=aa4c66d70ed847a791cc5a3cacb7cccb6d5acd55
delay=7200
csrv=http://lkckclckli1i.com/

Not as to the variant - but it does show the websites that it was to redirect you to

Could those be domains that the rootkit was transmitting private data to or are they just used for browser redirection?

Pretty clever code, whichever it was.

90% of the time it is for redirection - very lucrative at a penny for 10 clicks (or whatever the going rate is )

I believe the https are for programme updates because you cannot have an old version ;D

version=0.15

Thinking back on it, I do recall getting one of those fake virus scanner infections. It was a hassle to get rid of. I didn’t realize they created the TDSS filesystem. Amazing stuff.

Is the alureon-k infection often mentioned on these forums one of these redirect malware infections?

They are becoming more prevalent, and it is more difficult to remove them and detect the droppers

Are alureon-k and the others that create these rootkit TDSS hidden systems installed mainly via websites and emails with a nasty payload attached?