Worst infection to date: Beware

  #1 Registered User (Join Date: Apr 2001; Location: Medicine Hat Alberta; Posts: 144)

    Worst infection to date: Beware

    Hi,

    I was fortunate enough to be one of the lucky people to encounter a new type of infection that makes every other infection look like child's play.

    This new infection is called: Backdoor.Tdss.565
    It infects random device drivers, installs as an MBR rootkit, and the body of its contents is found in a hidden and encrypted partition at the end of the hard-drive. Once infected, there have been attempts by antivirus and malware companies to remove this infection, but I am here to tell you: ESET NOD32, SUPERAntiSpyware, Malwarebytes, ComboFix, Spybot, Ad-Aware, Norton Antivirus, Kaspersky, BitDefender, UnHackMe, and Dr.Web CureIt cannot remove this infection once it is active. However, out of the above mentioned, the only products that actually detect the presence of this infection are CureIt and a special tool made by Kaspersky which was intended to remove this infection but doesn't.

    This infection is a backdoor program; it allows someone else to have full control of the system while also filtering and blocking certain websites such as windowsupdate.microsoft.com.

    I have attempted to use several Linux antivirus boot CDs to perform a scan while the hard-drive is not in use by the operating system, and this infection stops those scans dead in their tracks.

    Be careful of this infection. I believe this stemmed from visiting a website in the third world country of Holland having to do with DHL shipping information. But the page came up saying "this page cannot be displayed", and by that time it was too late. By visiting the site containing the infection, something exploited IE8; the infection sat dormant for 3 to 4 days before it was initiated on the workstation, then it started downloading and installing massive amounts of malware, false security programs and pop-ups. I got everything under the sun. Now the only infection that remains is Backdoor.Tdss.565, and I'm having a hell of a time removing it.

  #2 Niclo Iste, Registered User (Join Date: Oct 2007; Location: Pgh, PA; Posts: 2,051)
    Have you tried the GMER tool? Also, just out of curiosity, have you tried a designated viral scanning machine with the drive slaved in, preferably with a USB plug-in adaptor for the drive?

  #3 Registered User (Join Date: Apr 2001; Location: Medicine Hat Alberta; Posts: 144)

    More info

    I will see what I can do. I know how I got it. The unfortunate part was that I wasn't careful enough. I was tracing the spyware back to the source from a client who had a malicious e-mail about DHL. I tracked the IP down and, out of curiosity, I tried to open the tracked IP in my web browser. That was when the page came up saying: This Page Cannot Be Displayed. During that time a tmp file was saved in my IE folder and sat there for several days, dormant. The first sign of my system being infected was a 7200 RPM hard-drive performing at about 5400 RPM. Shortly after that I noticed that my Sun Java client was opening many times in the system tray. A bit nervous about the Java activity, I uninstalled the Sun Java client. Then I immediately received many pop-ups and security warnings without iexplore.exe even running. It just all happened at once. Within a period of 2 minutes I was unable to open my Task Manager due to restrictive policies, and unable to open regedit without rebooting or logging off. I knew I was in trouble when I couldn't even reboot my computer using any method other than a hard shutdown. I used Malwarebytes, CureIt, ComboFix, and SUPERAntiSpyware from safe mode. That eliminated 99.9 percent of the malware. I am now left with this single MBR rootkit called Backdoor.TDSS.565. It redirects the browser, disables certain websites, and also attempts to hide in memory under tasks like svchost and mobysync.

    I am currently running the Dr.Web Live CD and trying an offline scan, which appears to be still running but not finding anything.

    I also have run the GMER tool, which does indicate a part of the infection as being C:\windows\system32\drivers\TSK8.tmp.
    In the registry under HKLM\System\CurrentControlSet\Services\Atapi, the ImagePath name has been altered to TSK8.tmp. Please note that every time I kill this tmp file, convert the registry back to atapi.sys, replace the atapi.sys file from the I386 folder on my XP CD, cold boot to the XP Recovery Console, run fixmbr, and cold boot again, the TSK8.tmp gets incremented to TSK9.tmp. So needless to say there is another rogue association going on. I believe this association is not visible using the rootkit method, but I think it might have to do with an alteration to the partition table. It is very stubborn. I have also tried running another program from safe mode which was designed to remove this specific infection. It is similar to the GMER tool, but it is by ESAGELAB.com and I think it's called TDSS Remover. However, it sometimes freezes the machine up, or other times doesn't yield a result. If it does find the infection I've told it to remove it, but it surfaces again after a cold restart.

    I'm really at a loss. However, I'd love to trace back my steps once this is fixed and find out how to get this again, or if there was some way I could trap my existing infection I'd be more than happy to send it to you, as in 10 years of removing infections I have never seen one this bad. I thought the Mebroot virus was bad, but I'd have to say this infection I currently have has one-upped Mebroot.

    Sorry for the lengthy post.
    Paul
    Last edited by pbolduc; April 9th, 2010 at 11:48 PM. Reason: Providing More Information

  #4 Registered User (Join Date: Apr 2001; Location: Medicine Hat Alberta; Posts: 144)

    Ok

    Okay, so I am the e-mail administrator for this user who infected me. Funny thing is, they were protected thanks to running as a Domain User with policy restrictions and running the latest version of SEPS. I will go back into the e-mail archive backups I take every night, source out this specific e-mail, and send you the wonderful IP address this infection is coming from, and wish you the best. For the record, I am more stubborn than this infection; I will not let it get the best of me. As of this point I've been able to remove all infections with the help of wonderful tools and persistence. I will prevail, and if I am really lucky I'll be able to track the author of this infection down so I can take a bit of holiday and kick some ***.

  #5 Ferrit, Registered User (Join Date: Apr 2001; Location: Vancouver Island The Real Canada; Posts: 4,952)
    I don't see anything about Rootkit Repeal there, or RootkitRevealer from Sysinternals. You could try those, possibly. I also have a rootkit scanner by, of all things, AVG which I have found very good. It was a beta on their site when I found it while looking for rootkit programs. If none of the above works, let me know.

  #6 Registered User (Join Date: Apr 2001; Location: Medicine Hat Alberta; Posts: 144)
    Quote Originally Posted by Ferrit:
        I don't see anything about Rootkit Repeal there, or RootkitRevealer from Sysinternals. You could try those, possibly. I also have a rootkit scanner by, of all things, AVG which I have found very good. It was a beta on their site when I found it while looking for rootkit programs. If none of the above works, let me know.

    Hi Ferrit,

    This infection is more than just a rootkit. The obvious sign of infection is the rootkit portion of it. The second part of the infection is in an encrypted area of the drive. I cannot remove it, and no antivirus software has been able to remove it or see that it is even active. This infection runs below the operating system level and is practically non-existent, as it has such a small footprint. I need some serious help with this infection; it's driving me nuts.

  #7 slgrieb, Registered User (Join Date: Feb 2003; Posts: 4,103)
    Haven't seen this variant, but I would think you should be able to remove the encrypted files by either using the file management utility in a BartPE disk or, at worst, a disk editor like Runtime's DiskExplorer, Acronis Disk Director, HxD, etc.

  #8 Registered User (Join Date: Apr 2001; Location: Medicine Hat Alberta; Posts: 144)

    Just an update

    For those curious and following my complaints.

    So far I've run about half a dozen rootkit tools: Sysinternals, AVG Rootkit Repealer, and Sophos, the whole gamut. This infection is looking more like a file system infection acting as a rootkit. It has no problem crashing and turning off ESET NOD32. I have installed Microsoft Security Essentials and I have run full system scans remotely using CureIt and the CureIt live CD. Nothing detects this infection. It does some modification to the atapi.sys driver as well as ACPI and a few others. Where this infection is stemming from is really hard to spot. Next to impossible. Rootkit finders don't show a whole lot of information, and when I do get close to finding the initial infection it freezes my computer solid, forcing a reboot. This infection also has no problem downloading and installing malware all by itself. It also has total control over my network card. Sometimes I can't even disable the NIC in time, or disable it at all. It controls what I do and where I go. Congrats to the smart *** who created this beast of an infection. They've managed to go around all checks and scans and dominate the PC while being almost completely untraceable. I am not sure I have time to contact the nice people with ComboFix regarding this infection, as it is probably faster just to kill all partitions and the MBR and restart again. But before I give up on this I am still hoping someone out there has another suggestion, as I've exhausted everything I know how to do.

  #9 geoscomp, Registered User (Join Date: Apr 2002; Location: Minnesota; Posts: 2,340)
    This IS a nasty one. So far, formatting, zero filling and reinstalling are the only things I've found that work. To read more about how it works, check here:
    http://www.drweb.com/static/BackDoor...20TDL3)_en.pdf

  #10 Registered User (Join Date: Apr 2001; Location: Medicine Hat Alberta; Posts: 144)

    Well, I'm glad I'm not alone

    Yep, that article touches on what I am experiencing over here. Pure hell! I've managed to contain it and stop it from spreading; however, I still haven't been able to totally terminate the sucker yet. The fight continues! Oh, just for the record, I'm saving my infected files for those who want to experience this joy too! =)

  #11 Registered User (Join Date: Apr 2001; Location: Medicine Hat Alberta; Posts: 144)

    Finally Free!!!!!!

    Hi,

    Okay, I've managed to kill the infection. I will post the details later, as the only thing that has kept me going for this long is my insanity and nerves. I wasn't able to use any scan tools, rootkit tools or antivirus tools, and this fix was a lengthy manual process. It had nothing to do with the partition tables though, or if it did, the infection has now been removed and unlinked from any association with the partition information. For now, to make a long story short, it was merely a few registry keys and pesky files that needed to be removed outside of the operating system. I will elaborate more when I get some sleep.

    If I had a girlfriend or wife they would have probably left me by now. Anyway, I would like to extend a huge THANK YOU to the WinDrivers forums community for pulling together and offering assistance. It was very much appreciated to know you were there, willing to help and right by my side. You guys are a great bunch!

    Take care and I'll be back!

  #12 Registered User (Join Date: Apr 2010; Posts: 2)

    Thumbs up I have the same trojan

    That's great news! I have tried lots and lots of programs and tools and it's still active. Almost there to reinstall Vista, so please show us how you did it.

  #13 Registered User (Join Date: Apr 2001; Location: Medicine Hat Alberta; Posts: 144)

    How I did it.

    Okay, so I'm going to make this as short and sweet as possible, posting my exact steps taken to remove this invisible infection. PLEASE NOTE: This process only works for Microsoft Windows XP. This will not work with Vista or Windows 7; I am unfamiliar with that process. At the end I will make suggestions as to how you might want to tackle that.

    There are some prerequisites that a person will need and these are:

    1) An XP CD with an integrated service pack of the same level as the operating system currently infected.
    2) Winternals ERD Commander for remote registry editing and System Restore functionality (explained later).

    With my latest infection, backdoor.tdss.565, the latest variant still has no removal tool or process for it yet, nor do any rootkit revealer programs have any success removing this infection. This infection infected my atapi.sys as well as a couple of other kernel mode drivers, which would continually re-infect the system upon cold reboot. The infection runs out of an invisible encrypted virtual RAM drive and for the average user is impossible to spot. Thanks to MBR.exe and TDSSKiller by Kaspersky Labs; these tools were useful in diagnosing whether the infection was still active in the kernel, and now no traces are left behind or running.

    My first steps were:
    Remove all malware infections from safe mode, with updated program definitions, using:
    1) Combo-fix
    2) Malware-bytes
    3) Super-Anti-spyware
    4) Spybot Search & Destroy

    Second Step: Once clean of malware, create a System Restore point. Create this restore point in Normal mode, but make sure the network cable is unplugged to prevent further malware re-infection. This restore point will be used later.

    Third Step: Boot off the Winternals ERD disk, or put the hard-drive in another computer so that you can view the file system without the operating system running.

    1) Navigate to the infected %systemroot%\system32\drivers folder and delete all *.tmp files, in my case tsk3.tmp and tsk5.tmp. There were a few other suspicious files I removed later from the C:\windows folder (explained later).

    2) Reboot the PC, boot off the XP CD and choose to perform a repair install. This will remove all kernel mode drivers and IE migration files and replace them with clean original files. It will also update the registry security permissions and values with the proper information for these drivers, without the infection information.

    IMPORTANT: Do not continue with XP Setup after the text-based setup is complete.

    3) Immediately boot off the Winternals ERD disk. Restore your computer, using the restore point feature, to the last restore point you created. This will back-date the registry to before you began the repair installation, allowing you to skip the XP GUI-based portion of the installation.

    4) Mount the now infected registry hive, %systemroot%\system32\drivers\config\system, and navigate to HKLM\System\CurrentControlSet\Services\Atapi.

    Make sure the "Image Path" value is system32\DRIVERS\atapi.sys and not tsk3.tmp or tsk5.tmp. Do this for all CurrentControlSets.

    5) Reboot the PC into Normal Mode.

    After doing so I still received a Stop error, at which point I booted back up with System Commander and checked all security permissions on atapi.sys in the registry. Not changing but just viewing these permissions, I ensured the security was set to inherit permissions from the parent key and that the security/user permissions were propagating as they are supposed to. Rebooting again allowed me to boot directly into Windows, and after that I used tdsskiller.exe and MBR.exe to verify the infection was no longer active. At this point I was able to see the other remaining registry keys, files and services associated with the infection. I deleted these services manually from the command line using sc delete "Service Name", noting their associated file path and manually deleting the associated files, now visible and pathed out in the registry under the Services key in HKLM.

    Windowsupdate.microsoft.com is no longer blocked and Windows updates are now installing.

    6) If you had IE7 or IE8 installed prior to these steps, you'll notice they will no longer start. Navigate to C:\windows\ie8 or C:\windows\ie7 respectively and use spuninst.exe to back-date IE. Reboot, then re-install IE8. This functionality was removed when doing the text portion of the XP repair installation.


    For Vista: I would move the hard-drive to another PC and navigate to the infected windows\system32\drivers. Delete all *.tmp files from this folder. I would also manually rename the atapi.sys kernel driver to atapi.sys.bad, as well as the copy in C:\windows\system32\dllcache, and expand fresh copies from the Vista media disk in place of the old files. Also, somehow you need to load the registry remotely and check the HKLM\System\CurrentControlSet\Services\Atapi location. Make sure this ImagePath doesn't point to anything other than the atapi.sys file in the Windows system32 folder.

    I have also noticed that there are typically associated infection files found in the user profile temp folder of whoever infected the PC, as well as in their Application Data folder. I would recommend skimming through these folders to ensure nothing out of the ordinary is there. All .tmp files should be deleted in any temp folder to ensure nothing is accidentally missed.

    Download and run tdsskiller.exe to find out if you are still infected once you have replaced those files and removed the associated tmp files. Hopefully you should be good to go. Let me know if you have any questions about this process.

    Something you may want to try: http://www.freepcsecurity.co.uk/2009.../tdss-updated/ Now, I attempted using this program; however, it never actually ran for me, as the infection disabled this program from running. Hopefully on Vista you will have better luck.

    The TDSS remover program I am referring to, which I mentioned earlier, I found at Kaspersky Labs.
    The Kaspersky tool can be found here: http://support.kaspersky.com/downloa...tdsskiller.zip

    In closing, please note that my infection was with the atapi.sys file; however, this infection could potentially infect different drivers such as iastor.sys. I guess it depends on what hard-drive controller the hard-drive is making use of, or whatever it latches onto in the mass storage area.
    Last edited by pbolduc; April 11th, 2010 at 10:09 PM. Reason: grammatical errors
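    The two checks that recur in this thread, a storage driver's ImagePath retargeted to a *.tmp file (post #3 and step 4 above) and stray *.tmp files in system32\drivers (step 1 above), can be audited in one pass instead of by hand. The PowerShell below is an added example; it is not code from this thread, and it is not part of GMER, TDSSKiller or any other tool named here. It walks every ControlSet rather than just CurrentControlSet, and the -OfflineHive switch (with an assumed D:\ example path) covers the case where the drive is slaved into a clean machine, as Niclo Iste suggested. The driver names in $WatchedDrivers are the ones this thread reports as affected; extend the list for other controllers. It reports and never deletes, so the output is something to review before acting on.

```powershell
# Added example (not from the thread or from any tool it names): audit the two
# indicators pbolduc describes, a kernel driver's ImagePath retargeted to a
# *.tmp file and stray *.tmp files in system32\drivers, across every ControlSet.
# Run from an elevated prompt. -OfflineHive lets you point at the SYSTEM hive of
# a drive slaved into a clean machine, e.g. D:\Windows\System32\config\SYSTEM
# (an assumed path; adjust to where the slaved drive mounted).
param(
    [string]$OfflineHive = "",
    [string]$DriversDir  = "$env:SystemRoot\System32\drivers"
)

# Drivers the thread reports as hijacked; each one's ImagePath must end in <name>.sys
$WatchedDrivers = @("atapi", "iastor", "acpi", "serial")

function Find-DriverImagePathAnomalies {
    param([string]$HiveRoot)
    $findings = @()
    # CurrentControlSet is a link to one of these, so checking ControlSet00N covers it
    $controlSets = Get-ChildItem -Path $HiveRoot |
        Where-Object { $_.PSChildName -like "ControlSet*" }
    foreach ($cs in $controlSets) {
        $services = Get-ChildItem -Path "$($cs.PSPath)\Services" -ErrorAction SilentlyContinue
        foreach ($svc in $services) {
            $props = Get-ItemProperty -Path $svc.PSPath -ErrorAction SilentlyContinue
            if (-not $props -or -not $props.ImagePath) { continue }
            $img  = ([string]$props.ImagePath).Trim('"')
            $leaf = ($img -split '\\')[-1]          # file-name portion of the path
            $name = $svc.PSChildName
            $reason = $null
            if ($leaf -match '\.tmp$') {
                $reason = "ImagePath points at a .tmp file"
            } elseif ($WatchedDrivers -contains $name -and $leaf -ne "$name.sys") {
                $reason = "ImagePath does not end in $name.sys"
            }
            if ($reason) {
                $findings += [pscustomobject]@{
                    ControlSet = $cs.PSChildName
                    Service    = $name
                    ImagePath  = $img
                    Reason     = $reason
                }
            }
        }
    }
    return $findings
}

function Find-StrayDriverTmpFiles {
    param([string]$Dir)
    # Legitimate drivers are *.sys; a *.tmp here is something to inspect, never to run
    Get-ChildItem -Path $Dir -Filter "*.tmp" -File -Force -ErrorAction SilentlyContinue |
        Select-Object FullName, Length, CreationTime, LastWriteTime
}

$hiveRoot = "HKLM:\SYSTEM"
if ($OfflineHive) {
    # Mount the slaved drive's hive under a temporary key for the duration of the check
    reg.exe load "HKLM\OfflineSys" $OfflineHive | Out-Null
    $hiveRoot = "HKLM:\OfflineSys"
}
try {
    "== Driver ImagePath anomalies =="
    Find-DriverImagePathAnomalies -HiveRoot $hiveRoot | Format-Table -AutoSize
    "== *.tmp files in $DriversDir =="
    Find-StrayDriverTmpFiles -Dir $DriversDir | Format-Table -AutoSize
}
finally {
    if ($OfflineHive) {
        [gc]::Collect()                     # release handles so the hive can unload
        reg.exe unload "HKLM\OfflineSys" | Out-Null
    }
}
```

    Usage: save as Check-DriverHijack.ps1 and run it elevated on the suspect machine, or with -OfflineHive D:\Windows\System32\config\SYSTEM -DriversDir D:\Windows\System32\drivers against a slaved drive. A live system that hides the file, as described in this thread, will show a clean drivers listing but can still show the ImagePath mismatch, which is why the offline run is the one to trust.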

  #14 slgrieb, Registered User (Join Date: Feb 2003; Posts: 4,103)
    Very interesting, and thanks for the update!

  #15 Registered User (Join Date: Apr 2010; Posts: 2)

    Disinfected, finally!

    Thanks for the description pbolduc, but I was able to get rid of it with a combination of the newest CureIt from Dr.Web and NOD32, and luck, I guess. After 2 days I tried one more time a scan with the newest update from CureIt, and it found the trojan in serial.sys, and NOD32 detected a .tmp virus in the drivers folder at the same time with the name Win32/Olmarik.XG. I think the scanning of CureIt triggered the real-time protection of NOD32 on this temp file. That broke the cycle of infection: tdsskiller can't find anything, CureIt is OK, Windows Update is working again and the C partition is back in Disk Management. Strange that NOD32 never detected anything with the full scans. I also ran a registry cleaner to get rid of the virus leftovers (I hope).
    Not sure yet if it's completely gone, but it seems to be OK.

    I can imagine that this virus is causing havoc now because there is no protection; only Vista/Win7 UAC can stop this from happening when visiting an infected website. I think it used Java for the infection, not sure yet.
