Hello all,

Here you will find a short write-up about new rootkit discovered recently.

And once again big thanks to Tammy & MJ

http://www2.gmer.net/mbr/

Regards,
Gmer

Wow! Thanks gmer. Much appreciated.

_________________

Microsoft MVP Consumer Security 2006, 2007 & 2008

I did see something about this on MR. Interesting, thanks and glad Gmer detects it:

_________________
Negster22 - MS MVP - Consumer Security 2006-2008

A removal update -

If you have a Dell computer you can't run fixmbr from the recovery console to restore your MBR in the event you become infected with an MBR rootkit.

Because Dell has proprietary code on its MBR, you should instead make a backup copy of any Dell PC's MBR so you can restore it in the event of corruption. To make the backup you can use mbrsaver which is program contained in a set of utilities called dsrfix. You can download dsrfix.zip here:
http://www.goodells.net/dellrestore/files/dsrfix.zip

Read about the MBR backup/restore commands here:
http://www.goodells.net/dellrestore/fixmbr.htm

I have written up a detailed procedure here to backup and restore your MBR:

First, you will also need to make a DOS boot disk as follows:
In XP

• Insert a floppy disk into the floppy drive of an uninfected Windows PC
  
• Click My Computer
  
• Select the floppy drive letter - let's assume it's A:
  
• Right-click A: and select "format", check the "Create an MS-DOS startup disk".
  
• Click Start
  
• You will get a confirmation message when the format is complete.
  
• Remove the boot floppy and boot into Windows normally.

• Download dsrfix.zip
  
• Extract dsrzip to a folder you create such as C:\dsrfix (there will be four files extracted, but you only need to use one of them.)
  
• Insert the boot floppy in the floppy driver, again.
  
• Copy the file mbrsaver.com to the boot floppy.
  
• Change your boot sequence in Setup (usually triggered by hitting the F2 key at system restart), so your PC boots to the floppy device first (if necessary)
  
• Reboot to the floppy.
  
• To save the Dell MBR, type in the following command and hit Enter:
  mbrsaver /s dellmbr.bin
  
• Now the MBR is saved in the file dellmbr.bin

_________________
Negster22 - MS MVP - Consumer Security 2006-2008

Thank you negster22

One more thing to add, if you do not have a copy of MBR you can use bootable Linux to restore original MBR stored in sector 62.

Thanks for that alternative method using a bootable Linux CD.

Gmer passed this Washington Post article on to me about the new MBR rootkit and Gmer's ability to detect it so - I am passing it on.
http://blog.washingtonpost.com/securityfix/

Excellent work, Gmer!!

_________________
Negster22 - MS MVP - Consumer Security 2006-2008

You also have the FIXMBR command you can run from the recovery console or a BOOTCD

And do not forget the old hex-editor, you can keep a copy of your MBR, I usually do it when I first create a disk copy MBR to Sector 2. (C-0, H-0, S-1) to (C-0, H-0, S-2).

You can always just load up the disk in another machine copy S-2 back to S-1.

Dave

By the way...
Hello N and L... and everyone for that matter. I hope everyone is enjoying a phenomenal new year!!

Dave