All In Tech

Recently one of the graphic designers at my work brought his laptop in and asked me to have a look at it for him. The symptoms were simple. When it booted up whether to safe mode or normally it would just boot into a blank screen with a mouse pointer(active) showing.

A bit of googling revealed that a worm has been going around which causes the above symptoms. It installs a file in C:\Windows and adds a registry value into HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 named midi9 with a fairly random looking value that from memory was along the lines of C:\windows\system32\..\vqfasf.tmp wqerkjla. As you notice the ..\ actually puts the file back into C:\windows so a bit of subterfuge there in hiding the file.

The one site I found that talked about how to fix it advised copying the registry file from C:\windows\system32\config and loading the hive in another computer to remove the registry entry.

Rather than doing this I found it was easier to delete the file using NibleX instead and then booted without any issues and removed the entry from the registry.

The original article I saw the information in regarding the worm and removal method can be found here(google translated since its in Korean): http://translate.google.com/translate?hl=en&sl=ko&tl=en&u=http%3A%2F%2Fcore.ahnlab.com%2F58

Some quick instructions:

I used SARDU with NimbleX and NT Passwd to make the changes

1. First boot up with NT Passwd to use the registry editor to retrieve the filename

1. Select the windows volume and choose Option 2(Recovery Console option)
2. use cd to navigate to the registry key (Microsoft\Windows NT\CurrentVersion\Drivers32
3. use ls to list registry values  and type to display the setting of a value(eg type midi9)

2. Take note of the filename that you need to delete, reboot into NimbleX CLI mode( or GUI if you prefer)

3. Run mount -t ntfs-3g -o force /dev/sda1 /mnt/sda1 ( The force is required as the volume is most likely dirty from being improperly shutdown)

4. Browse to and deleted the file then rebooted into windows

5. Remove the registry entry you navigated to earlier

An update to this post:

I found out a little later that the worm spreads through USB after the Graphic Designer got reinfected so after removing worm make sure before you put any other USB drives into your system you follow the instructions at http://www.sizlopedia.com/2008/03/18/disable-usb-autorun-to-save-pc-from-usb-viruses/.

SARDU and NimbleX as mentioned in the post can be found at http://www.sarducd.it/index.html with a video tutorial available by clicking ‘Tutorial’ on the left hand side menu.

Be the first to like.

Like

Unlike

I have created a google dork honeypot over the weekend.

The reason behind this project is to hopefully be able to graph some results in the coming months as to just how much google dorks are being used by the modern day worms to spread.

You can view the static page at paymentgatewayonline.info

Be the first to like.

Like

Unlike

Recently I came across a very useful tool that any system repairer should have in their toolbox. The tool is named SARDU(Shardana Anvirus Rescue Disk Utility) and is available from http://www.sarducd.it/

The tools it is set up to provide are:

Antivirus

• Avira
• Bit Defender
• Dr. Web
• F-Secure
• GData
• Kaspersky
• Panda Security
• VirusBlokAda

At the time of writing it can only automatically update the antivirus definitions on your USB stick for Avira, F-Secure and Kaspersky.

For Utilities it includes:

• Windows 98 Boot Disk
• Clonezilla
• Gparted
• NT Pwd
• Parted Magic
• System Rescue CD
• Ultimate Boot CD

It also provides some small Linux Distros to use:

• Austrumi
• Damn Small Linux
• NimbleX
• Puppy Linux
• Slax

And lastly it also allows you to use one of several available WinPE:

• Live XP
• Mega Lab CD
• Windows PE
• UBCD 4 Win
• VistaPE

The utility is excellent and very easy to use. You get all the utilities you want to use(links are included on the site), place them in the iso folder and click the Make Bootable USB option and it’ll start extracting and collating the files. It automatically detects which of its options you have in the iso folder(no need to click on the checkboxes) and will tick all the ones that apply. As it finishs processing each item it will turn the background color green so its easy to see where it is up to.

Once it has finished it will ask you to select your USB drive. The USB drive will need to be formatted as a FAT32 volume to function and spacewise mine is sitting at 1.67gb at present with all the Antivirus software, NimbleX and Slax, UBCD, Clonezilla, Parted Magic, NT Pwd, System Rescue CD and Ultimate Boot CD. I didn’t try out any of the WinPE options yet.

Downloading all the necessary files was ~1.5 GB and updating the Antivirus was fast for Alvira and F-Secure however Kaspersky takes awhile due to the large number of files to download. The application does warn that its slow updating Kaspersky however.

All together a tool I’d recommend anyone add to their toolkit for its utility and ease of updating.

Be the first to like.

Like

Unlike