Hi All,
Sometimes I just have to write, because tonight I received a PhD in Vista viruses. Yes, a new generation of viruses is evolving, and this was the meanest, nastiest virus I’ve ever seen. Perhaps not deliberately, it crashes the system on boot. The virus is an emulated service with a driver attached to the file system as an alternate stream. If you can stay awake, I learned an immense amount tonight and I think people will be interested in this one.
I have a new Vista RTM Ultimate system with Avast virus protection. I opened an “iffy” file from the net, thinking that if it had a virus the virus detection would catch it. How wrong could I be? My system instantly black-screened and I saw system32:lzx32.sys whiz by, which didn’t look like a real driver name to me. It looked exactly like a virus, I thought, as I waited for my system to reboot. It almost rebooted before it crashed again. Hmmmm, I thought. So I booted the system in safe mode, only to see it crash again. “I’m in trouble….” I booted the CMD in Vista, which I think is really nice, and looked for lzx32.sys, only to find out that it wasn’t on my disk. So I rebooted, only to have lzx32.sys crash my system again.
I wheeled my old system out, booted it and connected it to the net to research this file, and found that it is associated with a rather clever virus named Backdoor.Rustock.B. It does all kinds of things to a system and is what is known as a dreaded rootkit virus because it attaches itself to a directory root.
My options as far as my system was concerned were pretty limited at the time, so I thought about the full image backup of the system disk I’d made last week and had carefully put away. I smiled as I retrieved the two dual-layered DVDs, booted the Vista DVD and finally got to the repair section to start a full PC recovery. I was beyond dismayed when, no matter what I did, the Vista full system recovery could not recognize the ever so carefully prepared backup disk. I realized that I now only had two options. I could either fix the system or spend the next week re-installing. I moaned at that. So I rebooted my old system and began reading closely on this virus. I read where it has been adapted to Vista. I was really curious about why I couldn’t find this lzx32.sys, and I began reading up on NTFS recovery tools at Sysinternals. As I read, I suddenly understood the adjective “multiple streams”. At the time, I did not know that DIR has a new /R switch, which finds multiple-stream files.
This virus also starts a pseudo service and has a registry key. So I booted the DVD again and tried to use regedit, but I realized that regedit was referencing the DVD’s ramdisk registry and the registry on the C drive. Hmmmm, are there any registry editors that can edit a group of registry files? Regedit would not import relevant registry files. I sat back and thought about this and realized that I was in more trouble than I thought. Most virus scanners and detectors are designed to run on running systems. There aren’t many products that run on a virtually dead system. I began to realize just how much trouble I was in and began to look at tools for spotting rootkits. On my old system, I downloaded a number of promising forensics tools, copied them to a flash disk and rebooted the Vista DVD. One by one I watched these tools simply die in their execution. One called Blacklight and another called LNS had looked really promising, but they both failed. I was down to one last little 32KB command line program called LADS. At least it could see the offending virus, and I also had a plan on how to kill it, and the tool is surprising. From FAQ: NTFS and ADS there was this set of instructions:
The method above does not work when the ADS is attached to a directory. If you need to remove, for instance c:\Windows:harmful.exe without reinstalling Windows, you could use this trick. (If you use NT 5.x, you need a copy of Notepad.exe from NT 4!)
1. Open the ADS with Notepad:
C:\NT4Tools\Notepad.exe c:\Windows:harmful.exe
2. Delete the entire content of the ADS
3. Close notepad. It will ask whether you want to save your changes
4. Answer YES
5. Notepad will tell you that the file is empty and that it will delete it
The sophisticated tool for killing this kind of file is Notepad! Only Notepad would not open it. So I tried Notepad2, and it wouldn’t open it. LADS did detect the driver, but it gave the wrong filespec of c:\windows\system32\:lzx32.sys. I realized that LADS should not have put in the last “\” and removed that in my command to Notepad2:
C:\Windows\Notepad c:\windows\system32:lzx32.sys
I watched Notepad fill up with binary, which was the dreaded lzx32.sys itself. HAPPILY I did a Control-A and then hit the Delete key and watched the editor clear. I then saved the empty file and rebooted my system. As soon as I logged on I ran Avast, and Avast found several of Backdoor.Rustock.B’s friends. Then it informed me that there was a kernel hook and that the system should be rebooted and a boot time scan needed to be made. That was really impressive to watch. Finally, I rebooted the system and used regedit to delete the registry entry for the pseudo service, and Vista is working fine.
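For readers who want to check their own machines for the same kind of hiding place, here is an added PowerShell example (not part of the original post, and not one of the tools mentioned in it) that lists alternate data streams attached to directories such as C:\Windows\System32, and can remove a named stream once you are sure it is hostile. It assumes Windows PowerShell 3.0 or later on an NTFS volume and an elevated prompt; the `$benign` list and the sample stream name `lzx32.sys` are taken from the story above and are assumptions, not a complete whitelist.

```powershell
# Added example: find and (optionally) remove alternate data streams (ADS)
# attached to directories or files. Default targets are the Windows and
# System32 directories, the hiding place described in the post above.
param(
    [string[]]$Paths = @("$env:SystemRoot", "$env:SystemRoot\System32"),
    [string]$RemoveStream,   # stream name only, e.g. 'lzx32.sys' (no colon)
    [switch]$WhatIf          # report what would be deleted without deleting
)

# Streams that are normal on Windows; anything else is worth a closer look.
# (Assumed minimal list; extend it for your own environment.)
$benign = @(':$DATA', 'Zone.Identifier')

function Get-SuspiciousStreams {
    param([string[]]$Targets)
    foreach ($t in $Targets) {
        # -Stream * enumerates every named stream, on directories as well
        # as files, so a directory-attached driver like System32:lzx32.sys
        # shows up here even though DIR without /R never lists it.
        Get-Item -LiteralPath $t -Stream * -ErrorAction SilentlyContinue |
            Where-Object { $benign -notcontains $_.Stream } |
            Select-Object @{ n = 'Path'; e = { $_.FileName } }, Stream, Length
    }
}

$hits = Get-SuspiciousStreams -Targets $Paths
if (-not $hits) {
    Write-Host "No unexpected alternate data streams found under: $($Paths -join ', ')"
    return
}
$hits | Format-Table -AutoSize

if ($RemoveStream) {
    foreach ($h in $hits | Where-Object { $_.Stream -eq $RemoveStream }) {
        # Deleting the named stream removes only that stream; the directory
        # (or file) it was attached to and its normal contents are untouched.
        # This is the same end result as emptying it in Notepad, without the
        # editor having to load the binary first.
        $target = "$($h.Path):$($h.Stream)"
        if ($WhatIf) {
            Write-Host "Would remove $target ($($h.Length) bytes)"
        } else {
            Remove-Item -LiteralPath $h.Path -Stream $h.Stream -ErrorAction Stop
            Write-Host "Removed $target"
        }
    }
}
```

Run it with no arguments to get a report only, and add `-RemoveStream lzx32.sys -WhatIf` first to confirm exactly which stream would go before running it without `-WhatIf`.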
So I have a message for the developer in Russia who wrote this. Sir, you’ve been had by a sixty-year-old woman in the US. Yes, you cost me an evening and I learned a lot – but we have your number. pbpbpbpbpbpb. What's worse is that you've been had by Notepad, the rootkit virus killer!!!!!