IT Community - Software Programming, Web Development and Technical Support

nex genera virus - vista

#1  prasannavigneshr (D-Web Incredible), 08-01-2007, 04:11 AM
nex genera virus - vista

Hi All,

Sometimes I just have to write because tonight I received a PhD in Vista viruses. Yes, a new generation of viruses is evolving and this was the meanest, nastiest virus I've ever seen. Perhaps not deliberately, it crashes the system on boot. The virus is an emulated service with a driver attached to the file system as an alternate stream. If you can stay awake, I learned an immense amount tonight and I think people will be interested in this one.

I have a new Vista RTM Ultimate system with Avast virus protection. I opened an "iffy" file from the net thinking that if it had a virus, the virus detection would catch it. How wrong could I be? My system instantly black-screened and I saw system32:lzx32.sys whiz by, which didn't look like a real driver name to me. It looked exactly like a virus, I thought as I waited for my system to reboot. It almost rebooted before it crashed again. Hmmmm, I thought. So I booted the system in safe mode only to see it crash again. "I'm in trouble...." I booted the CMD in Vista, which I think is really nice, and looked for lzx32.sys only to find out that it wasn't on my disk. So I rebooted only to have lzx32.sys crash my system again.

I wheeled my old system out, booted it and connected it to the net to research this file, and found that it is associated with a rather clever virus named Backdoor.Rustock.B. It does all kinds of things to a system and is what is known as a dreaded rootkit virus because it attaches itself to a directory root.

My options as far as my system was concerned were pretty limited at the time, so I thought about the full image backup of the system disk I'd made last week and had carefully put away. I smiled as I retrieved the two dual-layer DVDs, booted the Vista DVD and finally got to the repair section to start a full PC recovery. I was beyond dismayed when, no matter what I did, the Vista full system recovery could not recognize the ever so carefully prepared backup disk. I realized that I now only had two options. I could either fix the system or spend the next week re-installing. I moaned at that. So I rebooted my old system and began reading closely on this virus. I read where it has been adapted to Vista. I was really curious about why I couldn't find this lzx32.sys and I began reading up on NTFS recovery tools at Sysinternals. As I read I suddenly understood the adjective "multiple streams". At the time, I did not know that DIR has a new /R switch, which finds multiple-stream files.

This virus also starts a pseudo service and has a registry key. So I booted the DVD again and tried to use regedit, but I realized that regedit was referencing the DVD's ramdisk registry and the registry on the C drive. Hmmmm, are there any registry editors that can edit a group of registry files? Regedit would not import relevant registry files. I sat back and thought about this and realized that I was in more trouble than I thought. Most virus scanners and detectors are designed to run on running systems. There aren't many products that run on a virtually dead system. I began to realize just how much trouble I was in and began to look at tools for spotting rootkits. On my old system, I downloaded a number of promising forensics tools, copied them to a flash disk and rebooted the Vista DVD. One by one I watched these tools simply die in their execution. One called Blacklight and another called LNS had looked really promising but they both failed. I was down to one last little 32KB command line program called LADS. At least it could see the offending virus, and I also had a plan on how to kill it, and the tool is surprising. From FAQ: NTFS and ADS there was this set of instructions:

The method above does not work when the ADS is attached to a directory. If you need to remove, for instance c:\Windows:harmful.exe without reinstalling Windows, you could use this trick. (If you use NT 5.x, you need a copy of Notepad.exe from NT 4!)

1. Open the ADS with Notepad:
C:\NT4Tools\Notepad.exe c:\Windows:harmful.exe

2. Delete the entire content of the ADS

3. Close notepad. It will ask whether you want to save your changes

4. Answer YES

5. Notepad will tell you that the file is empty and that it will delete it

The sophisticated tool for killing this kind of file is Notepad! Only Notepad would not open it. So I tried Notepad2 and it wouldn't open it. LADS did detect the driver but it gave the wrong filespec of c:\windows\system32\:lzx32.sys. I realized that LADS should not have put in the last "\" and removed that in my command to Notepad2:

C:\Windows\Notepad c:\windows\system32:lzx32.sys and watched Notepad fill up with binary, which was the dreaded lzx32.sys itself. HAPPILY I did a Control-A and then hit the Delete key and watched the editor clear. I then saved the empty file and rebooted my system. As soon as I logged on I ran Avast and Avast found several of Backdoor.Rustock.B's friends. Then it informed me that there was a kernel hook and that the system should be rebooted and a boot-time scan needed to be made. That was really impressive to watch. Finally, I rebooted the system and used regedit to delete the registry entry for the pseudo service and Vista is working fine.

So I have a message for the developer in Russia who wrote this. Sir, you've been had by a sixty-year-old woman in the US. Yes, you cost me an evening and I learned a lot, but we have your number. pbpbpbpbpbpb. What's worse is that you've been had by Notepad the rootkit virus killer!!!!!
__________________
Prasanna Vignesh
MCPD | Web Developer
#2  naveen (D-Web Trainee), 08-01-2007, 04:13 AM
Re: nex genera virus - vista

Wait, this sounds serious. If I got this virus, I can't boot the backup DVD? How is that possible? Does it modify the motherboard flash memory? Or does the backup DVD not load its own OS, like PC DOS?
#3  prasannavigneshr (D-Web Incredible), 08-01-2007, 04:14 AM
Re: nex genera virus - vista

Hi naveen,

I have a little bit more to add.

My restoration procedure was not a correct one. I researched the newsgroups on this and many people were reporting the same results.

There is something correct but counterintuitive about the way Microsoft does these backups. The restorer inserts the last volume first and not the first volume. I come from the mainframe sector and we always started with the first volume and then the second. This worked until either the volume set was restored or until there was no unallocated disk space to work on. Sometimes this is highly advantageous because at least it will get you up and running.

By doing it this way, the restoration is a closed loop. One has the metadata and will know if there is enough space on the target volume. However, it's my guess that if the target is smaller than the total amount to be backed up, recovery will not allow you to proceed.

The executable for the recovery process is safe on the Vista DVD and it is booted. That's the only safe way to proceed.
#4  naveen (D-Web Trainee), 08-01-2007, 04:15 AM
Re: nex genera virus - vista

Quote: Originally Posted by prasannavigneshr (post #3 above)
I am kind of confused. I am not well knowledged on viruses and backup utilities. Is it because your later partition is smaller than the backed-up data (not the backup partition size), so you can't use the DVD to recover?

What's the requirement to recover a backed-up partition or backed-up drive? Does the destination partition have to be bigger than the backed-up data or the backed-up partition size?

And does this virus ever stop me from recovering from full backup DVDs? Like totally destroyed partitions so my destination partition is no longer allocable.
#5  prasannavigneshr (D-Web Incredible), 08-01-2007, 04:19 AM
Re: next genera virus - vista

Quote:
"I am kind of confused. I am not well knowledged on viruses and backup utilities. Is it because your later partition is smaller than the backed-up data (not the backup partition size), so you can't use the DVD to recover?"
My error was to try to begin with the first volume and not the last. So recovery did not recognize it as a valid disk. Error messages seem to be sparse and misleading.

Quote:
"What's the requirement to recover a backed-up partition or backed-up drive? Does the destination partition have to be bigger than the backed-up data or the backed-up partition size?"
Never having done one, I don't know. I imagine you have to have a partition at least the size of the data to be recovered.

Quote:
"And does this virus ever stop me from recovering from full backup DVDs? Like totally destroyed partitions so my destination partition is no longer allocable."
Not this virus; it hasn't been programmed to do that. But viruses can damage partition tables etc. But I use SCSI disks, which can be low-level formatted and everything erased. So there is no risk of permanent damage, although there is the risk of data loss.
#6  naveen (D-Web Trainee), 08-01-2007, 04:20 AM
Re: next genera virus - vista

Cool, thanks for clearing that up. I will be sure to recover from the last disc, which is really really weird. Hehe, one more question: is it possible for a virus to delete files on another drive, or infect a data drive and re-infect back to the OS drive? I have a drive that only stores data, video games, and music files. I didn't back up my media. I only back up the OS drive. Is it safe to assume a virus only attacks the OS drive?
#7  prasannavigneshr (D-Web Incredible), 08-01-2007, 04:21 AM
Re: next genera virus - vista

"Hehe, one more question, is it possible for a virus to delete files in another drive, or infect a data drive and re-infect back to the Os drive?"

This is a complicated question actually. Vista makes it less likely. What a virus can do depends on how it is activated and the permissions it gets. If it's activated with administrator privileges, it's possible for a virus to do almost anything, especially when it is running as a service as this one was.

Yes, viruses can create files and caches, modify files with copies of themselves, and some viruses are polymorphic, meaning that they establish themselves with multiple names on a system. Often a virus will have cooperating images so that if one is deleted it will be replaced. Some viruses and malware are "quiet viruses": they aren't all that visible and they just quietly gather intelligence on your system and relay that data back to some site. They also have acted as gateways for people to take control of a system or to open windows for other viruses.

Vista will go a long way to thwart these because many viruses are built to run under the XP file structure, which has been largely redone on Vista. But as I discovered, new ones are being written all the time. It is not at all safe to assume that a virus will attack only the system disk, because a virus can simply ask for a list of drives. If one wanted to write a truly destructive virus, the safest thing for a virus to do would be to start deleting files on other disks or partitions first and then to attack the OS disk, because it's most likely to be caught there.

Thanks
#8  naveen (D-Web Trainee), 08-01-2007, 04:23 AM
Re: next genera virus - vista

Thank you very much. Now I am getting concerned. I should back up my media drive sometime in the future. I don't want to lose my precious pictures gathered from websites. It took me a really long time to build up my library.
#9  prem (D-Web Trainee), 08-01-2007, 04:24 AM
Re: next genera virus - vista

Hi all

This was really interesting... except I can't find lzx32.sys using LADS.exe. The BSOD specified this file as the reason for the crash and I downloaded LADS and ran it on the C: drive without result. Any suggestions as to where it might be hiding would be much appreciated.

Thanks
Prem
#10  prasannavigneshr (D-Web Incredible), 08-01-2007, 04:25 AM
Re: next genera virus - vista

Yes... the virus is an additional ADS stream tacked onto \system32. It is not a separate file.

I don't know what version of Vista you have, but I have Ultimate, which is really helpful with its boot recovery code. I also don't know if ordinary Notepad will work, as I used Notepad2, which was pre-installed on my system. What I did was to open the file: system32:Lzx32.sys.

Notepad2 actually opened the virus. I cut the virus and then saved the file STREAM. LADS is not needed actually once you know what the file is.

If your version of Notepad won't work and if you can't install Notepad2 on a UFD drive, then write a simple program in VB6 or C++ that opens system32:Lzx32.sys, writes "" into it and then closes the file. That's all there is to it.
#11  aravind (D-Web Trainee), 08-01-2007, 04:33 AM
Re: next genera virus - vista

Maybe instead of Notepad it's easier to use the Sysinternals "Streams" util to remove such named streams. I tried this on XP, but I think under Vista it will work too.

http://download.sysinternals.com/Files/Streams.zip
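The three removal methods discussed in this thread (post #1's Notepad trick on a directory stream, post #10's "open the stream, write nothing, close it" program, and post #11's Sysinternals streams.exe) all do the same thing: find the NTFS alternate data stream and delete just that stream. The PowerShell below is an added example, not code from any poster, showing that triage and removal in one place; it runs on Windows PowerShell 5.1 (the `-Stream` parameters exist since 3.0). The paths and the stream name `lzx32.sys` in the usage lines are illustrative assumptions.

```powershell
# Added example, not code from this thread. Enumerates NTFS alternate data
# streams (ADS) under a path and removes one named stream from a file or a
# directory: the effect the posts above got from Notepad/Notepad2, a small
# VB6/C++ program, or Sysinternals streams.exe. Windows PowerShell 5.1
# (Get-Item -Stream needs 3.0+), run elevated, preferably from a clean boot
# (WinPE with PowerShell, or the disk attached to a known-good machine) so the
# rootkit's driver is not loaded and hiding the stream. The paths and stream
# name in the usage lines are assumptions for illustration.

function Get-AdsReport {
    param([Parameter(Mandatory)][string]$Path)

    # Directories carry streams too (Rustock's lzx32.sys hung off \system32),
    # so inspect the root itself plus every child, files and folders alike.
    $items = @(Get-Item -LiteralPath $Path -Force) +
             @(Get-ChildItem -LiteralPath $Path -Recurse -Force -ErrorAction SilentlyContinue)

    foreach ($item in $items) {
        # ':$DATA' is a file's ordinary unnamed stream; anything else is an ADS.
        # Directories have no unnamed stream, so on them every entry is an ADS.
        Get-Item -LiteralPath $item.FullName -Stream * -ErrorAction SilentlyContinue |
            Where-Object { $_.Stream -ne ':$DATA' } |
            ForEach-Object {
                [pscustomobject]@{
                    Host   = $item.FullName
                    IsDir  = $item.PSIsContainer
                    Stream = $_.Stream
                    Bytes  = $_.Length
                    # The spec cmd.exe/Notepad accept: host path, colon, stream name.
                    # No backslash before the colon (the LADS quirk noted in post #1).
                    Spec   = '{0}:{1}' -f $item.FullName, $_.Stream
                }
            }
    }
}

function Remove-NamedStream {
    param(
        [Parameter(Mandatory)][string]$Path,        # file or directory carrying the stream
        [Parameter(Mandatory)][string]$StreamName,  # e.g. 'lzx32.sys'
        [string]$EvidenceDir = $env:TEMP            # where a copy is kept before deletion
    )

    # Never touch the unnamed stream: on a file that is the file's own content.
    if ([string]::IsNullOrEmpty($StreamName) -or $StreamName -eq ':$DATA') {
        throw 'Refusing to remove the unnamed data stream'
    }

    # Preserve the bytes (hash, AV submission, later analysis) before destroying them.
    $evidence = Join-Path $EvidenceDir ('{0}_{1}.bin' -f (Split-Path -Path $Path -Leaf), $StreamName)
    $bytes = Get-Content -LiteralPath $Path -Stream $StreamName -Encoding Byte -ReadCount 0
    if ($null -eq $bytes) { $bytes = [byte[]]@() }          # zero-length stream
    [System.IO.File]::WriteAllBytes($evidence, [byte[]]$bytes)
    $sha256 = (Get-FileHash -LiteralPath $evidence -Algorithm SHA256).Hash

    # Deletes only the named stream; the host file or directory stays in place.
    Remove-Item -LiteralPath $Path -Stream $StreamName -Force

    [pscustomobject]@{ Host = $Path; Stream = $StreamName; Evidence = $evidence; SHA256 = $sha256 }
}

# Usage (assumed paths). Triage first; remove only once the stream name is confirmed.
# Get-AdsReport -Path 'C:\Windows\System32' | Where-Object { $_.Stream -ne 'Zone.Identifier' }
# Remove-NamedStream -Path 'C:\Windows\System32' -StreamName 'lzx32.sys'
```

From a plain cmd.exe prompt the equivalents are `dir /R` (Vista and later, the switch mentioned in post #1) to list streams and `streams.exe -d <host>` to delete them. Two caveats a practitioner should keep in mind: a loaded kernel-mode rootkit can hide its stream from user-mode enumeration on the infected machine, so do the listing from a clean boot or with the disk attached elsewhere; and deleting the stream leaves the service registry entry that loads it pointing at a missing driver, which is why the original poster still had to remove that entry with regedit afterwards.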
#12  theone (D-Web Sr.Programmer), 08-01-2007, 04:35 AM
Re: next genera virus - vista

Dont get vista then, xp is perfect anyway
#13  prem (D-Web Trainee), 08-01-2007, 04:36 AM
Re: next genera virus - vista

That was a beautiful story.

Nothing can stop the power of the mighty backup. May I recommend the following procedures when making the backup...
1) Do not use Windows Vista's crappy mode or whatever they call it when you make backups; use 'Mastered Mode', which is readable on older OSs like MS-DOS.
2) Instead of using a system restore or other such software, burn only the files you wish to keep. There is no need to back up your entire drive.
#14  prasannavigneshr (D-Web Incredible), 08-01-2007, 04:37 AM
Re: next genera virus - vista

I would disagree. I have about 30 GB of installed software. Quite honestly it takes me about six months to get a system like I really want it. This means that I have a large investment of time in my system and preserving it is really important to me. That means it's quite worthwhile to back up my system.

My hardware is all bleeding edge. The XP boot disk won't even boot without adding Intel drivers for the board, so I doubt older versions of DOS would do much good, and they can't read NTFS anyway.
#15  naveen (D-Web Trainee), 08-01-2007, 04:38 AM
Re: next genera virus - vista

Vista Ultimate's PC backup is quite complete. I boot it with the installation CD and click restore from PC backup. Everything is back to normal. Of course, that means the backup has to be from before the virus attack. I usually keep a few backups. One is the core of the Vista installation: a backup right after I install Vista and activate it. A backup with core software installations, like Office 2007. And finally one with important software installations and tweaks, like FlashGet, setting the default download path and such.

Just beware the check box in Ultimate PC restore. I checked it and it formatted my other drive that is not part of the restore drive. I lost all my precious media files because of that.
#16  raja (D-Web Trainee), 08-29-2007, 10:51 AM
Re: next genera virus - vista

My nephew asked me to take a quick look at his new laptop; it has a registry virus on it that continues to bring up the "Windows Explorer has stopped working" window.

Norton doesn't clean it off, much less point out it has a problem.

Problem Event Name: APPCRASH
Application Name: explorer.exe
Application Version: 6.0.6000.16386
Application Timestamp: 4549b091
Fault Module Name: xtsyynm.dll_unloaded

Anyone know a quick fix, or is paving the drive and starting again the only possibility?
__________________
Raja. Myblog
#17  prasannavigneshr (D-Web Incredible), 08-29-2007, 10:52 AM
Re: nex genera virus - vista

One of the options you might want to try is a system restore. If you have the Vista CD, you can boot off of it and then choose to repair the existing installation. That will often fix the problem.

Otherwise, there's a good chance that it's spyware, not a virus. Download and run SpyBot Search & Destroy from here:
The home of Spybot-S&D!
#18  suresh (D-Web Trainee), 08-29-2007, 10:55 AM
Re: nex genera virus - vista

I'll have to agree... the problem is most likely because of something that was installed on the computer (gotta be careful what you download). System Restore is a very good option:

http://www.howtogeek.com/howto.....m-restore/

It's also very useful to get familiar with SpyBot, since it's one of the better anti-spyware tools.

Norton isn't very good, but did you make sure the virus definitions were up to date before scanning?
#19  Venkat (D-Web Master), 08-29-2007, 10:57 AM
Re: nex genera virus - vista

I am thinking this is malware, not necessarily a virus. I would boot into "safe mode" then run Spybot after you download the most current updates.

If Spybot does not detect and remove it ... you might want to go into the Registry and manually remove it ... but that would depend upon your comfort level ... You don't want to mess around in the Registry unless you know exactly what you're doing.
__________________
Venkat
knowledge is Power
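Post #1 ran into the problem that regedit booted from the Vista DVD edits the boot environment's own registry rather than the dead system's, and the reply above suggests removing a persistence entry by hand. The PowerShell below is an added example (not code from any poster) of the standard answer to that problem: load the offline SYSTEM hive under a temporary name and inspect its service entries there. It flags drivers and services whose ImagePath points into an alternate data stream (a second colon after the drive letter, as with system32:lzx32.sys) or at a file that does not exist on the offline volume. It needs an elevated Windows PowerShell 5.1 prompt from WinPE or from a clean machine with the disk attached; the mount point `D:\Windows` and the hive name `OfflineSYS` are assumptions.

```powershell
# Added example, not code from this thread. Loads the SYSTEM hive of an OFFLINE
# Windows installation and lists services/drivers whose ImagePath points into an
# alternate data stream or at a file missing from that volume. It is the "load
# hive" way of editing a dead system's registry from boot media; regedit can do
# the same by hand via File > Load Hive. Windows PowerShell 5.1, elevated, run
# from WinPE with PowerShell or with the disk attached to a clean machine.
# $OfflineRoot and the hive name 'OfflineSYS' are assumptions for illustration.

function Resolve-OfflineImagePath {
    param([string]$ImagePath, [string]$OfflineRoot)
    $offDrive = Split-Path -Path $OfflineRoot -Qualifier               # e.g. 'D:'
    # Drop service arguments ("-k netsvcs"): quoted path first, else first token.
    # (Unquoted paths containing spaces are not handled.)
    if ($ImagePath -match '^"([^"]+)"') { $p = $Matches[1] }
    else { $p = ($ImagePath.Trim() -split '\s+')[0] }
    $p = $p -replace '^\\\?\?\\', ''                                   # \??\C:\...  -> C:\...
    $p = $p -replace '^(\\SystemRoot|%SystemRoot%|%windir%)\\', ($OfflineRoot + '\')
    if ($p -match '^[A-Za-z]:\\(.*)$') { return $offDrive + '\' + $Matches[1] }  # remap old drive letter
    return Join-Path -Path $OfflineRoot -ChildPath $p                  # 'system32\drivers\x.sys' is relative to %SystemRoot%
}

function Get-SuspiciousOfflineServices {
    param([Parameter(Mandatory)][string]$OfflineRoot)                  # e.g. 'D:\Windows'

    $hive = Join-Path -Path $OfflineRoot -ChildPath 'System32\config\SYSTEM'
    & reg.exe load 'HKLM\OfflineSYS' $hive | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg load failed for $hive (not elevated, or hive in use?)" }
    try {
        # Ask the offline hive, not the running OS, which ControlSetNNN is current.
        $cur = (Get-ItemProperty -Path 'HKLM:\OfflineSYS\Select').Current
        $svcKey = 'HKLM:\OfflineSYS\ControlSet{0:D3}\Services' -f $cur
        foreach ($k in Get-ChildItem -Path $svcKey) {
            # DoNotExpandEnvironmentNames: otherwise %SystemRoot% expands to the
            # LIVE machine's Windows directory, not the offline one.
            $img = $k.GetValue('ImagePath', $null, 'DoNotExpandEnvironmentNames')
            if (-not $img) { continue }
            $path = Resolve-OfflineImagePath -ImagePath $img -OfflineRoot $OfflineRoot
            # A colon after the drive letter means the binary lives in an ADS.
            $isAds  = $path.Substring(2) -match ':'
            $exists = (-not $isAds) -and (Test-Path -LiteralPath $path)
            if ($isAds) { $reason = 'alternate data stream' }
            elseif (-not $exists) { $reason = 'file missing' }
            else { continue }
            [pscustomobject]@{
                Service   = $k.PSChildName
                Start     = $k.GetValue('Start')   # 0 boot, 1 system, 2 auto, 3 manual, 4 disabled
                ImagePath = $img
                Resolved  = $path
                Reason    = $reason
            }
        }
    } finally {
        # Open RegistryKey handles must be released before the hive will unload.
        [GC]::Collect(); [GC]::WaitForPendingFinalizers()
        & reg.exe unload 'HKLM\OfflineSYS' | Out-Null
    }
}

# Usage (assumed drive letter):
# Get-SuspiciousOfflineServices -OfflineRoot 'D:\Windows' | Format-Table -AutoSize
```

Once an entry is confirmed, load the hive again, `Remove-Item -Recurse` the key under `HKLM:\OfflineSYS\ControlSet00N\Services\<name>` (or set its `Start` value to 4 if you prefer to disable rather than delete), and `reg unload` it; if unload reports the hive is in use, close the PowerShell session and unload from a fresh one. The same `reg load` trick applies to the offline SOFTWARE hive for the `Run` and shell-extension keys that the later Explorer-crash posts would need to inspect.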
#20  H2o (D-Web Analyst), 08-29-2007, 11:01 AM
Re: nex genera virus - vista

Hi guys,

Every time I open Internet Explorer 7 it should bring up about:blank but instead it takes me to (http://)protectionwarning(.com) and I get a pop-up saying I have a virus and to make a registry edit.

Has anyone found a way to remove this? AVG found and removed a virus a couple of nights ago and Ad-Aware keeps bringing up 3 trojans which I wipe every time.
__________________
H2O

Without us, no one can survive..