Recently our honeypot collected a virus sample that sends a challenging message to any antivirus software:
“[Sab0tagE] : The Next Level
Your computer has been SABOTAGEd.
Where is your AntiVirus when you need one?
You talk of times of peace for all,
And then prepare for war.
Remember! Even you win the rat race, you are still a rat!
Silver FoX – Lampung Underground”
Once a system is infected with this virus (detected by Bkav as W32.DownloadWinsLnr.Trojan), the Windows directory is locked: users can no longer access the folder, and antivirus software running in user mode cannot even detect the hidden virus.
The technique DownloadWinsLnr uses is actually quite simple. It only needs to set permissions on the Windows directory that deny all access to it; that single change is what produces every effect described above.
However, for all his challenging messages, the virus creator did not anticipate that kernel mode is not subject to permission settings, and most high-profile antivirus products have a module that works at kernel level. So once the virus signature is recognized, the antivirus software removes it from the system easily, but the Windows directory still cannot be accessed normally, because the deny permission the virus set remains in place. If you encounter this situation, you can use this tool to bring your system back to normal operation.
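The following is an added example (not Bkav's own tool) of the clean-up step described above, in PowerShell: it lists the explicit Deny entries on the Windows directory and, when run with -Fix, removes them so the directory becomes accessible again. The parameter names, the use of %SystemRoot% as the target, and the assumption that the virus sets an explicit Deny ACE on the directory itself are mine; run it from an elevated (Administrator) prompt.

```powershell
# Added example: report and remove explicit Deny ACEs on the Windows directory.
# Without -Fix the script only reports; with -Fix it rewrites the DACL.
param(
    [string]$Target = $env:SystemRoot,   # normally C:\Windows (assumed target)
    [switch]$Fix
)

# Reading the DACL needs READ_CONTROL. If the Deny entry blocks even that,
# take ownership first (Administrators group) so the DACL can be read and written:
#   takeown /F $Target /A
$acl = Get-Acl -Path $Target

# Explicit (non-inherited) Deny ACEs are the suspicious ones; a healthy
# Windows directory carries only Allow entries at this level.
$denies = @($acl.Access | Where-Object {
    $_.AccessControlType -eq 'Deny' -and -not $_.IsInherited
})

if ($denies.Count -eq 0) {
    Write-Output "No explicit Deny entries on $Target - nothing to do."
    return
}

foreach ($ace in $denies) {
    Write-Output ("Deny ACE: {0} -> {1} (inheritance: {2})" -f `
        $ace.IdentityReference, $ace.FileSystemRights, $ace.InheritanceFlags)
}

if ($Fix) {
    foreach ($ace in $denies) {
        # Drop the rule from the in-memory DACL; Set-Acl writes it back.
        [void]$acl.RemoveAccessRule($ace)
    }
    Set-Acl -Path $Target -AclObject $acl
    Write-Output "Removed $($denies.Count) Deny entries from $Target."

    # If the virus also propagated Deny entries to subfolders and files,
    # icacls can strip them recursively for the identity reported above:
    #   icacls $Target /remove:d <IdentityReference> /T /C
}
```

Because Set-Acl replaces the whole DACL, review the reported entries before using -Fix so that a legitimate, intentionally configured Deny rule is not removed along with the virus's.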
CanhDK
Malware Researcher