New Virus Protects Itself by Freezing Hard Disk


Matsuda


Security researchers from Vietnamese company Bkav have come across an interesting new virus that protects itself against antiviruses by freezing the hard disk.

Once it infects a device, the virus creates a sort of a restore point. All the modifications made on the system by the user – including editing documents, copying files, and downloading data from the Web – will be reset. All the newly copied files are erased.

The threat also changes the icon of the hard drive.

Various executable modules are dropped. Each of these modules serves a different purpose.

For instance, the Wininite module is designed to communicate with two command and control servers. One is located in China and one in the United States.

Another module, DiskFlt, is responsible for freezing the hard disk. To do this, the malware component creates a device that controls the reading and writing of data on the disk.

“DiskFlt also creates a cache data area. When user has data reading/writing operations on disk, DiskFlt will create a copy of that data area and put it on the cache area. After this point, every reading/writing operation will be redirected to the cache area, which makes the user unable to change the data of the original disk,” Bkav experts noted.

PassThru is the network driver module that blocks or redirects certain websites, and Black.dll is the component that helps the virus propagate.

“Obviously, this virus can be considered a rootkit although it has quite a special self-protection mechanism. Instead of preventing counteractions to modules of the virus like normal rootkit, this new type prevents changes to the entire disk,” experts added.

In case your computer becomes infected with this virus, you can clean it with a special removal tool released by Bkav.

Bkav RootFreeze Remover


Source

Edited by Matsuda-NSANE
Setup when executed on Windows 8 x64, gives an Error Not Support that System :wtf: !!!


That's a coincidence. Before I sold my HTC Sensation 4G, the ability to connect the HTC phone to the internet through my computer existed, but you needed to pay for the feature. I installed it anyway, and the driver name happened to be PassThru. It's a coincidence only, but my only question is: how does one get infected by this virus? Does it infect through e-mail? Does it use an HTML exploit as a drive-by download? What's its source of entry?

Edited by Holmes

I think it's a worm, not a virus, since it doesn't infect other files, but still it's a badass worm that the creator manages to create his own type of Windows drivers.


Pretty scary, but I have a simple solution: take the hard drive out of the PC and put it in an enclosure, then connect it to a PC running a virtual environment or Linux, scan and remove.
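
Added example, not part of the original thread or Bkav's analysis: a simplified Python model of the redirect-on-write behaviour the quoted article attributes to DiskFlt, showing why a cleanup done inside the infected session does not persist while one done with the disk attached to another machine does. The `Disk` class, the sector values and the discard-on-restart behaviour are assumptions made for illustration.

```python
# Simplified model of the redirect-on-write behaviour attributed to DiskFlt.
# Constructed for illustration; sector contents and names are made up.

class Disk:
    def __init__(self, base, frozen=True):
        self.base = dict(base)   # persistent sectors on the physical disk
        self.overlay = {}        # volatile "cache area" kept by the filter
        self.frozen = frozen     # True while the filter sits in the I/O path

    def write(self, lba, data):
        # With the filter loaded, writes land in the overlay, not on disk.
        (self.overlay if self.frozen else self.base)[lba] = data

    def read(self, lba):
        # Reads prefer the overlay, so the running session looks consistent.
        return self.overlay.get(lba, self.base.get(lba))

    def reboot(self):
        # Assumption: the overlay is discarded at restart.
        self.overlay.clear()

    def offline_write(self, lba, data):
        # Disk attached to another host: the filter never loads.
        self.base[lba] = data

SAMPLE = {0: "boot", 7: "INFECTED"}  # constructed sample image

def in_session_cleanup():
    """Clean sector 7 from inside the infected session, then restart."""
    disk = Disk(SAMPLE)
    disk.write(7, "CLEAN")
    seen = disk.read(7)
    disk.reboot()
    return seen, disk.read(7)

def offline_cleanup():
    """Clean sector 7 with the disk mounted on a separate machine."""
    disk = Disk(SAMPLE)
    disk.offline_write(7, "CLEAN")
    disk.reboot()
    return disk.read(7)

def canary_survives(disk, lba=99):
    """Persistence check: does a marker written now survive a restart?"""
    disk.write(lba, "canary")
    disk.reboot()
    return disk.read(lba) == "canary"

if __name__ == "__main__":
    print(in_session_cleanup(), offline_cleanup(),
          canary_survives(Disk(SAMPLE)), canary_survives(Disk(SAMPLE, frozen=False)))
```

The canary check is the defender's takeaway: a marker that vanishes after a restart indicates writes are not reaching the physical disk, so remediation has to happen with the filter out of the I/O path.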
