Matsuda Posted September 18, 2013 (edited)

Security researchers from Vietnamese company Bkav have come across an interesting new virus that protects itself against antiviruses by freezing the hard disk.

Once it infects a device, the virus creates a sort of a restore point. All the modifications made on the system by the user – including editing documents, copying files, and downloading data from the Web – will be reset. All the newly copied files are erased. The threat also changes the icon of the hard drive.

Various executable modules are dropped. Each of these modules serves a different purpose. For instance, the Wininite module is designed to communicate with two command and control servers. One is located in China and one in the United States.

Another module, DiskFlt, is responsible for freezing the hard disk. To do this, the malware component creates a device that controls the reading and writing of data on the disk.

“DiskFlt also creates a cache data area. When user has data reading/writing operations on disk, DiskFlt will create a copy of that data area and put it on the cache area. After this point, every reading/writing operation will be redirected to the cache area, which makes the user unable to change the data of the original disk,” Bkav experts noted.

PassThru is the network driver module that blocks or redirects certain websites, and Black.dll is the component that helps the virus propagate.

“Obviously, this virus can be considered a rootkit although it has quite a special self-protection mechanism. Instead of preventing counteractions to modules of the virus like normal rootkit, this new type prevents changes to the entire disk,” experts added.

In case your computer becomes infected with this virus, you can clean it with a special removal tool released by Bkav.

Bkav RootFreeze Remover

Source

Edited September 18, 2013 by Matsuda-NSANE
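The copy-on-write redirection the quoted Bkav text describes, as an added toy model that is not code from the article, from Bkav, or from anyone in this thread; FrozenDisk, changes_persist and offline_view are assumed names, and the block layout is invented for illustration only:

```python
from dataclasses import dataclass, field


@dataclass
class FrozenDisk:
    """Block device whose I/O is redirected to a volatile cache (model only).

    `original` stands for the real on-disk blocks; `cache` is the overlay the
    quoted text calls the "cache data area". Writes only ever touch `cache`.
    """
    original: dict[int, bytes]
    cache: dict[int, bytes] = field(default_factory=dict)

    def read(self, block: int) -> bytes:
        # Redirected read: the cached copy wins, else the untouched original
        return self.cache.get(block, self.original.get(block, b""))

    def write(self, block: int, data: bytes) -> None:
        # Redirected write: the original block is never modified
        self.cache[block] = data

    def reboot(self) -> None:
        # The cache does not survive a restart, so every change is "reset"
        self.cache.clear()


def changes_persist(disk: FrozenDisk, probe_block: int = 99) -> bool:
    """Write a marker, restart, and report whether the marker survived.

    Returns False for a frozen disk; the same probe on a normal disk would
    return True. (Assumed defender-side check, not something Bkav describes.)
    """
    marker = b"PERSIST-PROBE"
    disk.write(probe_block, marker)
    seen_before = disk.read(probe_block) == marker
    disk.reboot()
    return seen_before and disk.read(probe_block) == marker


def offline_view(disk: FrozenDisk) -> dict[int, bytes]:
    """What a scanner sees with the drive mounted on another OS.

    The filter driver is not loaded there, so the original blocks (including
    anything the infection dropped) are visible, which is why an offline
    clean-up of the kind suggested later in the thread can reach them.
    """
    return dict(disk.original)
```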
knowledge Posted September 18, 2013 (edited)

Edited January 13, 2017 by knowledge
SlimRock Posted September 18, 2013

Setup, when executed on Windows 8 x64, gives an error: Not Support that System :wtf: !!!
Holmes Posted September 18, 2013 (edited)

That's a coincidence. Before I sold my HTC Sensation 4G, the ability to connect the HTC phone to the internet through my computer existed, but you needed to pay for the feature. I installed it anyway, and the driver name happened to be PassThru. It's a coincidence only, but my only question is how does one get infected by this virus. Does it infect through e-mail? Does it use an HTML exploit as a drive-by download? What's its source of entry?

Edited September 18, 2013 by Holmes
demoneye Posted September 18, 2013

Bad news considered to be good news by letting us know :) 10x!
ramiz0 Posted September 19, 2013

:o
x3r0 Posted September 19, 2013

I think it's a worm, not a virus, since it doesn't infect other files, but still it's a bad-ass worm in that the creator manages to create his own type of Windows drivers.
NomNom Posted September 19, 2013

Pretty scary, but I have a simple solution: take the hard drive out of the PC and put it in an enclosure, then connect it to a PC running a virtual environment or Linux, scan and remove.
jimbojet2011 Posted September 19, 2013

Just disable creating restore points.
ande Posted September 19, 2013

Not applicable under x64 LUA Windows 7/8/8.1 unless execution of unsigned drivers is enabled (which is not by default).
humble3d Posted September 20, 2013

Many thanks for the heads up ... :blush: It's good I'm stocked up on pencils, pens and paper... :)