Metasploit mailing list archives
Re: gmer rootkit removal
From: "Michael D. Wood" <mike () itsecuritypros org>
Date: Sat, 09 Feb 2013 19:15:57 -0500
Oh no problem, didn't think you were pointing fingers at all. Just asking questions to gather more information from you. I used to do in-depth virus and malware analysis for AVG and used a lot of these tools for years. It's been a while, but I believe the "catchme.sys" gets installed in the temp directory. Also, dump the registry, I believe the file gets removed. Tdl or tdss was part of the Alureon craze, gmer was a one-hit-wonder for that. Look it up, good stuff. If I'm not mistaken (it was used in the google hack a few years ago) anyone correct me if I'm wrong - I'm watching tv and too lazy to check my references.

----- Reply message -----
From: "Chip" <jeffschips () gmail com>
To: "Michael D. Wood" <mike () itsecuritypros org>
Cc: <framework () spool metasploit com>
Subject: [framework] gmer rootkit removal
Date: Sat, Feb 9, 2013 6:45 pm

On 2/9/2013 6:03 PM, Michael D. Wood wrote:

Gmer, to my knowledge, was only successful in removing the TDL family of rootkits. As I remember, I don't ever recall it submitting info to the developer? Are you saying it asked, or this is what you found gmer changing on the system? Did the executable come from the original source? http://www.gmer.net/ Did you find the system driver gmer installs called "catchme.sys"?

----- Reply message -----
To: <framework () spool metasploit com>
Subject: [framework] gmer rootkit removal
Date: Sat, Feb 9, 2013 11:47 am

Anybody familiar with Gmer rootkit removal product? http://www.pentestit.com/gmer-rootkit-removeal-tool/ The developer asks users to submit reports after running the software which include such entries as the following but then does not get back to the submitter.

I'm wondering if the data sent, such as the following, could be used to remotely compromise a machine (the following entries have been altered to protect the innocent):

Rootkit scan 2013-02-02 16:11:41
Windows 5.1.2600 Service Pack 3
\Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceDDEAL0-3 WDC_WD8754AAKS-95B4B0 rev.06.03B01 325.09GB
Running: gmer.exe; Driver: C:\DOCUME~1\somename\LOCALS~1\Temp\agryypod.sys

---- System - GMER 2.0 ----

SSDT \SystemRoot\system32\DRIVERS\ImmunetSelfProtect.sys (Immunet Self Protect Driver/Windows (R) Win 7 DDK provider) ZwCreateKey [0xF87D0AJD]
Code \WINDOWS\system32\ntkrnlpa.exe[PAGEVRFY] [67854088] pIofCallDriver
Code \WINDOWS\system32\ntkrnlpa.exe[PAGEVRFY] [8764971E] pIofCompleteRequest

---- Kernel code sections - GMER 2.0 ----

.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xH6J843C0, 0x757UCA, 0xHYUK9820]

---- User code sections - GMER 2.0 ----

.text C:\WINDOWS\system32\SearchIndexer.exe[0976] kernel32.dll!WriteFile 9KLU765FF 7 Bytes JMP 987JHYT0C C:\WINDOWS\system32\MSSRCH.DLL (mssrch.dll/Microsoft Corporation)

---- Registry - GMER 2.0 ----

Reg HKLM\SYSTEM\CurrentControlSet\Control\Video\{A9785YT9-98JU-KHI8-BIU7-8694JU86098G}\0000@D5F_\x4456\x4456 5678435689
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{A9785YT9-98JU-KHI8-BIU7-8694JU86098G}

---- EOF - GMER 2.0 ----

Thank you.

The executable was downloaded from the gmer.net site. No, the executable did not -- to my knowledge -- automatically submit information. The gmer.net site asks if a user has any questions, to forward the results of the scan, which I did, because I had a specific question: No reply. I am not pointing a finger at the gmer developer in the least, as it does appear at least on the surface to do the job it says it does.

However, all the output from the scan to my untrained eye seems to contain a lot of information that could be used by a malicious user -- again, I am not saying the developer is malicious -- to develop code specifically for that one machine, and I'm asking if anyone familiar with this kind of information cares to comment on that. By the way, what do you mean when you say "Gmer, to my knowledge, was only successful in removing the TDL family of rootkits"? What is TDL? And where would someone look for catchme.sys - I can't find it in the system32 folder. Thank you kindly.
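The question running through this thread is what a GMER report gives away about the host (OS build and service pack, the disk model, the local user name embedded in the temp path, kernel and driver addresses, hooked-function locations) and whether that is safe to mail to a third party. As an added example, not part of the thread and not code from the GMER project, the following Python script parses a GMER 2.0 style report, pulls out those host-identifying fields so the submitter can see what is being disclosed, and produces a redacted copy suitable for sharing. The sample report and every value in it are constructed for this example, in the shape of the report quoted above; the field names and the `<user>` / `<disk-model>` placeholders are this script's own conventions, not GMER's.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Set

# Constructed sample in the shape of the GMER 2.0 report quoted in the thread.
# All paths, addresses and identifiers are made up for this example.
SAMPLE_REPORT = r"""Rootkit scan 2013-02-02 16:11:41
Windows 5.1.2600 Service Pack 3
\Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceDDEAL0-3 WDC_WD8754AAKS-95B4B0 rev.06.03B01 325.09GB
Running: gmer.exe; Driver: C:\DOCUME~1\somename\LOCALS~1\Temp\agryypod.sys
---- System - GMER 2.0 ----
SSDT \SystemRoot\system32\DRIVERS\ImmunetSelfProtect.sys ZwCreateKey [0xF87D0A3D]
Code \WINDOWS\system32\ntkrnlpa.exe[PAGEVRFY] [80534088] pIofCallDriver
---- Kernel code sections - GMER 2.0 ----
.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xF86843C0, 0x757CA, 0xF8689820]
---- User code sections - GMER 2.0 ----
.text C:\WINDOWS\system32\SearchIndexer.exe[0976] kernel32.dll!WriteFile 7C810E27 7 Bytes JMP 00A4F0C5 C:\WINDOWS\system32\MSSRCH.DLL
---- Registry - GMER 2.0 ----
Reg HKLM\SYSTEM\CurrentControlSet\Control\Video\{A9785B79-98E1-4D18-B1C7-8694AB86098F}\0000@D5F 5678435689
---- EOF - GMER 2.0 ----
"""

# User name as it appears inside profile paths (8.3 short form or long form).
USER_PATH_RE = re.compile(r"(?:DOCUME~1|Documents and Settings|Users)\\([^\\\s]+)")
# Addresses: 0x-prefixed hex, or a bare 8-digit hex value inside square brackets.
HEX_ADDR_RE = re.compile(r"0x[0-9A-Fa-f]{4,}|(?<=\[)[0-9A-Fa-f]{8}(?=\])")
OS_LINE_RE = re.compile(r"^Windows\s+(\d+\.\d+\.\d+.*)$", re.M)
DISK_LINE_RE = re.compile(
    r"^\\Device\\Harddisk\d+\\DR\d+\s+->\s+\S+\s+(\S+)\s+rev\.(\S+)\s+(\S+GB)$", re.M)
SECTION_RE = re.compile(r"^---- (.+?) - GMER [\d.]+ ----$")


@dataclass
class ReportFindings:
    """Host-identifying information recovered from a GMER report."""
    os_version: Optional[str] = None
    usernames: Set[str] = field(default_factory=set)
    disk_model: Optional[str] = None
    sections: List[str] = field(default_factory=list)
    hex_addresses: List[str] = field(default_factory=list)
    writeable_sections: List[str] = field(default_factory=list)


def parse_gmer_report(text: str) -> ReportFindings:
    """Walk the report line by line and collect what it reveals about the host."""
    findings = ReportFindings()
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = OS_LINE_RE.match(line)
        if m:
            findings.os_version = m.group(1).strip()
            continue
        m = DISK_LINE_RE.match(line)
        if m:
            findings.disk_model = m.group(1)
            continue
        m = SECTION_RE.match(line)
        if m:
            findings.sections.append(m.group(1))
            continue
        findings.usernames.update(USER_PATH_RE.findall(line))
        findings.hex_addresses.extend(HEX_ADDR_RE.findall(line))
        if "section is writeable" in line:
            # Second token is the module whose code section GMER found writeable.
            findings.writeable_sections.append(line.split()[1])
    return findings


def redact_report(text: str) -> str:
    """Return a copy with user names, addresses and the disk model masked."""
    out = USER_PATH_RE.sub(lambda m: m.group(0).replace(m.group(1), "<user>"), text)
    out = HEX_ADDR_RE.sub(
        lambda m: "0x????????" if m.group(0).startswith("0x") else "????????", out)
    out = DISK_LINE_RE.sub(
        lambda m: m.group(0).replace(m.group(1), "<disk-model>"), out)
    return out


if __name__ == "__main__":
    found = parse_gmer_report(SAMPLE_REPORT)
    print("OS version:       ", found.os_version)
    print("User names:       ", sorted(found.usernames))
    print("Disk model:       ", found.disk_model)
    print("Addresses leaked: ", len(found.hex_addresses))
    print("Writeable sections:", found.writeable_sections)
    print("\n--- redacted copy ---\n" + redact_report(SAMPLE_REPORT))
```

Running the script on the constructed report lists the OS build, the user name taken from the `DOCUME~1\somename` temp path, the disk model and the kernel and hook addresses, then prints a copy with those fields masked while the structural content a developer needs (section names, hooked functions, the writeable-section finding, registry keys) is left intact.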
_______________________________________________ https://mail.metasploit.com/mailman/listinfo/framework
Current thread:
- gmer rootkit removal Chip (Feb 09)
- Re: gmer rootkit removal Joshua Smith (Feb 09)
- <Possible follow-ups>
- Re: gmer rootkit removal Michael D. Wood (Feb 09)
- Re: gmer rootkit removal Chip (Feb 09)
- Re: gmer rootkit removal Michael D. Wood (Feb 09)