Metasploit mailing list archives

Re: gmer rootkit removal


From: Chip <jeffschips () gmail com>
Date: Sat, 09 Feb 2013 18:45:31 -0500

On 2/9/2013 6:03 PM, Michael D. Wood wrote:
Gmer, to my knowledge, was only successful in removing the TDL family
of rootkits.  As I remember, I don't ever recall it submitting info
to the developer?  Are you saying it asked, or this is what you found
gmer changing on the system?  Did the executable come from the
original source?  http://www.gmer.net/
Did you find the system driver gmer installs called "catchme.sys"?

----- Reply message -----

To: <framework () spool metasploit com>
Subject: [framework] gmer rootkit removal
Date: Sat, Feb 9, 2013 11:47 am


Anybody familiar with Gmer rootkit removal product?

http://www.pentestit.com/gmer-rootkit-removeal-tool/

The developer asks users to submit reports after running the software
which include such entries as the following but then does not get back
to the submitter.  I'm wondering if the data sent, such as the
following, could be used to remotely compromise a machine (the
following entries have been altered to protect the innocent):



Rootkit scan 2013-02-02 16:11:41
Windows 5.1.2600 Service Pack 3 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceDDEAL0-3 WDC_WD8754AAKS-95B4B0 rev.06.03B01 325.09GB
Running: gmer.exe; Driver: C:\DOCUME~1\somename\LOCALS~1\Temp\agryypod.sys


---- System - GMER 2.0 ----

SSDT   \SystemRoot\system32\DRIVERS\ImmunetSelfProtect.sys (Immunet Self Protect Driver/Windows (R) Win 7 DDK provider)  ZwCreateKey [0xF87D0AJD]

Code   \WINDOWS\system32\ntkrnlpa.exe[PAGEVRFY] [67854088] pIofCallDriver
Code   \WINDOWS\system32\ntkrnlpa.exe[PAGEVRFY] [8764971E] pIofCompleteRequest

---- Kernel code sections - GMER 2.0 ----

.text  C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xH6J843C0, 0x757UCA, 0xHYUK9820]

---- User code sections - GMER 2.0 ----

.text  C:\WINDOWS\system32\SearchIndexer.exe[0976] kernel32.dll!WriteFile 9KLU765FF 7 Bytes  JMP 987JHYT0C C:\WINDOWS\system32\MSSRCH.DLL (mssrch.dll/Microsoft Corporation)

---- Registry - GMER 2.0 ----

Reg    HKLM\SYSTEM\CurrentControlSet\Control\Video\{A9785YT9-98JU-KHI8-BIU7-8694JU86098G}\0000@D5F_\x4456\x4456 5678435689
Reg    HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{A9785YT9-98JU-KHI8-BIU7-8694JU86098G}

---- EOF - GMER 2.0 ----

Thank you.  The executable was downloaded from the gmer.net site.  No,
the executable did not -- to my knowledge -- automatically submit
information.  The gmer.net site asks if a user has any questions, to
forward the results of the scan, which I did, because I had a specific
question:  No reply. 

I am not pointing a finger at the gmer developer in the least, as it
does appear at least on the surface to do the job it says it does. 
However, all the output from the scan to my untrained eye seems to
contain a lot of information that could be used by a malicious user --
again, I am not saying the developer is malicious -- to develop code
specifically for that one machine and I'm asking if anyone familiar with
this kind of information cares to comment on that.  By the way, what do
you mean when you say "Gmer, to my knowledge, was only successful in
removing the TDL family of rootkits".  What is TDL?

And where would someone look for catchme.sys - I can't find it in the
system32 folder.

Thank you kindly.
_______________________________________________
https://mail.metasploit.com/mailman/listinfo/framework
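The question in this thread is what a GMER report like the one quoted above tells the person who receives it. As an added example that is not part of the original thread and is not GMER's own code, the Python script below parses a constructed GMER 2.0-style report (layout copied from the quoted report; every path, address, disk model and GUID is made up) and pulls out the host facts a recipient can read from it: OS build and service pack, disk model string, the local account name embedded in the temporary driver path, the names of loaded drivers and executables, and the kernel and user-mode addresses of each SSDT, inline-kernel and inline-user hook. The regular expressions assume the exact line shapes seen in the quoted report (SSDT, Code, writable .text, user-mode JMP hook, Reg); other GMER sections would need their own patterns.

```python
"""Parse a GMER 2.0-style rootkit scan report and list what it discloses about the host."""
import re

# Constructed sample modelled on the report quoted in this thread; every
# path, address, model string and GUID below is made up for illustration.
SAMPLE_LOG = r"""Rootkit scan 2013-02-02 16:11:41
Windows 5.1.2600 Service Pack 3 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 EXAMPLE_DISK_MODEL rev.01.00 320.00GB
Running: gmer.exe; Driver: C:\DOCUME~1\someuser\LOCALS~1\Temp\abcdefgh.sys

---- System - GMER 2.0 ----

SSDT   \SystemRoot\system32\DRIVERS\ExampleSelfProtect.sys (Example Self Protect Driver/Example Vendor)  ZwCreateKey [0xF87D0A00]

Code   \WINDOWS\system32\ntkrnlpa.exe[PAGEVRFY] [80540088] pIofCallDriver
Code   \WINDOWS\system32\ntkrnlpa.exe[PAGEVRFY] [8054971E] pIofCompleteRequest

---- Kernel code sections - GMER 2.0 ----

.text  C:\WINDOWS\system32\DRIVERS\example_video.sys section is writeable [0xF6A843C0, 0x3F57CA, 0xF6E79820]

---- User code sections - GMER 2.0 ----

.text  C:\WINDOWS\system32\SearchIndexer.exe[0976] kernel32.dll!WriteFile 7C810E17 7 Bytes  JMP 5B8A1C0C C:\WINDOWS\system32\MSSRCH.DLL (mssrch.dll/Microsoft Corporation)

---- Registry - GMER 2.0 ----

Reg    HKLM\SYSTEM\CurrentControlSet\Control\Video\{00000000-0000-0000-0000-000000000000}\0000@D5F_\x4456\x4456 5678435689
Reg    HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{00000000-0000-0000-0000-000000000000}

---- EOF - GMER 2.0 ----
"""

# Line shapes assumed from the quoted report (an assumption, not a GMER spec).
SECTION_RE = re.compile(r"^---- (.+?) - GMER [\d.]+ ----$")
OS_RE = re.compile(r"^Windows (\d+\.\d+\.\d+) (Service Pack \d+)")
DRIVER_RE = re.compile(r"Driver: (\S+)")
USER_RE = re.compile(r"\\(?:DOCUME~1|Documents and Settings|Users)\\([^\\]+)\\", re.I)
PATH_RE = re.compile(r"(?:[A-Za-z]:)?(?:\\[^\\\s()\[\]]+)+\.(?:sys|exe|dll)", re.I)
SSDT_RE = re.compile(r"^SSDT\s+(\S+).*?\s(\w+)\s+\[(0x[0-9A-F]+)\]$", re.I)
CODE_RE = re.compile(r"^Code\s+(\S+)\s+\[([0-9A-F]+)\]\s+(\w+)$", re.I)
WRITABLE_RE = re.compile(r"^\.text\s+(\S+) section is writeable \[(.+)\]$", re.I)
USERHOOK_RE = re.compile(r"^\.text\s+(\S+)\s+(\S+!\w+)\s+([0-9A-F]+) (\d+) Bytes\s+JMP ([0-9A-F]+) (\S+)", re.I)
REG_RE = re.compile(r"^Reg\s+(\S+)")


def parse_gmer_log(text):
    """Return the host facts and hook entries found in a GMER-style report."""
    report = {"os": None, "disk": None, "username": None, "scan_driver": None,
              "hooks": [], "writable_sections": [], "registry": [], "modules": set()}
    section = "Header"
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := SECTION_RE.match(line):
            section = m.group(1)
            continue
        # every driver, executable or DLL path named anywhere in the report
        report["modules"].update(PATH_RE.findall(line))
        if section == "Header":
            if m := OS_RE.match(line):
                report["os"] = f"{m.group(1)} {m.group(2)}"
                report["disk"] = line.split("->")[-1].strip()  # disk model follows the last '->'
            if m := DRIVER_RE.search(line):
                report["scan_driver"] = m.group(1)
                if u := USER_RE.search(m.group(1)):  # account name sits inside the temp path
                    report["username"] = u.group(1)
        elif m := SSDT_RE.match(line):
            report["hooks"].append({"type": "SSDT", "by": m.group(1), "target": m.group(2), "addr": m.group(3)})
        elif m := CODE_RE.match(line):
            report["hooks"].append({"type": "kernel-inline", "by": m.group(1), "addr": m.group(2), "target": m.group(3)})
        elif m := WRITABLE_RE.match(line):
            report["writable_sections"].append({"module": m.group(1), "addrs": [a.strip() for a in m.group(2).split(",")]})
        elif m := USERHOOK_RE.match(line):
            report["hooks"].append({"type": "user-inline", "process": m.group(1), "target": m.group(2), "addr": m.group(3),
                                    "patched_bytes": int(m.group(4)), "jmp_to": m.group(5), "by": m.group(6)})
        elif m := REG_RE.match(line):
            report["registry"].append(m.group(1))
    return report


def exposure_summary(report):
    """One line per fact a recipient learns about the scanned host from the report alone."""
    facts = []
    if report["os"]:
        facts.append(f"OS build and patch level: Windows {report['os']}")
    if report["disk"]:
        facts.append(f"Disk hardware: {report['disk']}")
    if report["username"]:
        facts.append(f"Local account name: {report['username']}")
    for h in report["hooks"]:
        facts.append(f"{h['type']} hook on {h['target']} at {h['addr']} by {h['by']}")
    for w in report["writable_sections"]:
        facts.append(f"Writable code section in {w['module']} at {', '.join(w['addrs'])}")
    facts.append(f"Named drivers/executables/DLLs: {len(report['modules'])}")
    return facts


if __name__ == "__main__":
    for fact in exposure_summary(parse_gmer_log(SAMPLE_LOG)):
        print(fact)
```

Run it against a real report by replacing SAMPLE_LOG with the file contents; the summary is what the poster is asking about, namely the exact OS build, hardware identifiers, account name, loaded-driver list and hook addresses that a scan discloses to whoever receives it.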