[Z] Follow up: Nasty new parasite
<From Spyware Weekly Newsletter>
Last month, I warned about a nasty new parasite (http://www.spywareinfo.net/may18,2004#parasite) that had been discovered. This parasite hides itself from Windows, is nearly impossible to detect and nearly impossible to remove.
It turns out our new parasite is protected by an open source NT rootkit called Hacker Defender. Hacker Defender installs a device driver which hooks the Windows API. This lets it hide a directory with a particular name while still allowing files to exist there, hide open ports from a port scanner while still allowing connections to and from that port, hide processes in memory from process managers, and perform other cute tricks. Anything protected by Hacker Defender is a real pain to find and remove.
There is a possible method for removing this thing easily. This information is from a member of our message board who prefers to remain nameless. No guarantees that this will work.
In order to detect whether you are infected by HackDefender, please download this utility: http://bagpuss.swan.ac.uk/comms/RKDetectorv0%5B1%5D.62.zip
If you are infected, you can try the following: if your system drive (usually C:) is formatted with the FAT32 file system, simply create a bootable floppy, boot from it, and delete the directory from the command prompt.
If your system drive is formatted with the NTFS file system, download Bart's PE Builder from http://www.nu2.nu/pebuilder/ in order to create a pre-installed environment CD image. Burn that image, boot from the CD, and then use the utilities inside the PE to delete this folder.
You can read more on HackDefender here: http://bagpuss.swan.ac.uk/comms/hxdef.htm
It's also worth mentioning that if the computer in question boots more than one operating system and your other OS has access to that hard drive, then you can simply boot to the other OS and delete the directory and files with no interference.
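The removal advice above works because a bootable floppy, a Bart's PE CD or a second OS reads the disk without going through the hooked API. The same idea gives a detection check: compare a listing taken on the running system with one taken offline, and anything present offline but missing live is a candidate hidden object. The script below is an added example (not from the newsletter, the message-board member or RKDetector) that performs that cross-view comparison on two constructed listings; the directory name `hidden_dir` is a placeholder, not the real parasite's name.

```python
"""Cross-view check for API-hidden paths (added example, constructed data)."""
from typing import Iterable


def normalize(path: str) -> str:
    """NTFS and FAT32 paths are case-insensitive; accept either slash style."""
    return path.replace("/", "\\").rstrip("\\").lower()


def find_hidden(live_view: Iterable[str], offline_view: Iterable[str]) -> list[str]:
    """Return paths seen offline but missing from the live (possibly hooked) view."""
    live = {normalize(p) for p in live_view}
    return sorted({normalize(p) for p in offline_view} - live)


def collapse_to_roots(hidden: list[str]) -> list[str]:
    """Keep only the top-most hidden entries: if a directory is hidden, its
    children are hidden as a consequence and need not be reported separately."""
    roots: list[str] = []
    for p in hidden:  # input is sorted, so a parent precedes its children
        if not any(p.startswith(r + "\\") for r in roots):
            roots.append(p)
    return roots


# Constructed sample: what a `dir /s` on the running (hooked) system reported ...
LIVE_VIEW = [
    r"C:\Windows\System32\drivers\etc\hosts",
    r"C:\Windows\System32\kernel32.dll",
    r"C:\Program Files\Tools\readme.txt",
]
# ... and what the same tree looked like when listed from an offline boot.
OFFLINE_VIEW = [
    r"C:\Windows\System32\drivers\etc\hosts",
    r"C:\Windows\System32\KERNEL32.DLL",        # same file, different case
    r"C:\Program Files\Tools\readme.txt",
    r"C:\Windows\System32\hidden_dir",           # placeholder hidden directory
    r"C:\Windows\System32\hidden_dir\svc.exe",
    r"C:\Windows\System32\hidden_dir\config.ini",
]

if __name__ == "__main__":
    for root in collapse_to_roots(find_hidden(LIVE_VIEW, OFFLINE_VIEW)):
        print("present offline but hidden from the live view:", root)
```

A clean difference does not prove the machine is clean, only that nothing was hidden from the listing tool you used; open ports and processes need the same comparison against a view the rootkit cannot hook.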