For the past 7 days I've been seeing a new rootkit (not sure of the name) that patches the atapi.sys driver. This rootkit was NOT detected by any of the applications I use in my bootable anti-malware toolkit. Full scans with:
revealed nothing. I was still getting all searches in any browser redirected to scam sites. I usually don't like running Combofix on Vista, but I had no choice. Sure enough, Combofix detected a rootkit and disinfected it! Again, the rootkit infected the atapi.sys driver, which redirected all searches and probably downloaded a few randomly named exes to the system32 directory.

Combofix replaces this infected file with a clean one – thus saving the day. I also carry with me a CD of a fresh install of both XP & Vista, so I have every system file within seconds' reach.
Been there, done that! That sounds precisely like one of the infections I was dealing with last week and Combofix was the only one that I found that not only detected the infection, but removed it. Combofix is a must have in my arsenal.
29/10/2009 16:52:59 Detected: Rootkit.Win32.TDSS.u E:\WINDOWS\system32\drivers\atapi.sys
This is a log from Kaspersky, so it looks like this one is not bad either.
BTW I use Combofix most of the time; only the initial scan is done on another machine with Kaspersky.
I wonder if it has anything to do with this article I found.
http://news.drweb.com/show/?i=687&c=5
If not, this is still a nasty infection.
John
Pretty scary stuff… Just wanted to say thanks for the new Panda AV and MS Security Essentials videos you posted this weekend! Those were great!
Wait, where are the Panda and MSE reviews? I can't find them anywhere.
Incurable rootkit :( What's the name of it?
@the croatian sensation – I haven't had the chance to make them… rogue antivirus infections have exploded and so has my number of appointments $. I'm taking off all next week for Thanksgiving, so I'll be uploading a ton of stuff then.
@Matt – Thanks man, I can't wait to see the new vids and congrats on the new work! Continue doing what you're doing, everyone loves the no b.s. reviews. I was glad that you still told Spyware Doctor that they need a lot of improvement even though they've been hooking you up for the past year. Congrats! Keep them coming!
It’s kind of pointless to run GMER at all IMO. It doesn’t kill any running processes, so it’s no wonder it didn’t work for you. Combofix uses GMER, but it kills open processes *first*. So why waste valuable time with a regular GMER scan?
Hitman Pro 3.5 build 79 detects and removes TDL3 infections. Release is October 23.
Hello,
I think I saw this rootkit on several PC’s I had to repair.
Unfortunately AVG and Avast decided to remove the file ATAPI.SYS and several other ones, causing a crash after restart.
I had on 3 computers this week a fatal blue error: 0x0000007B.
This is a real error, as you cannot boot after that.
I will probably try to get infected to see which files are infected and let you know, if I have time to do such investigations…
This is how I did it.
Get a copy of pendrive linux
http://www.pendrivelinux.com
Create a boot USB drive.
Get a clean copy of atapi.sys and place it on that USB drive. Get it from a machine that has the same OS and service pack as the infected machine.
Boot the USB on the infected machine, select NTFS read/write mode.
Navigate to windows/system32/drivers.
Rename the existing infected file and copy over the new one.
Remove all existing malware that comes from that bastard from China, like winlogin86.exe, winupdate86.exe, 4.exe, 41.exe and the fake antivirus software in Program Files called Internet Protect 2010 or whatever it is.
Reboot and remove the pen drive.
After the machine comes back up, reinstall Internet Explorer, and have fun fixing all the stuff in the registry; remove all that policy junk it put in there.
Also you may need to run "netsh winsock reset".
Takes about 2 1/2 days work.
Have fun, reinstalling the OS is faster and works better. (only takes a day)
Yeah, I have it too. Exactly the same as you described: nothing detects it – not even HijackThis.
I went to download ComboFix on bleeping computer but the link is dead saying that the programmers have pulled ComboFix from the internet for now. http://download.bleepingcomputer.com/sUBs/ComboFix.html
Do you know about this or have an alternate way to download it?
Thanks
Tony
GMER does detect this! It shows atapi.sys suspicious modification.
Try the ComboFix Beta, now named KittyFix.
http://download.bleepingcomputer.com/sUBs/Beta/KittyFix.exe
Or just use a boot disk to delete and replace C:\WINDOWS\system32\drivers\atapi.sys with a clean copy. You might have one in C:\WINDOWS\ServicePackFiles\i386.
If you can't wait for the new release, the beta of the new release is available here:
http://download.bleepingcomputer.com/sUBs/Beta/KittyFix.exe
Bob & Darren
Thanks to both.
I tried to download KittyFix from the link you listed, but after the download was finished, it flashed a window with the message: "You cannot rename ComboFix as Kitty Fix", and then it flashed out and nothing got started at all.
As for the alternative solution of reloading a new copy of atapi.sys from the Windows CD-ROM: well, when I purchased my laptop it came with Windows XP Professional, and I did not receive a CD-ROM for the OS. I am not sure what else is available other than getting a new copy from the disc.
Thirdly, as if trying to get rid of the Rootkit.Win32.TDSS.u E:\WINDOWS\system32\drivers\atapi.sys was not painful enough, I now have another virus called Seifr.sys too! And neither Zone Alarm nor RemoveIT Pro v4 can remove it, even after reboot.
This must be nasty virus season on the net.
Hey Matt, the detection is possible via Kaspersky too. Kaspersky is known to have the fastest signature detection in the antivirus world; usually within a few hours something is detected by signatures.
Hi, first of all, I'm Spanish so ignore my misspellings if possible. Also, I'm slightly retarded when it comes to computers, so any answer should be simple. Like, 5-year-old girl simple. Now, I have a Toshiba laptop with a crappy video card but a good everything else, WinVista and Nod32 as my antivirus program. Problem is a file named olmarik attached to atapi.sys, so now there's no happy ever after. People in other forums said "delete", said "I deleted, then threw away the computer and kicked the cat" or said (I'm going for this one) "reinstall a clean version of that atapi thing". So if any of you would have the patience to explain to me how I could do that… Even if you don't have "do" tips, I really need the "don't"s so I won't make it worse. I really need this laptop for work. I deleted the most recently installed things, and anything I wasn't very sure of in the first place, deleted temporary files, and made Nod32 scan the whole thing, but now I'm stuck as I don't know if I should leave the trojan there (although it appeared along with another 3 viruses, so it gives me the creeps that it's inviting friends to come over) or risk it and try to fix it.
Please help me?
Update: after restarting I have 2 new malware things, again in the win32 folder, so I really want to get rid of the damn rootkit(?). After reading many (MANY) times your solutions to this here, I still have a couple of doubts:
a) Do I need to get a clean copy of atapi.sys that is from the same OS I have, or would an XP one be compatible with my Vista?
b) Do I have to put that copy on a CD or USB, or just click on it after letting Combofix erase the diabolic one?
c) Do I have to rename the clean copy after the infected one? Do I have to place it in the folder or just double-click?
Using Kaspersky’s TDSSKiller, as outlined in this post, http://www.bleepingcomputer.com/forums/topic278052.html, worked for me.
The KittyFix download is not working; it flashes a warning after it finishes downloading saying "You cannot rename ComboFix as Kitty Fix". Then the window disappears, and nothing happens after that. No KittyFix downloaded, no nothing.
How long will it take for one of these AV programs on Cnet or MajorGeek to actually catch up and be able to not only detect but actually REMOVE this damn thing?
So far Zone Alarm is the only one that detects it but it fails to REMOVE.
I have the same problem; apparently it is the 'win32:Alureon' virus.
I just hope it hasn't sent any of my passwords to its source.
I got zapped with this trojan which messed up my atapi.sys file. Combofix has been helpful but my IE7 and Firefox search engines are still being redirected and I am being attacked every 20 minutes or so from this IP address: 212.117.174.176
Malwarebytes has also been helpful and removed a handful of viruses and trojans. But the atapi.sys infection is a nasty one to fix.
In the meantime I've downloaded a very cool keystroke encryptor called KeyScrambler which I highly recommend. I got it from Majorgeeks.com.
I need a clean machine as I am unemployed and use it for job searching and submitting resumes. Glad to get 2009 over with. Bring on the new decade.
Happy New Years!
Okay –
ComboFix got rid of the bad ATAPI.SYS, but when I rebooted, I just got the blue screen of death.
Found out that atapi.sys was missing from the \windows\system32\drivers directory.
I put it back using recovery console. I booted up with no problems.
However, atapi.sys keeps deleting itself from the drivers directory, and every time I boot my machine, I have to go into recovery console and copy the file over again. Frustrating to say the least!
Any ideas?
AndrewBrooklyn – I'm releasing a guide on this issue tomorrow morning (C.S.T)… it'll be called something like "How To Remove and Clean Up the TDSS Malware Pack"… something like that. I would post it tonight but I'm actually removing those infections on client PCs as we speak. Stay tuned.
Wow! Great news — I’ll certainly be looking forward to it!
There are 2 instances of atapi.sys in Windows -> in system\drivers AND system32\dllcache. Both will be infected by this rootkit. If you don’t overwrite both it’ll keep coming back after every boot.
Does anyone have extensive information on what this rootkit actually does? Does it only redirect searches or does it have other malicious uses as well?
Mine created a fake svchost.exe in win\temp every 5 minutes on the dot. There was extensive communication with a couple IP addresses registered to RIPE Network Coordination Centre. Some of the malware my (now ex-)AV software managed to catch were keyloggers.
If it weren’t for the stupid redirects I’m not so sure I would have even noticed this one. My ’security’ software sure didn’t.
The one I got came in a "package" with a whole slew of other viruses. After killing them off, the one in the atapi.sys file stayed behind.
How I got rid of the SOB:
1. Burn a Linux live CD (get Puppy Linux if you are impatient, only about 400MB).
2. Memorize the location of atapi.sys; you will need to know this.
3. Get a working copy of Windows on another machine or hard drive, navigate to the same directory ON THAT SYSTEM where the clean atapi.sys file is located, and copy it to a flash drive.
4. Reboot the infected computer with the live CD in it; it should load the disk.
5. Open 2 windows in Linux, 1 to the directory where the infected file is, and another to the flash drive.
6. Copy the clean file OFF THE FLASH DRIVE to the directory where the infected file is, and overwrite it. Alternatively, delete the infected file first before copying.
7. Reboot, and make sure the live CD is out before it starts loading.
That's what I did, and it worked like a charm.
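The two live-CD procedures above (the pendrive linux one and this Puppy Linux one) both come down to the same manual step: overwrite atapi.sys on the mounted Windows volume with a known-good copy, and, as another commenter points out, do it in both system32\drivers and system32\dllcache or it comes back on the next boot. The script below is an added example written for this thread, not code from the post or any commenter: it hashes each copy against the clean file, keeps any mismatching file under a timestamped name for later analysis, and restores a copy an antivirus already deleted (the 0x0000007B blue-screen case). The mount point /mnt/win/WINDOWS and the clean-copy path are assumptions.

```sh
#!/bin/sh
# Added example, not from the post or its commenters: from a Linux live
# environment with the Windows volume mounted read/write, verify and replace
# atapi.sys in both locations a commenter names (system32/drivers and
# system32/dllcache). All paths here are assumptions; the clean copy must come
# from the same OS and service pack as the infected machine.
set -eu

# SHA-256 of a file; uses whichever tool the live CD provides.
file_hash() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# replace_atapi WINROOT CLEAN
#   WINROOT: mounted Windows directory, e.g. /mnt/win/WINDOWS (assumed path;
#            match the directory name case exactly as the live system shows it)
#   CLEAN:   known-good atapi.sys
# A target that matches CLEAN is left alone; one that differs is kept as
# atapi.sys.infected.<stamp> for analysis and then replaced; a target whose
# directory exists but whose file was deleted (some AVs do this) is restored.
# Prints one status line per target and, last, the number of files written.
replace_atapi() {
    winroot=$1; clean=$2
    [ -f "$clean" ] || { echo "clean copy not found: $clean" >&2; return 1; }
    good=$(file_hash "$clean")
    stamp=$(date +%Y%m%d%H%M%S)
    written=0
    for dir in "$winroot/system32/drivers" "$winroot/system32/dllcache"; do
        target="$dir/atapi.sys"
        if [ ! -d "$dir" ]; then
            echo "skip: $dir does not exist"
        elif [ ! -f "$target" ]; then
            cp "$clean" "$target"; written=$((written + 1))
            echo "restored missing file: $target"
        elif [ "$(file_hash "$target")" = "$good" ]; then
            echo "ok: $target already matches the clean copy"
        else
            mv "$target" "$target.infected.$stamp"
            cp "$clean" "$target"; written=$((written + 1))
            echo "replaced: $target (old copy kept as $target.infected.$stamp)"
        fi
    done
    echo "files written: $written"
}
```

Run it as `replace_atapi /mnt/win/WINDOWS /media/usb/atapi.sys` from the live session; a second run should report both files as matching and zero files written, which is the check that nothing re-infected the driver before you reboot.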