4 Replies Latest reply on Jan 26, 2010 11:33 PM by ALeah

    Root kit?  Is there protection against this?

      There is a virus, probably a root kit that keeps hitting my home computer network.  It has totally disabled my mother's computer by apparently deleting the content of system32 file and several Windows operating system files.  Her machine now works on DOS only.

       

      This virus must have hidden in the machine attracting multiple UDP packets to repeatedly hit the machine, disguising the sender as our modem IP, 192.168.0.1.  McAfee appeared to have been bouncing the packets, but something got through.

       

      Both machines on the network have Security Center 9.15.

       

      I offered to reinstall her operating system a few days ago, but she did not want to reset all her information, favorite web sites and so on.  Today, the machine cannot be used at all.

       

      To keep my own machine free of this, I reinstall the operating system whenever it starts getting hit by multiple UDP packets.  This seems to control the problem but is a real pain.  McAfee is running at all times, but this one seems to move into the machine a few bites at a time and is not detected by McAfee.

       

      Mom's machine will not even restore from the hidden partition.  I'm working on getting a system file of some kind into it, so that it will recognize the restore command.

       

      Any ideas?  Can I send any data on this machine to McAfee and get it analyzed?

        • 1. Re: Root kit?  Is there protection against this?

          UDP packets coming from your router are normal and most likely not the source of a virus. It is still possible an active virus could attempt to communicate using UDP packets, but generally there is no point in trying to "spoof" or fake the source IP (your router), especially to a non-internet accessible IP address.

           

          If the computer cannot start at all or get to the manufacturer's recovery tools/partition, you may have hardware failure or a corrupted hard drive. This is more likely than a virus wiping out Windows files. I would suggest having a local computer technician look at the hard drive, back up whatever data can be recovered, and proceed from there.

           

          If you have a Windows installation CD, you might be able to start a recovery console (XP) or a command prompt (Vista/7) and run the command CHKDSK /F on the hard drive. This may repair a damaged file system. I have also created a Boot CD that can perform this task as well. You can find it at the following post:

           

          http://community.mcafee.com/thread/6923

          • 2. Re: Root kit?  Is there protection against this?

            Thanks for the reply, Mark.  I don't really understand what you mean.  192.168.0.1 is not my router, it is the ADSL modem.  Why would it need to send multiple UDP packets per second, and never to the same port?  It slows down the computer and McAfee is reporting it as an outside attempt to scan the computer.  This is coupled with the fact that for a few days, we had someone remoting in and occasionally taking over the mouse control.

             

            I ran netstat with IE closed and recorded the IPs that appeared to be intruders.  I looked up the IPs to see which ones belonged in the system (Google, McAfee, Windows Update) and which ones did not.  The ones that originated in China and also the ones for noncorporate use were placed on the banned list and hence no longer trouble us.

             

            As a side note, Microsoft had a downloadable boot disc for Windows XP, so I got the disabled machine running with it, but I'm not happy with the prospect of a possible robotic scan of the computer.

             

            So, could you explain the constant UDP packets?  What are they used for?  Thanks!

            • 3. Re: Root kit?  Is there protection against this?

              Your ADSL modem is acting like a router too. Otherwise, private (NAT) IP addresses like 192.168.x.x would never be able to communicate with the internet without "routing". The UDP packets usually come from multimedia streams or services like universal plug and play and Windows File/Printer Sharing. UDP packets are a normal part of the internet and will not impact your system performance. Another example of UDP is from online games and some voice over IP technology. Some VPNs use UDP as a transport for the tunnel. One of the most common UDP uses I can think of is DNS; the method of turning www.website-name.com into an IP address that the computer/networks can understand.

               

              A machine behind a hardware firewall/NAT router should not be receiving mass amounts of unsolicited UDP packets unless a system in the network requested it or the router was instructed to forward the packets.

              A computer receiving UDP packets that is also up-to-date and not running a program that receives the packets is in no danger. If the packets did come from the internet, they would not be "spoofed" to come from your router. Otherwise, the return data would go to the router and not back to the internet/remote attacker (unless they had physical access or a physical connection to your network hardware).

               

              I recall there being at least 2 major vulnerabilities 5+ years ago in SQL and UPnP in which to communicate with those programs, UDP packets were used and it was exploited. Also, a very large flood of UDP packets could be used as a Denial of Service attack to use up bandwidth but this scale of attack would be far greater than what you probably will see.

               

              When you run netstat, you will not see UDP connections as UDP is a connectionless protocol. The connection to China would be questionable, especially if you did not have a program connecting to that site. It is possible you have a rootkit/bootkit and it has a kernel driver acting as the application to request UDP data from the internet (making the router forward it through).

               

               

              Bottom Line

              -------

              A lot of things are possible, but highly improbable in the case you described. The attack would have to be extremely advanced. It seems more likely that there is a misconfiguration or service that was running fine all the time in the background but once the firewall made this normal background traffic visible, it seemed like a concern when there was nothing to be concerned about.
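Added example (not part of the thread and not any poster's code): a short triage script for the point made in the reply above, that UDP from the gateway is usually DNS, UPnP or file-sharing traffic. DNS replies leave the gateway from port 53 and land on a different ephemeral port each time, which a firewall log can show as "never the same port". The log line format, the `classify` and `summarize` helpers and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Services named in the reply above (plus DHCP), keyed by well-known UDP port.
KNOWN_UDP = {53: "DNS", 67: "DHCP", 68: "DHCP", 137: "NetBIOS",
             138: "NetBIOS", 1900: "SSDP/UPnP"}

# Assumed log format: "<time> UDP <src_ip>:<port> -> <dst_ip>:<port>"
LINE = re.compile(r"^\S+ UDP ([\d.]+):(\d+) -> ([\d.]+):(\d+)$")

def classify(line, gateway="192.168.0.1"):
    """Return (label, dst_port) for a UDP line sent by the gateway, else None."""
    m = LINE.match(line.strip())
    if not m or m.group(1) != gateway:
        return None
    sport, dport = int(m.group(2)), int(m.group(4))
    # A reply comes FROM the service port; a broadcast or multicast goes TO it.
    label = KNOWN_UDP.get(sport) or KNOWN_UDP.get(dport) or "unexplained"
    return label, dport

def summarize(lines, gateway="192.168.0.1"):
    """Count gateway UDP packets per service; list unexplained destination ports."""
    counts, odd_ports = Counter(), set()
    for line in lines:
        result = classify(line, gateway)
        if result is None:
            continue
        label, dport = result
        counts[label] += 1
        if label == "unexplained":
            odd_ports.add(dport)
    return counts, sorted(odd_ports)

# Constructed sample lines, not taken from the thread.
SAMPLE = [
    "22:01:03 UDP 192.168.0.1:53 -> 192.168.0.10:51234",
    "22:01:03 UDP 192.168.0.1:53 -> 192.168.0.10:49877",
    "22:01:04 UDP 192.168.0.1:53 -> 192.168.0.10:60211",
    "22:01:09 UDP 192.168.0.1:1900 -> 239.255.255.250:1900",
    "22:01:15 UDP 192.168.0.1:40000 -> 192.168.0.10:4000",
    "22:01:20 UDP 192.168.0.5:137 -> 192.168.0.255:137",
]

if __name__ == "__main__":
    counts, odd_ports = summarize(SAMPLE)
    print(dict(counts), "unexplained destination ports:", odd_ports)
```

Packets left in the "unexplained" bucket are the ones worth tracing to a listening process on the PC.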

              • 4. Re: Root kit?  Is there protection against this?

                I've found the virus.  It was called "Krap.w"  (I'm not making this up) and yes, it was a rootkit (plus 5 replicates of itself on the system).

                 

                What a pain.  Apparently, Microsoft discovered this on 01/12/10, installing with the Aurora problem.

                 

                No, I never thought someone was remoting in via UDP, I thought a virus was using UDP to bit torrent a download.  I'm guessing from the reactions I got that nobody thought this was an important problem.  Mom lost her entire hard drive.  Had to format and reinstall the whole O.S.  Lost all her pictures of grandkids, links, tax forms, the works.  My workplace lost the data on an entire server.  I reinstalled the O.S. on my laptop once a week since about November.

                 

                Yeah.

                 

                Wish someone would develop a rootkit killer.

                 

                Seriously, I appreciate your explanations.  Now I understand a little more.  Mom knows whatever I can explain to her.  This was a bad virus.  First appeared when someone broke into the house last fall.  Go figure.