scorpion

Srizbi rootkit removal instructions

Large numbers of infected computers have been searching in vain for the Srizbi botnet disrupted by the disconnection of ISP McColo a week ago, a security vendor has found.

http://www.techworld.com/security/news/index.cfm?newsID=107278

http://blog.fireeye.com/research/2008/11/srizbi-removal-instructions.html

Step 1: Backup the system (recommended)

Windows XP

For Windows XP users, we strongly recommend creating a System Restore point before starting this disinfection process. System Restore can help users revert back all the changes to the system in case something goes wrong (such as a random power loss). For more information on System Restore, please refer to http://support.microsoft.com/kb/306084.

If system restore is not yet enabled on your system, please follow the instructions here http://support.microsoft.com/kb/310405

Windows 2k (Professional and AS)

Unfortunately, the System Restore feature is not available in Windows 2000, so users must back up all of their important files using other tools before continuing the disinfection process.

Step 2: Identify and Remove the Rootkit Driver

Step 2-1: Start the system in Safe Mode

When the system starts in Windows' "Normal" mode, Srizbi uses a kernel level rootkit to hide its files and registry entries. For this reason, we need to start the infected machine in Safe Mode to see the changes made by Srizbi. Information on how to start Windows in Safe Mode can be found here http://support.microsoft.com/kb/315222.

Some recent variants have been seen which can also hide their files in Safe Mode, but most do not.

Step 2-2: Verify Srizbi Infection

Once the infected system is rebooted in Safe Mode, we can try to find some files created by Srizbi. One particular file to look for is a batch (.bat) file, having content like the following:

    :abc
    del "C:\D7641A4046742F3294AD4600B15C5E20.exe"
    if exist "C:\D7641A4046742F3294AD4600B15C5E20.exe" goto abc
    rmdir "C:\"
    del "C:\DOCUME~1\worm\LOCALS~1\Temp\_it.bat"

Of the hundred+ samples analyzed in FireEye labs, the file that Srizbi executed was in the root directory - C:\. A unique feature of this batch file is the string ":abc" at the beginning of the file. Search for such a batch file on the system disk.

You'll want to use the search function on Windows to accomplish this.

a) Make sure the "Show Hidden Files" option is enabled. If not, follow these steps to turn it on:

My Computer --> Tools --> Folder Options --> View

Check the 'Show hidden files and folders' option.

Uncheck the 'Hide protected operating system files' and 'Hide extensions for known types' boxes.

Press Ok.

b) In the "File Name" box, enter *.bat

c) In the "A word or phrase in the file" box (just below the name box), enter :abc

d) You will also need to tell Windows to search for hidden files and folders, by going to 'More Advanced Options' in the lower part of the Search bar. Click it and check the "Search hidden files and folders" option.

e) Press the "Search" button and wait to see if the system can find any such files. Normally this file only has 3 or 4 characters in its name, similar to:

_it.bat
svs.bat

If the search finds any such files on the Windows system drive, the system is almost certainly infected by Srizbi, and the removal instructions below will help.

NOTE: If the search fails to find such files, the system may be infected by another Srizbi variant which can hide its files even under Safe Mode. In this case, the user should boot from some other bootable media (like Knoppix) that can read the hard drive directly, as at that time the infected OS will not be able to hide the Srizbi infection. A later article will describe this in more detail.

Step 2-3: Removing the Infection

After the infection is verified, a user can follow one of the following two approaches to disinfect the system.

Approach 1. System Restore (Only available for Windows XP)

Right click on the .bat file and try to find out its creation date. If you have a System Restore point prior to this creation date, you can choose to restore the system from that. For more information on System Restore one might refer to http://support.microsoft.com/kb/306084.

Approach 2. Manual Disinfection (Applies to both Windows XP and 2000)

The idea here is to locate a driver (.sys) and an executable (.exe) which were created just before or after the creation of this .bat file (within a minute). In Windows we can search based on the creation dates.

a) Type *.sys, *.exe as the file name for which to search.

b) Go to the "When was it modified" option in the search bar. Check 'specify dates', select "Created Date". Now type the same date when that 'bat' file was created, both in the "to"
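The two checks above, the ':abc' batch-file search of Step 2-2 and the search in Step 2-3 (approach 2) for .sys/.exe files created within a minute of it, scripted as an added example that is not part of the FireEye write-up or this post. It assumes the infected drive is reachable as a directory (the live system in Safe Mode, or a disk mounted from other boot media such as Knoppix); on a non-Windows mount it falls back to modification time, since creation time is not exposed there.

```python
"""Added example (not from the FireEye article or this post): automate the
two checks above, the ':abc' batch-file search and the search for .sys/.exe
files created within a minute of it, e.g. over a drive mounted from Knoppix."""
import os
import sys

WINDOW_SECONDS = 60  # "within a minute" of the .bat file


def file_timestamp(path):
    """Creation time on Windows (st_ctime). A Linux mount exposes no creation
    time via os.stat, so modification time is used there (assumption)."""
    st = os.stat(path)
    return st.st_ctime if sys.platform == "win32" else st.st_mtime


def is_srizbi_batch(path, max_size=1024):
    """True for a small .bat whose first non-blank text is the ':abc' label."""
    try:
        if os.path.getsize(path) > max_size:
            return False
        with open(path, "rb") as fh:
            head = fh.read(max_size).lstrip()
    except OSError:
        return False
    return head.lower().startswith(b":abc")


def iter_files(root, suffixes):
    """Yield every file under root (hidden ones too) ending in one of suffixes."""
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            if name.lower().endswith(suffixes):
                yield os.path.join(dirpath, name)


def find_batch_indicators(root):
    """Step 2-2: batch files carrying the ':abc' marker, sorted by path."""
    return sorted(p for p in iter_files(root, (".bat",)) if is_srizbi_batch(p))


def find_companions(root, bat_path, window=WINDOW_SECONDS, stamp=file_timestamp):
    """Step 2-3, approach 2: .sys/.exe files timestamped within `window` seconds
    of the batch file. `stamp` is overridable so the logic can be unit-tested."""
    ref = stamp(bat_path)
    return sorted(p for p in iter_files(root, (".sys", ".exe"))
                  if abs(stamp(p) - ref) <= window)


if __name__ == "__main__":
    drive = sys.argv[1] if len(sys.argv) > 1 else "C:\\"
    for bat in find_batch_indicators(drive):
        print("suspicious batch file:", bat)
        for companion in find_companions(drive, bat):
            print("  timestamped within a minute of it:", companion)
```

Run it as `python srizbi_scan.py /mnt/windows` from the rescue system (or against `C:\` from Safe Mode); anything it lists still needs the manual confirmation described above before it is removed.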


Good work posting this tutorial scorpion. This backdoor trojan is pretty sneaky. Some peeps are scared of manually removing trojans. Malwarebytes' free removal tool should do this process pretty easily, so newbies go download and remove away. Evil evil programmers making these viruses. psssh!

[security Hombre]

Scorpion posted this tutorial in Nov 08


Well people still do searches and come up with these results. Might as well throw in other options for those people. Right? The posts do not delete and I figure might as well refine them for the greater good of the forum.
