GMER discovers a new MBR based rootkit in the wild . . .

EDITED: 1/10/2008 to remove information about possibly using ntbtlog.txt to detect the rootkit.  The driver load routine for the rootkit seems to be non-standard and thus unlikely to appear in ntbtlog.txt

You can read the gory details of it here:

Some things I’d like to point out:

  1. To open a disk for raw disk access (i.e. the method by which you can write to a raw disk sector) requires admin rights.  If you run as non-admin or are on Vista with UAC this malware won’t be able to modify your MBR

  2. To fix a modified MBR you can use the Windows Recovery Console and use the ‘fixmbr’ command.  You boot the recovery console by using your Windows CD / DVD.  So the fact that this malware doesn’t use any registry based ASEPs, is actually a pretty big weakness – it makes it easier to defeat. 🙂

I believe our own AV team will be posting additional technical details in their blog real soon now. 🙂