Rombertik Malware Wipes MBR and User's Files if Detected

So...this is kind of clever honestly.

Define your version of clever, since you're a programmer.
Just by looking at Rombertik I would say the antivirus/malware companies and possibly MS might need to program a special tool for DOS and have it look for the malware algorithm.
Also, seeing as how this is serious, I would say they would need to boot before the OS starts up and take it down.
I don't even program but at least I can see a few ways to get rid of it safely.

What you have here is Russian roulette infections. :/
 
I say it's clever because when it's scanned or attempted to be removed in a certain way, it has 2 "destruction" methods, one as a primary method and the second as a "backup" method.

Method 1) Kill the MBR - this of course will only work on MBR systems (and not GPT systems).
Method 2) Failing to kill the MBR (i.e. no access to the MBR or on a GPT-based disk), it will encrypt files in the user's home folder (presumably everything under C:\Users\<username>\ ). The good thing, however, is that it's only using RC4 encryption (which is apparently fairly easily brute-forced) rather than what Cryptolocker uses (AES-2048). The bad thing is each file is encrypted with a random key, so you'd have to brute force each file.

The safest way to get rid of it would be to use a Linux LiveCD...although you'd have to already know what you're infected with in order to properly remove it.

Fixing the MBR (Method 1 of the malware) is easy - just gotta boot off of a Windows disc and run fixboot / fixmbr.
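The MBR-versus-GPT distinction above is visible in the first 512 bytes of the disk, and a wiped boot sector is just as visible. As an added example (not from this thread), the following Python parses a boot sector, tells a classic MBR from a GPT protective MBR, flags a wiped sector, and compares a sector against a known-good baseline; the sample sectors are constructed inline.

```python
"""Parse a 512-byte boot sector: classic MBR vs GPT protective MBR vs
wiped/invalid, plus a baseline comparison a defender can use to detect
tampering. All sample sectors below are constructed, not captured."""
import hashlib
import struct

SECTOR_SIZE = 512
GPT_PROTECTIVE_TYPE = 0xEE  # partition type byte used by a GPT protective MBR
TABLE_OFFSET = 446          # partition table starts after the boot code

def build_sector(boot_code: bytes, partitions) -> bytes:
    """Construct an MBR with up to four (type, start_lba, sector_count) entries."""
    sector = bytearray(SECTOR_SIZE)
    sector[:len(boot_code)] = boot_code
    for i, (ptype, start, count) in enumerate(partitions[:4]):
        off = TABLE_OFFSET + 16 * i
        sector[off] = 0x80 if i == 0 else 0x00      # status: first entry bootable
        sector[off + 4] = ptype                      # partition type byte
        struct.pack_into("<II", sector, off + 8, start, count)  # LBA start, LBA count
    sector[510:512] = b"\x55\xAA"                    # MBR signature
    return bytes(sector)

def classify_sector(sector: bytes) -> dict:
    """Return the partition style, parsed entries and a fingerprint of the boot code."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("boot sector must be exactly 512 bytes")
    if sector[510:512] != b"\x55\xAA":
        # No signature: zeroed, overwritten or otherwise unusable boot sector.
        return {"style": "invalid", "partitions": [], "boot_code_sha256": None}
    entries = []
    for i in range(4):
        off = TABLE_OFFSET + 16 * i
        ptype = sector[off + 4]
        if ptype == 0:
            continue  # empty slot
        start, count = struct.unpack_from("<II", sector, off + 8)
        entries.append({"type": ptype, "start_lba": start, "sectors": count})
    style = "gpt" if any(e["type"] == GPT_PROTECTIVE_TYPE for e in entries) else "mbr"
    return {"style": style, "partitions": entries,
            "boot_code_sha256": hashlib.sha256(sector[:TABLE_OFFSET]).hexdigest()}

def mbr_changed(baseline: bytes, current: bytes) -> bool:
    """True if boot code or partition table differ from the baseline, or the sector is wiped."""
    return baseline[:510] != current[:510] or classify_sector(current)["style"] == "invalid"

# Constructed samples: a classic MBR with one NTFS-type partition, a GPT protective MBR,
# and an all-zero sector standing in for a wiped disk.
CLASSIC_MBR = build_sector(b"\x33\xC0\x8E\xD0\xBC\x00\x7C" + b"\x90" * 8, [(0x07, 2048, 204800)])
GPT_MBR = build_sector(b"\x90" * 8, [(GPT_PROTECTIVE_TYPE, 1, 0xFFFFFFFF)])
WIPED_SECTOR = bytes(SECTOR_SIZE)
```

On a live system the same check would read the first 512 bytes of the physical disk and compare them with a fingerprint taken when the machine was known to be clean.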
 