Wednesday, January 18, 2012

SST Rootkit




Just wanted to share with you the steps to take to remove the SST rootkit. It is also known as Backboot.Gen by TDSSKiller. The best way to determine whether you have this rootkit is to download and run the latest TDSSKiller. If the program does not launch at all, you are likely dealing with an SST infection. Make sure that you are running at least Windows XP Service Pack 2 for TDSSKiller to work. If you have SP1, TDSSKiller will not launch and you need to update your service pack before using TDSSKiller. You can also check the partitions on the PC: if any of the system drive's partitions are FAT formatted, you may have the infection as well. Here are the steps you need to take to remove this rootkit:
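Before starting, the two quick indicators mentioned above (an XP install below SP2, and FAT-formatted volumes or partitions on the disk the system boots from) can be collected in one pass with the following PowerShell triage script. This is an added example and not part of the original post; it assumes Windows PowerShell with WMI available (the Win32_OperatingSystem, Win32_Volume and Win32_DiskPartition classes) and that the machine is still bootable enough to run it. The FAT match on the partition type string is a heuristic and is labelled as such in the comments.

```powershell
# Added triage script (not from the original post). Reports the OS service pack
# level and lists local volumes and partitions, flagging anything FAT-formatted.
# Assumes Windows PowerShell with WMI (Win32_OperatingSystem, Win32_Volume,
# Win32_DiskPartition). Run as Administrator so hidden volumes are visible.

$os = Get-WmiObject -Class Win32_OperatingSystem
Write-Host ("OS: {0}  version {1}  service pack {2}" -f $os.Caption, $os.Version, $os.ServicePackMajorVersion)

# TDSSKiller needs at least XP SP2. Kernel version 5.1 is Windows XP.
if ($os.Version -like '5.1*' -and $os.ServicePackMajorVersion -lt 2) {
    Write-Warning "Windows XP below SP2: update the service pack before running TDSSKiller."
}

Write-Host ""
Write-Host "Local fixed volumes (Win32_Volume also shows volumes with no drive letter):"
$fatVolumes = @()
# DriveType 3 = local fixed disk; skip removable media and optical drives.
Get-WmiObject -Class Win32_Volume | Where-Object { $_.DriveType -eq 3 } | ForEach-Object {
    $letter = if ($_.DriveLetter) { $_.DriveLetter } else { '(no letter)' }
    $sizeMb = [math]::Round($_.Capacity / 1MB)
    Write-Host ("  {0,-12} {1,-8} {2,10:N0} MB  {3}" -f $letter, $_.FileSystem, $sizeMb, $_.Label)
    if ($_.FileSystem -like 'FAT*') { $fatVolumes += $letter }
}

Write-Host ""
Write-Host "Partitions on the disk holding the boot partition:"
$bootPart = Get-WmiObject -Class Win32_DiskPartition | Where-Object { $_.BootPartition -eq $true } | Select-Object -First 1
$fatPartitions = @()
if ($bootPart) {
    Get-WmiObject -Class Win32_DiskPartition | Where-Object { $_.DiskIndex -eq $bootPart.DiskIndex } | ForEach-Object {
        $sizeMb = [math]::Round($_.Size / 1MB)
        Write-Host ("  Disk {0} partition {1}: {2,-28} {3,10:N0} MB" -f $_.DiskIndex, $_.Index, $_.Type, $sizeMb)
        # Heuristic: WMI partition type strings for FAT variants contain "FAT".
        if ($_.Type -match 'FAT') { $fatPartitions += $_.DeviceID }
    }
} else {
    Write-Warning "No boot partition reported by WMI; check partitions manually."
}

Write-Host ""
if ($fatVolumes.Count -gt 0 -or $fatPartitions.Count -gt 0) {
    Write-Warning ("FAT-formatted volumes/partitions found: {0}. This matches the SST indicator above; proceed with the removal steps." -f (($fatVolumes + $fatPartitions) -join ', '))
} else {
    Write-Host "No FAT-formatted volumes or partitions found on the boot disk. Still run the latest TDSSKiller to confirm."
}
```

A clean machine normally shows only NTFS on the boot disk, so a FAT entry here is worth a closer look rather than proof of infection on its own; the real confirmation is still whether TDSSKiller launches and what it reports.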

      Open up XueTr and navigate to the Kernel Tab > Notify Routine. You will see this:



You will notice that 2 of the items show up in red. We need to remove both of the ones here that have the module "unknown image". Right-Click on them and select delete on CreateProcess like this:



Then again for LoadImage:



      Open up TDSSKiller and make sure that it is the latest version. Once you scan, you should come up with “Rootkit.Boot.SST.x”. Cure the infection:

      Please note that you may see SST.b in TDSSKiller; all of the same steps apply to the "SST.b" variant. Also, it is VERY IMPORTANT that you do not cure any other infections at this point. If you have SST, you need to cure that but skip all other infections that TDSSKiller might find. If you find that you are infected with ZeroAccess as well, please refer to the ZeroAccess section of this blog for further instructions once you have cleared out SST.


      You will be prompted to overwrite the MBR code because TDSSKiller is not able to “Cure” it. As long as the infected PC is not set up with a custom boot loader, select “Yes”.



      Reboot when TDSSKiller asks you to and you are all set.



Make sure to remove all other infections after removing SST. A good Malwarebytes (MBAM) full scan should do the trick. Email me if you have questions/comments.
