Author Topic: Unknown MBR code  (Read 7178 times)

Offline zapster

  • Newbie
  • Posts: 11
Unknown MBR code
« on: March 27, 2012, 08:29:54 PM »
aswMBR shows an unknown MBR code. The machine is NOT a Dell or HP (or any other system with a recovery partition). I am not running any boot managers or any other utility that should change the MBR. I installed the drives and have imaged/restored them with ghost many times. I'm running Windows XP. No hidden partitions that I can find.

Neither aswMBR nor TDSSKiller shows active infections, although TDSSKiller does locate \Device\Harddisk0\DR0 ( TDSS File System ), I assume from a past infection, although I don't know when or what software removed the infection.

Is the "unknown MBR code" anything to worry about?

aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
Run date: 2012-03-26 10:32:36
-----------------------------
10:32:36.125    OS Version: Windows 5.1.2600 Service Pack 3
10:32:36.125    Number of processors: 2 586 0x209
10:32:36.125    ComputerName: SAM  UserName: gandolph
10:32:36.437    Initialize success
10:51:36.781    AVAST engine defs: 12032601
11:13:28.781    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-e
11:13:28.781    Disk 0 Vendor: WDC_WD20EADS-00S2B0 01.00A01 Size: 1907729MB BusType: 3
11:13:28.781    Disk 1  \Device\Harddisk1\DR1 -> \Device\Ide\IdeDeviceP3T0L0-19
11:13:28.781    Disk 1 Vendor: ST3160023AS 3.05 Size: 152627MB BusType: 3
11:13:28.796    Disk 0 MBR read successfully
11:13:28.796    Disk 0 MBR scan
11:13:28.843    Disk 0 unknown MBR code
11:13:28.843    Disk 0 Partition 1 80 (A) 07    HPFS/NTFS NTFS        29996 MB offset 63
11:13:28.843    Disk 0 Partition 2 00     07    HPFS/NTFS NTFS       122628 MB offset 61432560
11:13:28.875    Disk 0 Partition 3 00     07    HPFS/NTFS NTFS        99998 MB offset 312576705
11:13:28.875    Disk 0 Partition - 00     0F Extended LBA           1655102 MB offset 517373325
11:13:28.875    Disk 0 Partition 4 00     07    HPFS/NTFS NTFS       255102 MB offset 517373388
11:13:28.890    Disk 0 Partition - 00     05     Extended            499999 MB offset 1039823190
11:13:28.890    Disk 0 Partition 5 00     07    HPFS/NTFS NTFS       499999 MB offset 1039823253
11:13:28.906    Disk 0 scanning sectors +3907024065
11:13:28.968    Disk 0 scanning C:\WINDOWS\system32\drivers
11:13:38.296    Service scanning
11:13:49.203    Modules scanning
11:13:52.265    Disk 0 trace - called modules:
11:13:52.281    ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
11:13:52.281    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8a67dab8]
11:13:52.281    3 CLASSPNP.SYS[f7657fd7] -> nt!IofCallDriver -> \Device\0000006f[0x8a67e9e8]
11:13:52.281    5 ACPI.sys[f75ae620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP2T0L0-e[0x8a667d98]
11:13:52.625    AVAST engine scan C:\WINDOWS
11:13:59.218    AVAST engine scan C:\WINDOWS\system32
11:16:48.375    AVAST engine scan C:\WINDOWS\system32\drivers
11:17:01.750    AVAST engine scan C:\Documents and Settings\gandolph
11:17:17.500    Disk 0 MBR has been saved successfully to "C:\Documents and Settings\gandolph\Desktop\MBR.dat"
11:17:17.515    The log file has been saved successfully to "C:\Documents and Settings\gandolph\Desktop\aswMBR.txt"



12:13:30.0531 3824   TDSS rootkit removing tool 2.7.23.0 Mar 26 2012 13:40:18
12:13:31.0062 3824   ============================================================
12:13:31.0062 3824   Current date / time: 2012/03/27 12:13:31.0062
12:13:31.0062 3824   SystemInfo:
12:13:31.0062 3824   
12:13:31.0062 3824   OS Version: 5.1.2600 ServicePack: 3.0
12:13:31.0062 3824   Product type: Workstation
12:13:31.0062 3824   ComputerName: SAM
12:13:31.0062 3824   UserName: gandolph
12:13:31.0062 3824   Windows directory: C:\WINDOWS
12:13:31.0062 3824   System windows directory: C:\WINDOWS
12:13:31.0062 3824   Processor architecture: Intel x86
12:13:31.0062 3824   Number of processors: 2
12:13:31.0062 3824   Page size: 0x1000
12:13:31.0062 3824   Boot type: Normal boot
12:13:31.0062 3824   ============================================================
12:13:33.0171 3824   Drive \Device\Harddisk0\DR0 - Size: 0x1D1C1116000 (1863.02 Gb), SectorSize: 0x200, Cylinders: 0x3B601, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000054
12:13:33.0187 3824   Drive \Device\Harddisk1\DR1 - Size: 0x25433D6000 (149.05 Gb), SectorSize: 0x200, Cylinders: 0x4C01, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000054
12:13:33.0203 3824   \Device\Harddisk0\DR0:
12:13:33.0203 3824   MBR used
12:13:33.0203 3824   \Device\Harddisk0\DR0\Partition0: MBR, Type 0x7, StartLBA 0x3F, BlocksNum 0x3A962B1
12:13:33.0203 3824   \Device\Harddisk0\DR0\Partition1: MBR, Type 0x7, StartLBA 0x3A962F0, BlocksNum 0xEF827D1
12:13:33.0203 3824   \Device\Harddisk0\DR0\Partition2: MBR, Type 0x7, StartLBA 0x12A18AC1, BlocksNum 0xC34F2CC
12:13:33.0218 3824   \Device\Harddisk0\DR0\Partition3: MBR, Type 0x7, StartLBA 0x1ED67DCC, BlocksNum 0x1F23F38A
12:13:33.0234 3824   \Device\Harddisk0\DR0\Partition4: MBR, Type 0x7, StartLBA 0x3DFA7195, BlocksNum 0x3D08FC7E
12:13:33.0234 3824   \Device\Harddisk1\DR1:
12:13:33.0234 3824   MBR used
12:13:33.0234 3824   \Device\Harddisk1\DR1\Partition0: MBR, Type 0x7, StartLBA 0x3F, BlocksNum 0x12A18A82
12:13:33.0531 3824   Initialize success
scan a bunch of files - everything is OK
12:13:48.0515 3888   ============================================================
12:13:48.0515 3888   Scan finished
12:13:48.0515 3888   ============================================================
12:13:48.0531 3880   Detected object count: 0
12:13:48.0531 3880   Actual detected object count: 0
12:13:59.0296 3928   ============================================================
12:13:33.0531 3824   ============================================================
12:13:59.0296 3928   Scan started
12:13:59.0296 3928   Mode: Manual; TDLFS;
12:13:59.0296 3928   ============================================================
12:14:07.0875 3928   MBR (0x1B8)     (671b81004fdd1588fa9ed1331c9ceca9) \Device\Harddisk0\DR0
12:14:08.0062 3928   \Device\Harddisk0\DR0 ( TDSS File System ) - warning
12:14:08.0062 3928   \Device\Harddisk0\DR0 - detected TDSS File System (1)
12:14:08.0078 3928   MBR (0x1B8)     (671b81004fdd1588fa9ed1331c9ceca9) \Device\Harddisk1\DR1
12:14:08.0140 3928   \Device\Harddisk1\DR1 - ok
12:14:08.0140 3928   Boot (0x1200)   (a45abe50bcd6cd7377d0eff06ce75429) \Device\Harddisk0\DR0\Partition0
12:14:08.0140 3928   \Device\Harddisk0\DR0\Partition0 - ok
12:14:08.0187 3928   Boot (0x1200)   (4ee9c2d7df7c34039c36db13a414bd1d) \Device\Harddisk0\DR0\Partition1
12:14:08.0187 3928   \Device\Harddisk0\DR0\Partition1 - ok
12:14:08.0203 3928   Boot (0x1200)   (938e0e53cae7382e02cd96e10c5dd0dc) \Device\Harddisk0\DR0\Partition2
12:14:08.0203 3928   \Device\Harddisk0\DR0\Partition2 - ok
12:14:08.0218 3928   Boot (0x1200)   (7e4e853ca9726e35959723a10e561236) \Device\Harddisk0\DR0\Partition3
12:14:08.0218 3928   \Device\Harddisk0\DR0\Partition3 - ok
12:14:08.0234 3928   Boot (0x1200)   (deda2e871b32dbdfc831e497686119a6) \Device\Harddisk0\DR0\Partition4
12:14:08.0234 3928   \Device\Harddisk0\DR0\Partition4 - ok
12:14:08.0234 3928   Boot (0x1200)   (29ef3976cd62e3e90a2ab2e5f1bf33ca) \Device\Harddisk1\DR1\Partition0
12:14:08.0234 3928   \Device\Harddisk1\DR1\Partition0 - ok
scan a bunch of files everything is OK
12:14:08.0234 3928   ============================================================
12:14:08.0234 3928   Scan finished
12:14:08.0234 3928   ============================================================
12:14:08.0250 3920   Detected object count: 1
12:14:08.0250 3920   Actual detected object count: 1
12:14:37.0718 3920   \Device\Harddisk0\DR0 ( TDSS File System ) - skipped by user
12:14:37.0718 3920   \Device\Harddisk0\DR0 ( TDSS File System ) - User select action: Skip
12:14:39.0687 3816   Deinitialize success

Offline essexboy

  • avast! Überevangelist
  • Maybe Bot
  • Posts: 28899
  • Gender: Male
Re: Unknown MBR code
« Reply #1 on: March 27, 2012, 08:32:41 PM »
Re-run TDSSKiller and select delete for this line

\Device\Harddisk0\DR0 ( TDSS File System )

If you have a standard system then you can fixmbr from the recovery console or ask aswMBR to do it for you

Offline zapster

  • Newbie
  • Posts: 11
Re: Unknown MBR code
« Reply #2 on: March 28, 2012, 01:27:56 AM »
Is there any reason to fix the MBR if everything is working fine?

Offline zapster

  • Newbie
  • Posts: 11
Re: Unknown MBR code
« Reply #3 on: March 28, 2012, 03:53:28 PM »
Could the unknown MBR code be a new unidentified rootkit?

Offline True Indian

  • Malware Hunter
  • Advanced Poster
  • Posts: 729
  • Gender: Male
Re: Unknown MBR code
« Reply #4 on: March 28, 2012, 03:56:37 PM »
Upload the MBR.dat [a copy of your MBR code] here:
www.virustotal.com

it is located here:
C:\Documents and Settings\gandolph\Desktop\MBR.dat

Offline zapster

  • Newbie
  • Posts: 11
Re: Unknown MBR code
« Reply #5 on: March 28, 2012, 05:57:59 PM »
Nothing found, but if it was a new threat they wouldn't detect it, right?

Offline Asyn

  • avast! Überevangelist
  • Maybe Bot
  • Posts: 24867
Re: Unknown MBR code
« Reply #6 on: March 28, 2012, 06:21:05 PM »
Nothing found, but if it was a new threat they wouldn't detect it, right?

Forget True Indian and wait for essexboy..!!!

Offline essexboy

  • avast! Überevangelist
  • Maybe Bot
  • Posts: 28899
  • Gender: Male
Re: Unknown MBR code
« Reply #7 on: March 28, 2012, 07:15:38 PM »
Could you upload the mbr.dat to Mediafire and post the sharing link; I will then have a look at it.

Offline zapster

  • Newbie
  • Posts: 11
Re: Unknown MBR code
« Reply #8 on: March 29, 2012, 06:14:12 AM »
Copy of MBR is located here:

http://www.mediafire.com/?y7p0349z4oyiihc

Offline essexboy

  • avast! Überevangelist
  • Maybe Bot
  • Posts: 28899
  • Gender: Male
Re: Unknown MBR code
« Reply #9 on: March 29, 2012, 05:47:42 PM »
I can see nothing untoward in the code - Analysis below

Code:
MBR Analyzer v1.1.1

File : C:\Users\Martin\Desktop\MBR.dat

--------------------------------------------------------------

--OFFSET--  0-1-2-3-4-5-6-7-8-9-A-B-C-D-E-F-  0123456789ABCDEF

0x00000000  33C08ED0BC007CFB5007501FFCBE1B7C  3À.м.|ûP.P.ü¾.|
0x00000010  BF1B065057B9E501F3A4CBBEBE07B104  ¿..PW¹å.ó¤Ë¾¾.±.
0x00000020  382C7C09751583C610E2F5CD188B148B  8,|.u..Æ.âõÍ....
0x00000030  EE83C610497416382C74F6BE10074EAC  î.Æ.It.8,tö¾..N¬
0x00000040  3C0074FABB0700B40ECD10EBF2894625  <.tú»..´.Í.ëò.F%
0x00000050  968A4604B4063C0E7411B40B3C0C7405  ..F.´.<.t.´.<.t.
0x00000060  3AC4752B40C64625067524BBAA5550B4  :Äu+@ÆF%.u$»ªUP´
0x00000070  41CD1358721681FB55AA7510F6C10174  AÍ.Xr..ûUªu.öÁ.t
0x00000080  0B8AE0885624C706A106EB1E886604BF  ..à.V$Ç.¡.ë..f.¿
0x00000090  0A00B801028BDC33C983FF057F038B4E  ..¸...Ü3É......N
0x000000A0  25034E02CD137229BE4607813EFE7D55  %.N.Í.r)¾F..>þ}U
0x000000B0  AA745A83EF057FDA85F67583BE2707EB  ªtZ.ï..Ú.öu.¾'.ë
0x000000C0  8A9891529903460813560AE812005AEB  ...R..F..V.è..Zë
0x000000D0  D54F74E433C0CD13EBB8000000000000  ÕOtä3ÀÍ.ë¸......
0x000000E0  5633F656565250065351BE1000568BF4  V3öVVRP.SQ¾..V.ô
0x000000F0  5052B800428A5624CD135A588D641072  PR¸.B.V$Í.ZX.d.r
0x00000100  0A4075014280C702E2F7F85EC3EB7449  .@u.B.Ç.â÷ø^ÃëtI
0x00000110  6E76616C696420706172746974696F6E  nvalid partition
0x00000120  207461626C65004572726F72206C6F61   table.Error loa
0x00000130  64696E67206F7065726174696E672073  ding operating s
0x00000140  797374656D004D697373696E67206F70  ystem.Missing op
0x00000150  65726174696E672073797374656D0000  erating system..
0x00000160  00000000000000000000000000000000  ................
0x00000170  00000000000000000000000000000000  ................
0x00000180  0000008BFC1E578BF5CB000000000000  ....ü.W.õË......
0x00000190  00000000000000000000000000000000  ................
0x000001A0  00000000000000000000000000000000  ................
0x000001B0  0000000000000000B78DB78D00008001  ........·.·.....
0x000001C0  010007FEFFFF3F000000B162A9030000  ...þ..?...±b©...
0x000001D0  C1FF07FEFFFFF062A903D127F80E00FE  Á..þ..ðb©.Ñ'ø..þ
0x000001E0  FFFF07FEFFFFC18AA112CCF2340C00FE  ...þ..Á.¡.Ìò4..þ
0x000001F0  FFFF0FFEFFFF8D7DD61E34F709CA55AA  ...þ...}Ö.4÷.ÊUª

---------------------------[ MBR ]----------------------------

MBR_CODE        : Unknown MBR Code
MD5             : FDA6AF8E884C552F21FCF497D9F7F706
SHA1            : CD49696A29D7B212EEC5FFFECDC3E37893586D2C
PARTITIONS      : 4
DISK_SIGNATURE  : B78DB78D
SIGNATURE_ID    : AA55h

-----------------------[ PARTITION 1 ]------------------------

BOOTABLE        : YES
PARTITION_TYPE  : 0x07 ( NTFS / HPFS)
PARTITION_SIZE  : 29.29 Go
STARTING_SECTOR : 63
ENDING_SECTOR   : 61432560
TOTAL_SECTORS   : 61432497

-----------------------[ PARTITION 2 ]------------------------

BOOTABLE        : NO
PARTITION_TYPE  : 0x07 ( NTFS / HPFS)
PARTITION_SIZE  : 119 Go
STARTING_SECTOR : 61432560
ENDING_SECTOR   : 312576705
TOTAL_SECTORS   : 251144145

-----------------------[ PARTITION 3 ]------------------------

BOOTABLE        : NO
PARTITION_TYPE  : 0x07 ( NTFS / HPFS)
PARTITION_SIZE  : 97.65 Go
STARTING_SECTOR : 312576705
ENDING_SECTOR   : 517373325
TOTAL_SECTORS   : 204796620

-----------------------[ PARTITION 4 ]------------------------

BOOTABLE        : NO
PARTITION_TYPE  : 0x0F ( Extended [LBA] )
PARTITION_SIZE  : 1.58 To
STARTING_SECTOR : 517373325
ENDING_SECTOR   : 3907024065
TOTAL_SECTORS   : 3389650740
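
The analyzer report above is what a defender gets from any MBR dump, and its checks can be reproduced offline. The Python below is an added example, not code from this thread, from aswMBR, TDSSKiller or the MBR Analyzer essexboy used. It parses the 512 bytes transcribed from the hex dump above: it validates the 55AA boot signature, reads the disk signature and the four partition entries, checks the partitions for overlap, pulls the printable strings out of the bootstrap code, and compares an MD5 of the first 0x1B8 bytes with a baseline of hashes you supply. The baseline parameter and the finding texts are this example's own. With an empty baseline every code hash comes back "not in baseline", which is all that "unknown MBR code" means in the tool output: the code did not match the tool's hash list, which is not the same as it being malicious.

```python
"""Triage a raw 512-byte MBR image such as the MBR.dat that aswMBR saves.

Added example: not code from the thread, from aswMBR, TDSSKiller or the
"MBR Analyzer" quoted above. SAMPLE_MBR is transcribed from the hex dump in
that analyzer output, so the results can be checked against it.
"""
import hashlib
import struct

# 512 bytes copied from the hex dump above, two 16-byte rows per string.
SAMPLE_MBR = bytes.fromhex(
    "33C08ED0BC007CFB5007501FFCBE1B7C" "BF1B065057B9E501F3A4CBBEBE07B104"
    "382C7C09751583C610E2F5CD188B148B" "EE83C610497416382C74F6BE10074EAC"
    "3C0074FABB0700B40ECD10EBF2894625" "968A4604B4063C0E7411B40B3C0C7405"
    "3AC4752B40C64625067524BBAA5550B4" "41CD1358721681FB55AA7510F6C10174"
    "0B8AE0885624C706A106EB1E886604BF" "0A00B801028BDC33C983FF057F038B4E"
    "25034E02CD137229BE4607813EFE7D55" "AA745A83EF057FDA85F67583BE2707EB"
    "8A9891529903460813560AE812005AEB" "D54F74E433C0CD13EBB8000000000000"
    "5633F656565250065351BE1000568BF4" "5052B800428A5624CD135A588D641072"
    "0A4075014280C702E2F7F85EC3EB7449" "6E76616C696420706172746974696F6E"
    "207461626C65004572726F72206C6F61" "64696E67206F7065726174696E672073"
    "797374656D004D697373696E67206F70" "65726174696E672073797374656D0000"
    "00000000000000000000000000000000" "00000000000000000000000000000000"
    "0000008BFC1E578BF5CB000000000000" "00000000000000000000000000000000"
    "00000000000000000000000000000000" "0000000000000000B78DB78D00008001"
    "010007FEFFFF3F000000B162A9030000" "C1FF07FEFFFFF062A903D127F80E00FE"
    "FFFF07FEFFFFC18AA112CCF2340C00FE" "FFFF0FFEFFFF8D7DD61E34F709CA55AA"
)

CODE_LEN = 0x1B8        # bootstrap code, bytes 0x000-0x1B7 (the length TDSSKiller prints)
DISK_SIG_OFF = 0x1B8    # 4-byte Windows disk signature
PART_TABLE_OFF = 0x1BE  # four 16-byte partition entries
BOOT_SIG_OFF = 0x1FE    # must hold 55 AA


def parse_partitions(mbr):
    """Decode the four primary partition entries (status, type, LBA start, count)."""
    parts = []
    for i in range(4):
        status, ptype, start, count = struct.unpack_from(
            "<B3xB3xII", mbr, PART_TABLE_OFF + 16 * i)
        parts.append({"index": i + 1, "bootable": status == 0x80, "type": ptype,
                      "start": start, "count": count, "end": start + count})
    return parts


def extract_strings(data, min_len=8):
    """Return runs of printable ASCII at least min_len bytes long."""
    runs, cur = [], bytearray()
    for b in data + b"\x00":          # the sentinel flushes the last run
        if 0x20 <= b < 0x7F:
            cur.append(b)
        else:
            if len(cur) >= min_len:
                runs.append(cur.decode("ascii"))
            cur = bytearray()
    return runs


def triage_mbr(mbr, known_good_code_md5=()):
    """Structural checks plus a comparison of the code hash with a baseline.

    known_good_code_md5 (this example's own parameter): MD5 hex digests of the
    first 0x1B8 bytes captured from clean machines with the same OS.
    """
    if len(mbr) != 512:
        raise ValueError("expected a 512-byte sector, got %d bytes" % len(mbr))
    parts = parse_partitions(mbr)
    findings = []
    if mbr[BOOT_SIG_OFF:BOOT_SIG_OFF + 2] != b"\x55\xAA":
        findings.append("boot signature 55AA missing")
    used = sorted((p for p in parts if p["type"] != 0), key=lambda p: p["start"])
    for a, b in zip(used, used[1:]):      # "end" is exclusive, so touching is fine
        if a["end"] > b["start"]:
            findings.append("partitions %d and %d overlap" % (a["index"], b["index"]))
    if sum(p["bootable"] for p in used) != 1:
        findings.append("expected exactly one bootable partition")
    code_md5 = hashlib.md5(mbr[:CODE_LEN]).hexdigest()
    if code_md5 not in {h.lower() for h in known_good_code_md5}:
        findings.append("bootstrap code MD5 %s not in baseline" % code_md5)
    return {"disk_signature": mbr[DISK_SIG_OFF:DISK_SIG_OFF + 4].hex().upper(),
            "code_md5": code_md5, "sector_md5": hashlib.md5(mbr).hexdigest(),
            "partitions": parts, "strings": extract_strings(mbr[:CODE_LEN]),
            "findings": findings}


if __name__ == "__main__":
    report = triage_mbr(SAMPLE_MBR)
    for p in report["partitions"]:
        print("partition %(index)d: boot=%(bootable)s type=0x%(type)02X "
              "start=%(start)d sectors=%(count)d" % p)
    print("disk signature %s, findings %s" % (report["disk_signature"], report["findings"]))
```

To run it on your own dump, pass `open("MBR.dat", "rb").read()` to `triage_mbr`. On the bytes above the partition starts and sector counts agree with the analyzer report (63 and 61432497 for the bootable NTFS volume, 517373325 for the extended container ending at 3907024065), the disk signature is B78DB78D, and the only strings in the code region are the three standard messages "Invalid partition table", "Error loading operating system" and "Missing operating system". Tools differ on whether they hash the 440-byte code region or the whole sector, so both digests are returned; compare the one that matches the tool you are baselining against.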

Offline zapster

  • Newbie
  • Posts: 11
Re: Unknown MBR code
« Reply #10 on: March 29, 2012, 09:45:31 PM »
Thanks! That is a relief.

What causes a problem like aswMBR to report unknown MBR code? Just a flipped bit?

Offline essexboy

  • avast! Überevangelist
  • Maybe Bot
  • Posts: 28899
  • Gender: Male
Re: Unknown MBR code
« Reply #11 on: March 30, 2012, 05:46:16 PM »
It looks like an extra character at the end that is causing this

Offline zapster

  • Newbie
  • Posts: 11
Re: Unknown MBR code
« Reply #12 on: April 01, 2012, 09:41:03 PM »
I've fixed the MBR and deleted the TDSS filesystem.

This is the config file from the TDSS filesystem that was moved to quarantine. Is there anything there that hints as to which rootkit was installed?

Code:
[main]
version=0.03
aid=30002
sid=0
rnd=1078145449
knt=1291913751
[inject]
*=cmd.dll
* (x64)=cmd64.dll
[cmd]
srv=https://86b6b96b.com/;https://lkaturl11.com/;https://kangojjm1.com/;https://lkaturl71.com/;https://9669b6b96b.com/
wsrv=http://sk0lewcho.com/;http://jikdoout0.com/;http://swltch0o.com/;http://switch18.com/;http://rammjyuke.com/
psrv=http://crj71ki813ck.com/
version=0.15
bsh=aa4c66d70ed847a791cc5a3cacb7cccb6d5acd55
delay=7200
csrv=http://lkckclckli1i.com/

Offline essexboy

  • avast! Überevangelist
  • Maybe Bot
  • Posts: 28899
  • Gender: Male
Re: Unknown MBR code
« Reply #13 on: April 01, 2012, 09:48:40 PM »
Not as to the variant - but it does show the websites that it was to redirect you to
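
A defender's follow-up to that config, added here as an example (it is not code from the thread or from TDSSKiller): pull every hostname out of the URL-list values and then search DNS resolver logs for lookups of those hosts or their subdomains. The thread does not say what the individual keys (srv, wsrv, psrv, csrv) are for, so the code treats every value that contains URLs the same way and ignores the rest. The config text is the one posted above; the log lines, their field layout and the function names are constructed for this example.

```python
"""Turn a quarantined rootkit config into network indicators and hunt for them.

Added example; not code from the thread or from TDSSKiller. CONFIG_TEXT is the
config posted in the thread; LOG_LINES and their field layout are constructed.
"""
import configparser
from urllib.parse import urlsplit

CONFIG_TEXT = """\
[main]
version=0.03
aid=30002
sid=0
rnd=1078145449
knt=1291913751
[inject]
*=cmd.dll
* (x64)=cmd64.dll
[cmd]
srv=https://86b6b96b.com/;https://lkaturl11.com/;https://kangojjm1.com/;https://lkaturl71.com/;https://9669b6b96b.com/
wsrv=http://sk0lewcho.com/;http://jikdoout0.com/;http://swltch0o.com/;http://switch18.com/;http://rammjyuke.com/
psrv=http://crj71ki813ck.com/
version=0.15
bsh=aa4c66d70ed847a791cc5a3cacb7cccb6d5acd55
delay=7200
csrv=http://lkckclckli1i.com/
"""

# Constructed DNS resolver log lines (not from the thread): one lookup per line.
LOG_LINES = [
    "2012-03-26 10:40:01 client=192.168.1.20 qtype=A qname=www.example.com",
    "2012-03-26 10:40:03 client=192.168.1.20 qtype=A qname=switch18.com",
    "2012-03-26 10:40:09 client=192.168.1.20 qtype=A qname=cdn.rammjyuke.com",
    "2012-03-26 10:41:15 client=192.168.1.31 qtype=A qname=notswitch18.com",
]


def extract_hosts(config_text):
    """Collect hostnames from every ';'-separated URL list in the config.

    Only values containing URLs are used, so version numbers, counters and the
    hex blob in 'bsh' are left alone rather than guessed at.
    """
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(config_text)
    hosts = set()
    for section in cp.sections():
        for _key, value in cp.items(section):
            for item in value.split(";"):
                item = item.strip()
                if "://" not in item:
                    continue
                host = urlsplit(item).hostname
                if host:
                    hosts.add(host.lower())
    return hosts


def name_matches(qname, hosts):
    """True if qname is an indicator host or a subdomain of one.

    The suffix match is anchored on a dot, so 'notswitch18.com' does not
    match 'switch18.com'.
    """
    qname = qname.lower().rstrip(".")
    return any(qname == h or qname.endswith("." + h) for h in hosts)


def match_dns_log(lines, hosts):
    """Return (1-based line number, queried name) for every matching lookup."""
    hits = []
    for n, line in enumerate(lines, start=1):
        fields = dict(f.split("=", 1) for f in line.split()[2:] if "=" in f)
        qname = fields.get("qname")
        if qname and name_matches(qname, hosts):
            hits.append((n, qname))
    return hits


if __name__ == "__main__":
    iocs = extract_hosts(CONFIG_TEXT)
    print("%d indicator hosts: %s" % (len(iocs), ", ".join(sorted(iocs))))
    for n, qname in match_dns_log(LOG_LINES, iocs):
        print("line %d: lookup of %s" % (n, qname))
```

The host set is what you would feed to a DNS sinkhole or proxy blocklist; the log matcher is the same suffix rule applied to historical lookups, which answers the question of whether any machine on the network was talking to these domains, regardless of what the rootkit used them for.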

Offline zapster

  • Newbie
  • Posts: 11
Re: Unknown MBR code
« Reply #14 on: April 01, 2012, 09:57:33 PM »
Could those be domains that the rootkit was transmitting private data to or are they just used for browser redirection?

Pretty clever code, whichever it was.

 
