From: "Art" <[email protected]>
|
| I've been doing some more work with that Rootkit related thing I
| mentioned in a different thread here recently. You might remember
| that Backdoor in a MBR issue. I've now got a second IDE hard drive
| with the Trojanized MBR which I can check in DOS now as well. It turns
| out that KAVDOS32 does alert in plain DOS but not in Windows (I'm
| using Win 2K). I once saw an error message produced by Windows that
| complained that "something" was trying to access the drive directly.
| This happened when I tried to force KAVDOS32 to check the MBR via
| the command line switch /P- ... it doesn't seem to try otherwise ...
| or it doesn't complain that it can't do it ... not sure exactly which.
| So I inadvertently have stumbled on a problem with KAVDOS32, it seems,
| when used in Windows on the NT based OS. It doesn't look so far like
| it checks boot sectors.
|
| Also, in this case of the Trojanized boot sector, none of the av used
| in Multi-AV alert. So far, just a GUI (Windows) version of KAV does. I
| have a hunch that some other Windows versions of av might alert since
| they alert on the image file ... AVG, Bit Defender, NOD32, Norman,
| NAV, UNA and VBA32 ... all alert, at least heuristically on the image
| file. Oddly, eScan which uses the Kaspersky engine does not alert on
| the Trojanized MBR sector. I'm tempted to try Windows versions of
| NOD32 and Bit Defender to see if at least one or two more av might
| detect the Trojanized MBR ... and not just KAV. But I'm not about
| to install a Windows version of NAV or McAfee. Ugh!
|
| Art
|
http://home.epix.net/~artnpeg
Thanx for that info Art. Based upon it, I have added the /P- switch parameter to the
KAVClean.bat file used when scanning after booting with a DOS Boot Disk or a DOS Boot Disk
using NTFS4DOS.