
2008.11.18

Srizbi rootkit removal instructions

FireEye researchers have tested the following steps and recommend them to victims of Srizbi for removing the infection. Some basic expertise with Windows system administration is required to perform these steps. This material is provided "as is", with absolutely no warranty expressed or implied.

Note: These instructions have only been tested for Windows XP and Windows 2000. These instructions may not work for other Windows versions.

Step 1: Backup the system (recommended)

Windows XP

For Windows XP users, we strongly recommend creating a System Restore point before starting this disinfection process. System Restore can help users revert all changes to the system in case something goes wrong (such as a random power loss). For more information on System Restore, please refer to http://support.microsoft.com/kb/306084.

If System Restore is not yet enabled on your system, please follow the instructions at http://support.microsoft.com/kb/310405.

Windows 2k (Professional and AS)

Unfortunately, the System Restore feature is not available in Windows 2000, so users must back up all of their important files using other tools before continuing the disinfection process.

Step 2: Identify and Remove the Rootkit Driver

Step 2-1: Start the system in Safe Mode

When the system starts in Windows' "Normal" mode, Srizbi uses a kernel level rootkit to hide its files and registry entries. For this reason, we need to start the infected machine in Safe Mode to see the changes made by Srizbi. Information on how to start Windows in Safe Mode can be found here http://support.microsoft.com/kb/315222.

Some recent variants have been seen which can also hide their files in Safe Mode, but most do not.

Step 2-2: Verify Srizbi Infection

Once the infected system is rebooted in Safe Mode, we can try to find some files created by Srizbi. One particular file to look for is a batch (.bat) file, having content like the following:

    :abc
    del "C:\D7641A4046742F3294AD4600B15C5E20.exe"
    if exist "C:\D7641A4046742F3294AD4600B15C5E20.exe" goto abc
    rmdir "C:\"
    del "C:\DOCUME~1\worm\LOCALS~1\Temp\_it.bat"

Across the hundred-plus samples analyzed in FireEye labs, the file that Srizbi executed was always located in the root directory, C:\. A unique feature of this batch file is the string ":abc" at the beginning of the file. Search for such a batch file on the system disk.

You'll want to use the search function on Windows to accomplish this.


a) Make sure the "Show hidden files and folders" option is enabled. If not, follow these steps to turn it on:

    My Computer --> Tools --> Folder Options --> View

    Check the "Show hidden files and folders" option.

    Uncheck the "Hide protected operating system files" and "Hide extensions for known file types" boxes.

    Press OK.


b) In the "File Name" box, enter *.bat

c) In the "A word or phrase in the file" box (just below the name box), enter :abc

d) You will also need to tell Windows to search hidden files and folders. Go to "More Advanced Options" in the lower part of the Search bar, click it, and check the "Search hidden files and folders" option.

e) Press the "Search" button and wait to see whether the system finds any such files. Normally the file name is only 3 or 4 characters long, for example:

    _it.bat
    svs.bat

If the search finds any such files on the Windows system drive, the system is almost certainly infected by Srizbi, and the removal instructions below will help.

NOTE: If the search fails to find such files, the system may be infected by another Srizbi variant which can hide its files even in Safe Mode. In this case, the user should boot from other bootable media (such as Knoppix) that can read the hard drive directly, since the infected OS is then not running and cannot hide the Srizbi files. A later article will describe this in more detail.



Step 2-3: Removing the Infection

After the infection is verified, the user can follow one of the following two approaches to disinfect the system.

Approach 1. System Restore (Only available for Windows XP)

Right click on the .bat file and try to find out its creation date. If you have a System Restore point prior to this creation date, you can choose to restore the system from that. For more information on System Restore one might refer to http://support.microsoft.com/kb/306084.


Approach 2. Manual Disinfection (Applies to both Windows XP and 2000)

The idea here is to locate a driver (.sys) and an executable (.exe) which were created just before or after this .bat file (within a minute). In Windows we can search based on the creation dates.

a) Type *.sys, *.exe as the file name for which to search.

b) Go to the "When was it modified" option in the search bar. Check "Specify dates" and select "Created Date". Now type the same date on which the .bat file was created in both the "from" and "to" fields.

c) Press "Search". If one or more .sys or .exe files are found, check the creation date of each file. Files which were created just before the .bat are likely to be Srizbi kernel-level drivers and their backup binaries. For further confirmation, the user can submit these .sys and .exe files to their AV vendor, or better yet to many AV vendors at once at http://www.virustotal.com. Of course, you will need to be online to do this, so you may want to copy the files off using a USB stick or something similar.


Some of the random names for these files are like this:

    vtprwlro.sys
    jstxhtwt.sys
    akjrjbj.exe
    AKJBJRJR.exe

Most of the files seen by us have a size less than 200 KB.

d) Delete these .sys and .exe files, then restart Windows in Normal mode.

e) After you restart, search for the .bat again with the same criteria as in Step 2-2. If the search finds the file, the rootkit has been uninstalled successfully. This .bat is harmless now; you can simply remove it. If it does not appear in Normal mode but it did in Safe Mode, you may want to format and reinstall Windows to be sure you are no longer infected.
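As an added example that is not part of the original FireEye post, the following Python script implements the two checks above in one place: the ":abc" batch-file test from Step 2-2 and the "created within a minute of the .bat" correlation for .sys/.exe files from Approach 2. The FileRecord type, the function names and the sample records are constructed for this example; st_ctime is the creation time only on Windows, so scan_tree gives meaningful results on a mounted infected drive but not on a Linux file system.

```python
import os
from dataclasses import dataclass

SRIZBI_BAT_MARKER = ":abc"     # first line of the Srizbi batch file shown above
CREATION_WINDOW_SECONDS = 60   # the page: driver and .exe appear within a minute of the .bat

@dataclass(frozen=True)
class FileRecord:
    path: str        # full path of the file
    created: float   # creation time as a Unix timestamp
    first_line: str  # first line of the file ("" for binaries)

def is_srizbi_bat(rec: FileRecord) -> bool:
    """A .bat whose first line is the ':abc' label matches the Srizbi cleanup script."""
    return rec.path.lower().endswith(".bat") and rec.first_line.strip() == SRIZBI_BAT_MARKER

def find_srizbi_indicators(records: list) -> list:
    """Pair each matching .bat with the .sys/.exe files created within a minute of it."""
    hits = []
    for bat in filter(is_srizbi_bat, records):
        related = sorted(
            (r for r in records
             if r.path.lower().endswith((".sys", ".exe"))
             and abs(r.created - bat.created) <= CREATION_WINDOW_SECONDS),
            key=lambda r: r.created)
        hits.append((bat, related))
    return hits

def scan_tree(root: str):
    """Build records from a real drive; st_ctime is creation time on Windows only."""
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                st = os.stat(path)
                first = ""
                if name.lower().endswith(".bat"):
                    with open(path, errors="replace") as fh:
                        first = fh.readline()
                yield FileRecord(path, st.st_ctime, first)
            except OSError:
                continue  # unreadable entry: skip it rather than abort the whole scan

SAMPLE_RECORDS = [  # constructed sample records modelled on the names and timing the page describes
    FileRecord(r"C:\vtprwlro.sys", 1226966400.0, ""),
    FileRecord(r"C:\akjrjbj.exe", 1226966420.0, ""),
    FileRecord(r"C:\DOCUME~1\worm\LOCALS~1\Temp\_it.bat", 1226966430.0, ":abc"),
    FileRecord(r"C:\WINDOWS\system32\ntoskrnl.exe", 1100000000.0, ""),  # old, unrelated
    FileRecord(r"C:\backup.bat", 1226966431.0, "@echo off"),            # ordinary .bat
]
```

Running find_srizbi_indicators(list(scan_tree("X:\\"))) against a drive mounted from a clean boot reproduces the manual search without relying on the infected OS to show its own files.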

Atif Mushtaq, Haroon W Malik @ FireEye Malware Intelligence Labs

Comments/Questions to research@fireeye.com

