I got a call recently from a friend on the other side of the country. His friend runs a computer shop in a rural area. He has been dealing with this malicious code for at least 2 weeks and at one point it shut down his entire network, except his Ubuntu machine from what I understand.
He has been researching what this thing does, and I have tried looking up these symptoms on the internet but am unable to find anything that resembles its behavior, the only thing I see it sort of resembles is the Conficker virus, but it can do much more than Conficker.
I'm no pro in this field, as I tend to be more of a nice programmer than a malicious one, and don't really keep up with this sort of stuff ><
But at this point I'm not sure what to call it. It does seem to have trojan like behaviors because the server side seems to download random programs off the net and send them back to whoever is controlling the client, but it also resides in the MBR and does not seem to need a host, except for maybe the windows operating system itself.
It will create several user accounts and assign them all to admin. It will also place the current user onto a virtual drive it creates, so anything the computer does - it thinks it is on the real C: drive, when, in fact, it's on a virtual drive. This virus will move the original MBR to track 3 and install its own boot record at track 0. It was also mentioned that it installs a "wrapper" OS for the virus to maneuver around in. This all happens within the first 5 minutes of a cold boot.
It restricts certain files, and when trying to access files this "thing" will sometimes unleash many more viruses in attempt to stop the user from going any further. It seems to be a gateway for the person controlling this thing to download programs and send them back to the person controlling the client side of this.
Virus scans have been run by several higher end programs like Norton and even open source ones like Kaspersky. Nothing seems to find this virus.
It will also, if you are wireless, make your laptop look like a hotspot to other wireless devices in the area, and when other devices connect to the infected laptop the virus is transmitted to these devices. This apparently had also happened.
When attempting to rid the virus out of the MBR, the code apparently screws up the MBR making rendering the booting ability of the harddrive useless when trying to remove that particular section of code. This person who I've been talking to also has some sort of disc for reformatting from the Department of Defense, and it is a newer disc, but it cannot rid the HD of this virus. I'm thinking probably because it doesn't touch the MBR, but I don't know for sure because I've never had my hands on something like that before.
The person I've been talking to who has this virus has also said that he sees this signature at random places in the code he's been looking at. I am not sure if it is a signature, but if it is there are no credible search results for this signature, which is "$chicago$" - including the double quotes.
This virus also prevents a user from shutting down specific ports, as I've suggested to turn off any open ports not in use to try and tighten down security at least somewhat on the infected machines.
Once this thing is done with what it needed to do, it removes itself and upon reboot - it is instantiated once again thanks to the MBR.
I have recommended that he try to boot into a virtual environment and overwrite the MBR on the HD if possible. He has mentioned he tried to do something similar to this approach and was unsuccessful for one reason or another.
Does anyone know of anything out there that has this behavior right now?
The guy I've talked to said that the closest resemblance he could find with this virus is another one called "Terror". I've found no documentation on this virus, but I have found it exists - at least in theory. Wiki comes up with a dead page and some other thing I found on the net acknowledges its existence and then (of course) provides a link to download Norton.
If anyone has any ideas or knowledge of something like this - please let me know
I noticed in the readme thread of this section of the site that there are some things to download and try - I will have him do this and report back what the thread asks of.
I'm just curious tho if anyone knew about this, if it's something that has been out for awhile or if it's something new - because if it's new, from everything that was described to me, this is one mean piece of code as any attempt to remove it has failed and it's EXTREMELY contagious to any windows based OS.
thanks for the help :D