Windows 7 Forums


Windows 7: A Second MSRT Release in April

26 Apr 2011   #1

Microsoft Community Contributor Award Recipient

Windows 7 Home Premium x64 SP1
A Second MSRT Release in April

In continuation of our support for the takedown activities on the Win32/Afcore botnet, we are releasing a second edition of MSRT in April. This edition includes variants of Afcore released by the criminals behind it at approximately the same time as the previous edition of MSRT.

A Guy


27 Apr 2011   #2

Vista Ult SP2/Win 7 Ult SP1/Win 8.1 Pro w/MC (all x64)

I was just going to post this as a new thread - it's an extension of the above...

Microsoft patches TDL4 rootkit on 64-bit (& 32-bit) systems

Note from me: There is an extra version of April's Malicious Software Removal Tool (mrt.exe), along with miscellaneous security updates (some optional), available on Windows/Microsoft Update; they apply to all systems (XP, Vista and Windows 7, both 32- and 64-bit).

Modifications made as part of a Windows update released by Microsoft this week effectively kill the notorious TDL4 rootkit on 64-bit Windows Vista and 7.

Since 64-bit Windows only accepts digitally-signed drivers, there are very few rootkits that manage to infect such systems.

One of them is TDL4, the latest version from the TDSS family of rootkits. It installs itself in the master boot record, making it possible to modify the operating system since the first moment it starts.

On 64-bit systems, it leverages a BCD (Boot Configuration Data) option called BcdOSLoaderBoolean_WinPEMode to disable the code integrity checks in the OS.

On Tuesday, Microsoft released KB2506014, an update which according to the corresponding advisory "addresses a method by which unsigned drivers could be loaded by winload.exe."

Security researchers from ESET note that this update removes the BcdOSLoaderBoolean_WinPEMode option abused by the TDL4 rootkit. In addition, the update intentionally modifies the size of a file called kdcom.dll by adding a KdReserved0 exported symbol.

Under normal circumstances TDL4 checks the size of this file's export directory and replaces it with its own malicious version. According to the ESET researchers the change made to kdcom.dll serves no other purpose than to prevent the rootkit from replacing it.

They also point out that users of 32-bit Windows won't benefit from this update unless they install it manually, because TDL4 disables the Windows Update service on such systems.

"Although the patch helps with this particular case it doesn’t solve the problem in general. There are other ways of penetrating into kernel-mode address space on x64 operating systems, for instance, as in the case of the Chinese bootkit which is detected as NSIS/TrojanClicker.Agent.BJ," they write.
Softpedia Article
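The checks a practitioner would want after reading the article above, as an added example that is not part of the forum post or the Softpedia article: a PowerShell script for the 64-bit Vista/Windows 7 systems the article discusses that reports whether KB2506014 is installed, whether any BCD entry has the winpe flag (bcdedit's name for BcdOSLoaderBoolean_WinPEMode) set, whether kdcom.dll exports KdReserved0, and whether the Windows Update service is running. The KB number, option name, file name and export name come from the article; the function names and the hand-rolled export-table walk are my own.

```powershell
# Added example, not from the forum post or the Softpedia article.
# Checks the things the article says TDL4 abuses and KB2506014 changes.
# Function names are my own; run from an elevated PowerShell prompt
# (bcdedit /enum needs administrator rights).

function Test-Kb2506014Installed {
    # Get-HotFix lists installed updates by KB id; absent means not installed.
    $hf = Get-HotFix -Id 'KB2506014' -ErrorAction SilentlyContinue
    return ($hf -ne $null)
}

function Get-BcdWinPeEntries {
    # "winpe" is bcdedit's name for BcdOSLoaderBoolean_WinPEMode. A loader entry
    # with winpe=Yes on a normal install is the sign the article describes.
    $current = $null
    $hits = @()
    foreach ($line in (bcdedit /enum all)) {
        if ($line -match '^identifier\s+(\S+)') { $current = $Matches[1] }
        elseif ($line -match '^winpe\s+Yes') { $hits += $current }
    }
    return $hits
}

function Test-WindowsUpdateServiceRunning {
    # The article notes TDL4 disables the Windows Update service on 32-bit hosts.
    $svc = Get-Service -Name wuauserv -ErrorAction SilentlyContinue
    return ($svc -ne $null -and $svc.Status -eq 'Running')
}

function Get-PeExportNames {
    # Walks the PE export directory by hand (no dumpbin needed) and returns the
    # exported names, so the KdReserved0 export the article mentions can be checked.
    param([string]$Path)
    $b = [System.IO.File]::ReadAllBytes($Path)
    $peOff = [BitConverter]::ToUInt32($b, 0x3C)            # e_lfanew
    if ([BitConverter]::ToUInt32($b, $peOff) -ne 0x4550) { throw "Not a PE file: $Path" }
    $numSections = [BitConverter]::ToUInt16($b, $peOff + 6)
    $optSize     = [BitConverter]::ToUInt16($b, $peOff + 20)
    $optOff      = $peOff + 24
    $magic       = [BitConverter]::ToUInt16($b, $optOff)
    # Export data directory: optional header + 0x60 (PE32) or + 0x70 (PE32+).
    if ($magic -eq 0x20B) { $dirOff = $optOff + 0x70 } else { $dirOff = $optOff + 0x60 }
    $expRva = [BitConverter]::ToUInt32($b, $dirOff)
    if ($expRva -eq 0) { return @() }

    # Section table is needed to turn RVAs into file offsets.
    $sections = @()
    $secOff = $optOff + $optSize
    for ($i = 0; $i -lt $numSections; $i++) {
        $s = $secOff + 40 * $i
        $sections += New-Object PSObject -Property @{
            VirtualSize    = [BitConverter]::ToUInt32($b, $s + 8)
            VirtualAddress = [BitConverter]::ToUInt32($b, $s + 12)
            RawPointer     = [BitConverter]::ToUInt32($b, $s + 20)
        }
    }
    $toOffset = {
        param($rva)
        foreach ($sec in $sections) {
            if ($rva -ge $sec.VirtualAddress -and $rva -lt ($sec.VirtualAddress + $sec.VirtualSize)) {
                return $rva - $sec.VirtualAddress + $sec.RawPointer
            }
        }
        throw ("RVA 0x{0:X} is not inside any section" -f $rva)
    }

    $exp      = & $toOffset $expRva
    $numNames = [BitConverter]::ToUInt32($b, $exp + 0x18)                  # NumberOfNames
    $namesOff = & $toOffset ([BitConverter]::ToUInt32($b, $exp + 0x20))   # AddressOfNames
    $names = @()
    for ($i = 0; $i -lt $numNames; $i++) {
        $strOff = & $toOffset ([BitConverter]::ToUInt32($b, $namesOff + 4 * $i))
        $end = $strOff
        while ($b[$end] -ne 0) { $end++ }
        $names += [System.Text.Encoding]::ASCII.GetString($b, $strOff, $end - $strOff)
    }
    return $names
}

# --- report ---
$kdcom   = Join-Path $env:SystemRoot 'System32\kdcom.dll'
$exports = Get-PeExportNames -Path $kdcom
"KB2506014 installed            : " + (Test-Kb2506014Installed)
"BCD entries with winpe=Yes     : " + ((Get-BcdWinPeEntries) -join ', ')
"kdcom.dll exports KdReserved0  : " + ($exports -contains 'KdReserved0')
"kdcom.dll size (bytes)         : " + (Get-Item $kdcom).Length
"Windows Update service running : " + (Test-WindowsUpdateServiceRunning)
```

Two caveats when reading the output. First, a bootkit that sits in the MBR controls what the running OS sees, so a clean result on a machine you already suspect is not conclusive; run the same checks from a known-good boot medium (or inspect the disk offline) before trusting them. Second, the script only confirms that the conditions the article describes are in place; as the ESET quote in the post says, the patch closes this particular unsigned-driver path and not every route into x64 kernel mode.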
27 Apr 2011   #3

Windows 7 Ultimate x64

Thanks for the info... I will just put it to work here in my school (I'm a teacher)

27 Apr 2011   #4

Vista Ult SP2/Win 7 Ult SP1/Win 8.1 Pro w/MC (all x64)

You're welcome.


Windows 7 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 7" and related materials are trademarks of Microsoft Corp.

© Designer Media Ltd
