Protecting over 200 million PCs, Macs, & Mobiles – more than any other antivirus

January 18th, 2011

I swear, I didn’t write this rootkit

As of January 19, we have lived 25 years with  malware. The first ever virus for the personal computer was written by two Pakistan brothers, Basit and Amjad Farooq Alvi. ©Brain was the name of this virus, it infected the MS-DOS FAT boot sector and it was harmless. This MBR rootkit just promoted their company with following text:

Welcome to the Dungeon © 1986 Basit * Amjad (pvt) Ltd. BRAIN COMPUTER SERVICES 730 NIZAM BLOCK ALLAMA IQBAL TOWN LAHORE-PAKISTAN PHONE: 430791,443248,280530. Beware of this VIRUS.... Contact us for vaccination...

Their ©Brain rootkit included two things missing in current malware. First of all, it was harmless and secondly, they also provided their names and contact information.

I have made a lot of malware detections while working in the Virus Lab. Most people are happy when their avast! antivirus catches a new threat. But not everyone thinks so. There are a few people that, when they get a “virus detected” warning, even disagree and send us a “false positive alert”. These often come with comments such as “Actually, you don’t know what you’re doing” or “this is just patch for some program”.

A few days ago, my colleague that handles false positive alerts noticed a funny thing for me in the file for “banker ring 0” malware, a very popular rootkit in Brazil. Let’s see our FP report:

::23C9529678F7D18D0D9111C176B5C54CBDD53A3A99D6B846D9D002F7C6062674:
Detected by 10122900-
Dates 101230-
_points=19
_samples=19
blocks_o=100
filetype=win 32bit exe-dll
flen=7168
fnames.000=19x trs.sys
fp_emails=1
oripath=[Chest] C:\Windows\SysWOW64\drivers\trs.sys
pe_code_rank=3
pe_native=1
peid_packer=Custom packer
rpt_av5=Win32:Banker-HCQ [Rtk]

Nothing special for you, but it is for me. I’m Michal Trs … I swear, I didn’t write this rootkit :-).

Categories: lab, Virus Lab Tags: ,
  1. January 18th, 2011 at 14:01 | #1

    Haha, You Rascal! you! ;-) (JK)

  2. January 18th, 2011 at 14:03 | #2

    @Omid Farhang
    Shame on me :-)

  3. ha14
    January 18th, 2011 at 18:29 | #3

    Playing with RooTKit TO Say HELLO

  4. January 21st, 2011 at 05:07 | #4

    Well sometimes they are deliberately the developer name for business strategy or some meaning behind the scene….

Comments are closed.