Threat Research

I swear, I didn’t write this rootkit

Threat Intelligence Team, 18 January 2011

I swear, I didn’t write this rootkit

As of January 19, we have lived 25 years with malware. The first ever virus for the personal computer was written by two Pakistan brothers, Basit and Amjad Farooq Alvi. ©Brain was the name of this virus, it infected the MS-DOS FAT boot sector and it was harmless. This MBR rootkit just promoted their company with following text:

Welcome to the Dungeon © 1986 Basit * Amjad (pvt) Ltd. BRAIN COMPUTER SERVICES 730 NIZAM BLOCK ALLAMA IQBAL TOWN LAHORE-PAKISTAN PHONE: 430791,443248,280530. Beware of this VIRUS.... Contact us for vaccination...

Their ©Brain rootkit included two things missing in current malware. First of all, it was harmless and secondly, they also provided their names and contact information.

I have made a lot of malware detections while working in the Virus Lab. Most people are happy when their avast! antivirus catches a new threat. But not everyone thinks so. There are a few people that, when they get a “virus detected” warning, even disagree and send us a “false positive alert”. These often come with comments such as “Actually, you don’t know what you’re doing” or “this is just patch for some program”.

A few days ago, my colleague that handles false positive alerts noticed a funny thing for me in the file for “banker ring 0” malware, a very popular rootkit in Brazil. Let’s see our FP report:

Detected by 10122900-
Dates 101230-
filetype=win 32bit exe-dll
fnames.000=19x trs.sys
oripath=[Chest] C:\Windows\SysWOW64\drivers\trs.sys
peid_packer=Custom packer
rpt_av5=Win32:Banker-HCQ [Rtk]

Nothing special for you, but it is for me. I’m Michal Trs … I swear, I didn’t write this rootkit :-).