Didier Stevens

Thursday 22 June 2006

Save Safeboot?

Filed under: Malware — Didier Stevens @ 20:03

There was a new run of the e-mail virus Bagle this week. W32/Bagle.fb@MM, to be more precise.

While reversing it with OllyDbg (in a VMware virtual machine), I discovered that this virus employs a new trick: it deletes the registry key HKLM\System\CurrentControlSet\Control\SafeBoot.

Deleting this key prevents you from booting Windows in Safe Mode. You enter Safe Mode by pressing F8 while the Windows splash screen is displayed during (re)boot. In Safe Mode the computer has reduced functionality, but it is easier to isolate problems because many non-core components are disabled: Windows only loads the drivers and services listed under the SafeBoot key (the Minimal and Network subkeys, for the two Safe Mode variants). Many malware programs won't start in Safe Mode, which gives you a chance to remove them.

Despite the deletion of the SafeBoot key, the Windows Advanced Options Menu will still appear, and you'll be able to select Safe Mode. But you'll soon be presented with a BSOD displaying the STOP 0x0000007B error. According to this Microsoft KB article, a possible reason is: "Information in the Windows XP registry (information related to how the device drivers load during startup) is corrupted".

That's correct: it is so corrupted that it has been wiped clean by this new Bagle variant!
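A check and a backup a practitioner would want after reading this, as an added example that is not part of the original post or of any tool by the author: it verifies from an elevated PowerShell prompt that the SafeBoot key and its Minimal and Network subkeys are still present and populated, and exports the key to a .reg file so it can be re-imported on a machine where Bagle (or anything else) has wiped it. The backup path is an assumption; everything else is the standard registry layout and the built-in reg.exe tool.

```powershell
# Added example, not code from the original post or from the author.
# Checks the SafeBoot key that Bagle.fb deletes and saves a copy of it.
# Run from an elevated PowerShell prompt on a machine that is still clean.

$SafeBootKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot'
$BackupPath  = "$env:SystemDrive\SafeBoot-backup.reg"   # assumption: any writable path works

function Test-SafeBootKey {
    # Returns $true only if the key and both Safe Mode profiles exist and are non-empty.
    if (-not (Test-Path $SafeBootKey)) {
        Write-Warning 'SafeBoot key is missing: Safe Mode will fail with STOP 0x0000007B'
        return $false
    }
    $ok = $true
    foreach ($profile in 'Minimal', 'Network') {
        $path = Join-Path $SafeBootKey $profile
        if (-not (Test-Path $path)) {
            Write-Warning "SafeBoot\$profile is missing"
            $ok = $false
            continue
        }
        # Each subkey under Minimal/Network names a driver group or service allowed in Safe Mode.
        $count = @(Get-ChildItem $path).Count
        Write-Host ("SafeBoot\{0}: {1} driver/service entries" -f $profile, $count)
        if ($count -eq 0) {
            Write-Warning "SafeBoot\$profile exists but is empty"
            $ok = $false
        }
    }
    return $ok
}

function Backup-SafeBootKey {
    # reg.exe export writes a .reg file that 'reg import <file>' can load again later
    # to restore Safe Mode on a machine where the key has been deleted.
    & reg.exe export 'HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot' $BackupPath /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg export failed with exit code $LASTEXITCODE" }
    Write-Host "SafeBoot key saved to $BackupPath"
}

if (Test-SafeBootKey) {
    Backup-SafeBootKey
} else {
    Write-Warning 'Restore SafeBoot from a known-good export of the same Windows version (reg import <file>) before relying on Safe Mode'
}
```

The exported .reg file is only useful for the same Windows version and service pack it was taken from, because the set of driver groups and services under Minimal and Network differs between releases; keep the backup off the machine, since malware that deletes the key can delete a file next to it just as easily.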

  [Image: BSoB]

7 Comments »

  1. [...]   « Save Safeboot? [...]

    Pingback by Didier Stevens » Blog Archive » Restoring Safeboot — Monday 26 June 2006 @ 20:02

  2. [...] Take the W32/Bagle.fb virus. It deletes the SafeBoot key, only a couple of assembly lines are needed to wipe your Safe Mode configuration: [...]

    Pingback by Didier Stevens » Cleaning up after an infection, and then? — Saturday 12 August 2006 @ 15:22

  3. I have a weird problem. I have the Look2Me virus (guard.tmp) and my computer refuses to go into Safe Mode, so I assume that my SafeBoot has been deleted. I tried System Restore but it will only allow me to restore to points I've made today and will not allow me to go back any further. Do you have any suggestions?
    Thanks!

    Comment by Kindel — Saturday 4 November 2006 @ 21:25

  4. I recently got an anti-virus program on my computer, I forget the name of it, but after installing it, it freezes all the time on me. I only just found out that malware is a bad thing and I haven't a clue what to do, could you help me. Thanks,

    regards Andrew

    Comment by Andrew — Monday 13 November 2006 @ 9:48

  5. I have a Trojan-Spy.Win32@mx virus. This virus has constantly been changing my home page and keeps suggesting that I buy a Malware Wiped program, what should I do?

    Comment by Nam Tran — Wednesday 7 March 2007 @ 4:46

  6. The best thing you can do is post your problem on a high-volume
    malware removal forum, like http://forums.spywareinfo.com/

    Comment by Didier Stevens — Wednesday 7 March 2007 @ 17:52

  7. [...] includes pictures: How to fully de-gunk a PC of Crapware. June 22, 2006: According to Didier Stevens, some malware can disable Safe Mode. Ugh. February 9, 2007: Didier Stevens released a .REG file that can be used to restore Safe Mode. [...]

    Pingback by Spyware Remove Guide » Blog Archive » Removing Spyware — Monday 25 June 2007 @ 10:40
