nuclab rootkit



Janno
2006-09-20, 19:26
There is a virus that Trend finds as TSPY_GOLDUN.GEN. It cannot be cleaned or quarantined...just identified. It launches a service from the nuclab.sys file in Windows. The service runs stealth and is running in Safe mode.

In my instance, it came with a file named nuclabdll.dll also in the Windows directory. In SpyBot it shows as being in system.ini and it cannot be "not started" using the SpyBot software (it just adds itself back in). Even tea timer cannot stop it.

After killing it, there is still residue in the registry that I can't get rid of (lists as LegacyDriver and in service list).

Hopefully you can put this in your detection list and find a way to kill it off.

One more thing: When the system boots up, I see something that flashes across the screen that seems to have "Loading" and the letters PPR in it. However, it moves too quickly to determine if this is part of the BIOS or something else. This is a Dell Optiplex.

md usa spybot fan
2006-09-20, 20:15
There is a related thread here:
system.ini explained?
http://forums.spybot.info/showthread.php?t=7487

Janno
2006-09-20, 20:32
I was just pointing out here a malware that I discovered and eradicated. SpyBot SD 1.4 had not located it and I thought it might be of interest to the developers.

I now understand that this is not the proper forum if I do not have all the scan logs from my cleanup and I apologize for posting here.

md usa spybot fan
2006-09-20, 20:40
> I was just pointing out here a malware that I discovered and eradicated. SpyBot SD 1.4 had not located it and I thought it might be of interest to the developers.

That is the proper use of this forum.