14 DAY TRIAL // Security researchers from Vietnamese company Bkav have come across an interesting new virus that protects itself against antiviruses by freezing the hard disk.
Once it infects a device, the virus creates a sort of a restore point. All the modifications made on the system by the user – including editing documents, copying files, and downloading data from the Web – will be reset. All the newly copied files are erased.
The threat also changes the icon of the hard drive.
Various executable modules are dropped. Each of these modules serves a different purpose.
For instance, the Wininite module is designed to communicate with two command and control servers. One is located in China and one in the United States.
Another module, DiskFlt, is responsible for freezing the hard disk. To do this, the malware component creates a device that controls the reading and wiring of data on the disk.
“DiskFlt also creates a cache data area. When user has data reading/writing operations on disk, DiskFlt will create a copy of that data area and put it on the cache area. After this point, every reading/writing operation will be redirected to the cache area, which makes the user unable to change the data of the original disk,” Bkav experts noted.
PassThru is the network driver module that blocks or redirects certain websites, and Black.dll is the component that helps the virus propagate.
“Obviously, this virus can be considered a rootkit although it has quite a special self-protection mechanism. Instead of preventing counteractions to modules of the virus like normal rootkit, this new type prevents changes to the entire disk,” experts added.
In case your computer becomes infected with this virus, you can clean it with a special removal tool released by Bkav.