Sep 17 2013
Recently, Bkav's Honeypot system detected a new type of virus with a one-of-a-kind self-protection mechanism that makes removal difficult for antivirus software: it freezes the entire hard disk.
Once the computer is infected, every change made to it, such as composing documents, installing new software, copying data to disk or downloading data from the Internet, is lost from the hard disk after the computer restarts. In addition, the hard disk's icon is replaced by the one below:
Fig. 1: Hard disk’s icon will be changed upon infecting
After infecting the computer, this freezing virus creates further executable modules to carry out its functions and to protect itself.
Fig. 2: The virus’ modules
Among those modules, DiskFlt.sys is the one that restores the hard disk to the state it was in when the computer was infected. Thanks to this module, the virus is "reborn" after every restart even if it was removed beforehand: the removal is just one more change that gets discarded. DiskFlt creates a device attached to the disk device, which places it in the path of every read and write to the disk.
DiskFlt also creates a cache data area. When the user reads or writes a data area on the disk, DiskFlt copies that area into the cache; from then on, every read and write of that area is redirected to the cached copy. Writes therefore never reach the original disk, and because the cache is discarded at restart, neither the user nor a security product can make a lasting change to the disk's data.
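The redirection described above, written out as an added user-mode simulation in C (this is illustration code, not Bkav's analysis tooling and not the DiskFlt.sys driver itself). It assumes a toy disk of 8 sectors of 16 bytes, a RAM-only cache that a "reboot" empties, and byte-range I/O requests like a disk IRP carries; the payload bytes and sector numbers are constructed for the demo. The scenario function replays the article's point: an antivirus wipes the payload through the filter, reads back a clean sector, and finds the payload intact after the reboot.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SECTOR_SIZE 16                      /* tiny sectors keep the demo readable */
#define NUM_SECTORS 8
#define DISK_BYTES  (SECTOR_SIZE * NUM_SECTORS)

/* The real disk that the filter device sits in front of. */
static uint8_t disk[NUM_SECTORS][SECTOR_SIZE];

/* Copy-on-write cache: one slot per sector plus a "has a copy" flag.
 * Modelled as RAM, so a reboot throws it away (assumption for the demo). */
static uint8_t cache[NUM_SECTORS][SECTOR_SIZE];
static bool    cached[NUM_SECTORS];

/* Unfiltered I/O, i.e. what the lower disk driver does on its own. */
static void lower_read(size_t lba, uint8_t *out)       { memcpy(out, disk[lba], SECTOR_SIZE); }
static void lower_write(size_t lba, const uint8_t *in) { memcpy(disk[lba], in, SECTOR_SIZE); }

/* Filtered write: the real disk is never written.  The first write touching a
 * sector snapshots that sector into the cache; the data then lands in the
 * cached copy.  Returns 0, or -1 if the request is out of range. */
int filter_write(size_t offset, const uint8_t *buf, size_t len)
{
    if (offset > DISK_BYTES || len > DISK_BYTES - offset) return -1;
    while (len > 0) {
        size_t lba = offset / SECTOR_SIZE, in = offset % SECTOR_SIZE;
        size_t n = SECTOR_SIZE - in;
        if (n > len) n = len;
        if (!cached[lba]) {                /* copy-on-write: snapshot before modifying */
            lower_read(lba, cache[lba]);
            cached[lba] = true;
        }
        memcpy(cache[lba] + in, buf, n);
        buf += n; offset += n; len -= n;
    }
    return 0;
}

/* Filtered read: sectors with a cached copy are served from the cache, so the
 * caller sees its own earlier writes; everything else passes through. */
int filter_read(size_t offset, uint8_t *buf, size_t len)
{
    if (offset > DISK_BYTES || len > DISK_BYTES - offset) return -1;
    while (len > 0) {
        size_t lba = offset / SECTOR_SIZE, in = offset % SECTOR_SIZE;
        size_t n = SECTOR_SIZE - in;
        if (n > len) n = len;
        memcpy(buf, (cached[lba] ? cache[lba] : disk[lba]) + in, n);
        buf += n; offset += n; len -= n;
    }
    return 0;
}

/* A reboot drops the cache; the filter comes back up with nothing cached. */
void simulated_reboot(void) { memset(cached, 0, sizeof cached); }

/* Scenario from the article: the payload is on disk before the filter is
 * active, an AV "removes" it through the filtered path, the machine reboots.
 * Returns true if the AV saw a clean sector and the payload is back afterwards. */
bool payload_survives_removal(void)
{
    static const uint8_t payload[SECTOR_SIZE] = "PAYLOAD-SECTOR!";  /* constructed */
    uint8_t zeros[SECTOR_SIZE] = {0}, readback[SECTOR_SIZE];
    const size_t lba = 3, off = lba * SECTOR_SIZE;

    memset(disk, 0, sizeof disk);
    simulated_reboot();
    lower_write(lba, payload);              /* infection: written before DiskFlt is loaded */

    filter_write(off, zeros, SECTOR_SIZE);  /* AV wipes the sector through the filter */
    filter_read(off, readback, SECTOR_SIZE);
    bool looks_clean = memcmp(readback, zeros, SECTOR_SIZE) == 0;

    simulated_reboot();                     /* cache gone, real disk untouched */
    filter_read(off, readback, SECTOR_SIZE);
    return looks_clean && memcmp(readback, payload, SECTOR_SIZE) == 0;
}

/* Copy-on-write at sub-sector granularity: a 2-byte write must not clobber the
 * rest of the sector it lands in, and the real disk must stay unchanged. */
bool partial_write_is_isolated(void)
{
    uint8_t rb[SECTOR_SIZE];
    const size_t lba = 5, off = lba * SECTOR_SIZE;
    memset(disk, 'a', sizeof disk);
    simulated_reboot();
    if (filter_write(off + 4, (const uint8_t *)"XX", 2) != 0) return false;
    filter_read(off, rb, SECTOR_SIZE);
    return rb[3] == 'a' && rb[4] == 'X' && rb[5] == 'X' && rb[6] == 'a'
        && disk[lba][4] == 'a';
}

int main(void)
{
    printf("payload back after reboot: %s\n", payload_survives_removal() ? "yes" : "no");
    printf("partial write isolated:    %s\n", partial_write_is_isolated() ? "yes" : "no");
    return 0;
}
```

The two things the simulation makes visible are that a filtered wipe looks successful to whoever issued it, because reads are also served from the cache, and that nothing issued through the filter ever changes `disk[]`. Any clean-up that wants to persist has to reach the disk with the filter out of the I/O path.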
Clearly this virus can be considered a rootkit, although its self-protection mechanism is unusual: instead of blocking actions against its own modules, as a normal rootkit does, it blocks changes to the entire disk. A consequence is that any removal performed through the frozen disk is itself discarded at the next restart, so clean-up has to reach the disk with the filter out of the I/O path.
If you suspect infection with this virus, you can use BkavRootFreezeRemover to remove it.
Tran Trung Nghia