This is a discussion on "Does Rollback Rx prevent Safesys virus?" within the RollBack Rx forums, part of the Disaster Recovery Programs category.
doquan0:

English isn't my mother tongue. Please forgive my poor English.

Please read some brief information about the Safesys virus: "The worm is called W32.SafeSys.Worm and attacks a particular program called Deep Freeze. Deep Freeze is a computer protection utility that prevents malicious code from writing to the hard drive itself. Any malicious code is written to a memory buffer which then gets erased upon reboot. The original hard drive data is untouched and can simply be reloaded during bootup. The W32.SafeSys.Worm bypasses the Deep Freeze method and writes data to the buffer, which then enables direct writing to the hard drive sectors, thus allowing full access to the PC's hard drive."

Although I have searched this forum and found that Rollback Rx could protect the MBR, I still have two questions:

1. Can the Safesys virus damage Rollback Rx's MBR?
2. Does Rollback Rx recover my clean system successfully after a Safesys infection?
Graham:

Looking at this thread here, it seems as though this worm may well be a hoax in order to promote software. I'd be happy to try it out on a test PC, but I suspect the hardest bit might be actually finding it to test.

Graham
doquan0:

Hi Nick10 and everyone,

I have uploaded this virus sample to the Internet. Please choose one of the following links to download the virus sample and test it:

- Hotfile.com: One click file hosting
- RapidShare: Easy Filehosting

MD5: D545356E2015A610354E42D7A8C8E62D
Password: Safesys

I also sent this virus sample to Customer Support. If you want to test this virus, please test it in a virtual machine such as VMware. I suggest the following steps to test this virus:

1. Update your antivirus.
2. Take a snapshot of the clean system for all drives.
3. Extract all files in safesys.rar and run all *.exe.
4. Scan your computer with your antivirus. If any notification appears like "Detect Virus W32.Safesys.worm ...", please roll back to the clean snapshot.
5. Scan your computer again to make sure the virus has gone.
6. If Rollback Rx can't recover your system, it's time to ... repair the MBR of the drives and use an antivirus on a bootable CD to disinfect this virus.

I hope that number 6 would not happen.

doquan0
Graham:

That's good service, didn't even have to look for it. I've tried this out on RollBack v7.2.1 and v9.0 (build 2694141964). The system crashes with a blue screen error when you run the executable, but RollBack survives OK and there is no sign of the virus when the machine reboots, so it may well just be targeted at Deep Freeze and can't install with RB. NOD32 picked it up but thought it was Win32/Adware.Cinmus.

Graham
frozen.bit:

It seems that RollBack RX cannot stand alone in protecting your PC. It may protect your system from damage by human error, but not from a virus like Safesys...

Then I executed all files in the rar file, then I rebooted. I was surprised that my Kaspersky reported that it detected the safesys process in 4 places: 3 in each partition, and 1 in C:\Program Files\Common Files\. I had set my RollBack to do a scheduled task on restart before this test. And my Kaspersky failed to disinfect my PC. I rolled back to a previous snapshot that I had taken; the same happened, Kaspersky detected those viruses. At last, I rolled back to the baseline, the snapshot taken when RollBack was installed, and I found that safesys still existed...

For a solution, I turned my Kaspersky off, then I installed Malwarebytes Anti-Malware and did a full scan, so my Kaspersky could work properly. Then I continued with a full scan by Kaspersky, and as a result, my PC is clean like before now....

So, I advise you not to use RollBack without any antivirus. When you use Kaspersky or another adequate antivirus, every time you execute the safesys file, they will stop it and prevent your computer from damage caused by that virus....
Graham:

Hi frozen.bit and welcome to the forum.

The interesting thing to me was how our results differed, and so I thought I'd repeat the test to see if I'd missed something. I wiped a hard drive and installed a fresh copy of Windows 7 onto it. Apart from a few drivers, the only software I installed was NOD32, Malwarebytes Anti-Malware, WinRAR and RollBack v9.1. I took a snapshot before unpacking SafeSys and then disabled NOD32. I ran the executables in the SafeSys package and then scanned with Malwarebytes Anti-Malware. The scan came up with 132 infections, which were mostly in the registry. I didn't clean any of the infections, and so I then restored using RollBack to the previous snapshot I'd taken. On rebooting, NOD32 picked up and quarantined an infected autorun.inf file which was on my D: drive. My D: drive wasn't protected by RB and so hadn't been restored. I did another scan of the C: drive with Malwarebytes Anti-Malware and it didn't find any infections. I then did a further scan of all partitions with NOD32 and it picked up another instance of SafeSys.exe on the unprotected D: drive.

So, whilst I still wouldn't recommend RB to replace antivirus software, it does seem to have been able to clean up after SafeSys, which does look as though it was targeted at software which stored its changes in memory. I just don't understand why your experience was different unless I'm missing something here. Always possible. Did you have all partitions protected by RB, and how many physical drives do you have installed?

Graham
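Added example, not code from the thread or from RollBack Rx: the second test above found what the restore had left behind on the D: drive that RollBack was not protecting, an infected autorun.inf and a copy of SafeSys.exe. The script below is a post-rollback check for exactly that case. Given a list of volume roots, it parses any autorun.inf it finds, lists the directives that would launch a program (open=, shellexecute=, shell\<verb>\command=), checks whether each referenced file is present on that volume and hashes it for comparison with AV or sample hashes such as the MD5 posted earlier in the thread. The sample autorun.inf, the RECYCLER\dropper.exe it points at and the temporary "volume" are all constructed for the example.

```python
"""Check unprotected partitions for autorun.inf launch targets after a rollback.

Added example for the RollBack Rx thread; not code from the product or the posters.
Rolling back the system partition leaves unprotected partitions untouched, so an
autorun.inf and the executable it launches can survive the restore there.
"""
import hashlib
import os
import sys
import tempfile

# Constructed sample modelled on an autorun.inf that starts a dropped executable
# when the volume is opened; not the thread's sample.
SAMPLE_AUTORUN = r"""[AutoRun]
; label shown in the Explorer context menu, not a launch directive
shell\open=&Open
shell\open\Command=RECYCLER\dropper.exe
open=dropper.exe
icon=%SystemRoot%\system32\SHELL32.dll,4
"""


def parse_autorun(text):
    """Return {directive: value} for [autorun] directives that launch a program."""
    targets = {}
    in_autorun = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if not in_autorun or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        key = key.lower()  # directive names are case-insensitive on Windows
        # open= and shellexecute= run directly; shell\<verb>\command= runs when
        # that verb is chosen (or is the default). shell\<verb>= is only a label.
        if key in ("open", "shellexecute") or (
            key.startswith("shell\\") and key.endswith("\\command")
        ):
            targets[key] = value
    return targets


def launch_program(value):
    """First token of a launch directive: the program path, quotes stripped."""
    value = value.strip()
    if value.startswith('"'):
        end = value.find('"', 1)
        return value[1:end] if end > 0 else value[1:]
    return value.split()[0] if value else ""


def file_hashes(path):
    """(MD5, SHA-256) hex digests of a file, for comparison with AV/sample hashes."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return md5.hexdigest(), sha256.hexdigest()


def scan_volume(root):
    """Report each launch directive in root/autorun.inf and whether its target exists."""
    inf = os.path.join(root, "autorun.inf")
    if not os.path.isfile(inf):
        return []
    with open(inf, "r", encoding="latin-1", errors="replace") as fh:
        directives = parse_autorun(fh.read())
    findings = []
    for key, value in directives.items():
        program = launch_program(value)
        # AutoRun resolves relative paths against the volume root. Assumption: this
        # may run on a non-Windows analysis host, so backslashes map to os.sep.
        rel = program.replace("\\", os.sep)
        path = rel if os.path.isabs(rel) else os.path.join(root, rel)
        exists = os.path.isfile(path)
        findings.append({
            "directive": key,
            "program": program,
            "path": path,
            "exists": exists,
            "hashes": file_hashes(path) if exists else None,
        })
    return findings


def build_demo_volume():
    """Constructed stand-in for an unprotected D: drive, built in a temp directory."""
    root = tempfile.mkdtemp(prefix="vol_")
    with open(os.path.join(root, "autorun.inf"), "w") as fh:
        fh.write(SAMPLE_AUTORUN)
    os.makedirs(os.path.join(root, "RECYCLER"))
    with open(os.path.join(root, "RECYCLER", "dropper.exe"), "wb") as fh:
        fh.write(b"MZ placeholder, not a real executable\n")  # constructed file
    return root


if __name__ == "__main__":
    roots = sys.argv[1:] or [build_demo_volume()]
    for root in roots:
        for f in scan_volume(root):
            state = "present" if f["exists"] else "missing"
            print(f"{root}: {f['directive']} -> {f['program']} ({state}) {f['hashes']}")
```

Run it with the drive roots to check (`python check_autorun.py D:\ E:\`); with no arguments it builds the constructed volume and reports its two directives, one whose target is present and one whose target is not. The hashes of anything reported as present are what you would compare against the scanner's verdict before deciding whether the unprotected partition needs cleaning as well.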