There is a new virus that protects itself against antivirus software by freezing the hard disk, researchers said.
Once it infects a device, the virus creates a restore point. All modifications the user makes on the system, including editing documents, copying files, and downloading data from the Web, are reset to that point, said researchers from Vietnamese company Bkav. Any newly copied files end up erased.
The threat also changes the hard drive's icon and drops several executable modules, each serving a different purpose. For instance, the Wininite module communicates with two command and control servers, one in China and one in the United States.
Another module, DiskFlt, is responsible for freezing the hard disk. To do this, the malware component creates a device that controls the reading and writing of data on the disk.
“DiskFlt also creates a cache data area. When the user has data reading/writing operations on disk, DiskFlt will create a copy of that data area and put it on the cache area. After this point, every reading/writing operation will be redirected to the cache area, which makes the user unable to change the data of the original disk,” Bkav said in a blog.
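To make the copy-on-write mechanism Bkav describes concrete, here is an added Python simulation; it is not Bkav's code and not the malware's driver, and the RawDisk and FreezeFilter names, the block layout and the reboot model are assumptions for illustration. The filter copies a block into a volatile cache on first access and serves every later read or write from that cache, so the raw disk is never modified and all changes vanish with the cache at the next restart. It also includes the simple persistence check an analyst would run when a machine "forgets" its changes: write a marker, restart, and see whether the marker survived.

```python
# Constructed simulation of a copy-on-write "freeze" disk filter.
# Not Bkav's code and not the malware's driver: the class names
# (RawDisk, FreezeFilter) and block layout are assumptions for illustration.

BLOCK_SIZE = 16


class RawDisk:
    """The physical disk: a fixed array of blocks that persists across reboots."""

    def __init__(self, nblocks):
        self.blocks = [bytes(BLOCK_SIZE) for _ in range(nblocks)]

    def read(self, idx):
        return self.blocks[idx]

    def write(self, idx, data):
        self.blocks[idx] = data.ljust(BLOCK_SIZE, b"\0")[:BLOCK_SIZE]

    def reboot(self):
        """A real disk keeps its contents across a restart, so nothing happens."""


class FreezeFilter:
    """A filter layer sitting between the OS and the raw disk.

    The first access to a block copies it into a volatile cache; every later
    read or write of that block is served from the cache, so the raw disk is
    never modified and the cache is lost when the machine restarts.
    """

    def __init__(self, disk):
        self.disk = disk
        self.cache = {}

    def _ensure_cached(self, idx):
        if idx not in self.cache:
            self.cache[idx] = self.disk.read(idx)

    def read(self, idx):
        self._ensure_cached(idx)
        return self.cache[idx]

    def write(self, idx, data):
        self._ensure_cached(idx)
        self.cache[idx] = data.ljust(BLOCK_SIZE, b"\0")[:BLOCK_SIZE]

    def reboot(self):
        """Simulate a restart: the cache area is volatile, so it is discarded."""
        self.cache.clear()


def demo():
    """Show what the user sees before and after a reboot, and what is really on disk."""
    disk = RawDisk(4)
    disk.write(0, b"original-block-0")
    dev = FreezeFilter(disk)
    dev.write(0, b"user-edited-doc!")      # the user saves a document
    seen_before = dev.read(0)              # the edit appears to have worked
    on_disk = disk.read(0)                 # ...but the raw disk is unchanged
    dev.reboot()
    seen_after = dev.read(0)               # after the restart the edit is gone
    return seen_before, on_disk, seen_after


def writes_persist(device):
    """Analyst check: write a marker block, restart, and see whether it survives.

    Returns True for a normal disk and False when a freeze layer is in the path.
    """
    device.write(3, b"persistence-test")
    device.reboot()
    return device.read(3).startswith(b"persistence-test")


if __name__ == "__main__":
    print(demo())
    print("plain disk keeps writes:", writes_persist(RawDisk(4)))
    print("frozen disk keeps writes:", writes_persist(FreezeFilter(RawDisk(4))))
```

The redirection is transparent to ordinary file operations, which is why the user sees the edit succeed until the next restart; only a check that spans a reboot, or an inspection of the driver stack for an unexpected filter device, reveals that writes never reached the disk.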
PassThru is the network driver module that blocks or redirects certain websites, and Black.dll is the component that helps the virus propagate.
“Obviously, this virus can be considered a rootkit, although it has quite a special self-protection mechanism. Instead of preventing counteractions to modules of the virus like a normal rootkit, this new type prevents changes to the entire disk,” the researchers said.