Medichi.exe, murka.dat, medichi2.exe rootkit under a microscope
The Medichi rootkit spreads by e-mail or through infected web sites that exploit an Internet Explorer vulnerability on Windows. Medichi combines several rootkit techniques at once to hide itself deeply and make removal harder. Most antivirus and anti-spyware programs can detect part of the Medichi rootkit, but it usually comes back immediately after a reboot.
Infection symptoms:
A user of an infected computer may be surprised by strange hard disk activity: suddenly a file-copy dialog appears on screen. Medichi copies a large number of files from the Windows system folder to the temporary folder and then immediately deletes them.
In addition, Medichi displays a warning message. It then tries to download a fake "Spyware Remover", supposedly to resolve the problem. Of course, Medichi will not delete itself. The fake anti-spyware software asks the user to pay money to remove the malware.
How does the Medichi rootkit work?
Immediately after execution, Medichi turns off the Windows File Protection service so that it can replace the standard Windows beep.sys driver. Beep.sys is used only to make simple "beep" sounds, even when no sound card is installed, and Windows works perfectly well without it. The standard beep.sys is 4224 bytes in size; the infected beep.sys is about 37 Kbytes. The copy of beep.sys in C:\WINDOWS\system32\dllcache is replaced too, so Windows File Protection, which starts again after the reboot, does not restore the original.
Medichi then restarts the infected computer and takes control of it at the moment Windows automatically loads "beep.sys".
The rootkit beep.sys installs a process-creation notify routine, which lets it observe every process that is started. Medichi waits for the notification that the "winlogon.exe" process is being loaded. This is required for two reasons:
1) Hiding the change of the registry startup keys under winlogon.exe.
2) Making sure that the "Software" registry hive is already loaded.
The disassembled listing of the Medichi driver shows that the rootkit registers "medichi.exe" and "medichi2.exe" under HKLM\Software\Microsoft\Windows\CurrentVersion\Run. These executables are used to show the user the spyware warning and to download new versions.

It also tries to turn off some firewall and antivirus tools. "Murka.dat" is inserted into the "Appinit_dlls" registry value; Windows automatically loads every DLL listed in "Appinit_dlls" into the memory of each new process. Murka.dat is a user-mode rootkit that hides the rootkit's files on disk.
The infected beep.sys creates "medichi.exe", "medichi2.exe" and "murka.dat" in the Windows folder, and "user32.dat" in the Windows\System32 folder.
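The indicators listed above (the 4224-byte beep.sys and its dllcache copy, the Run values pointing at medichi.exe/medichi2.exe, and murka.dat in AppInit_DLLs) can be checked with a small triage script. This is an added example, not code from the original write-up; the AppInit_DLLs key path and the system32\drivers location of beep.sys are standard Windows locations not mentioned on the page, and the 37376-byte sample size is a constructed value standing in for "about 37 Kbytes".

```python
import os

STANDARD_BEEP_SIZE = 4224                       # clean beep.sys size given in the write-up
RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"
APPINIT_KEY = r"Software\Microsoft\Windows NT\CurrentVersion\Windows"  # holds AppInit_DLLs
SUSPECT_NAMES = ("medichi.exe", "medichi2.exe", "murka.dat")


def assess(snapshot):
    # snapshot: {'beep_sizes': {path: bytes}, 'run_values': {name: command}, 'appinit': str}
    findings = []
    for path, size in snapshot.get("beep_sizes", {}).items():
        if size != STANDARD_BEEP_SIZE:   # replaced driver is ~37 KB, original is 4224 bytes
            findings.append(f"{path}: {size} bytes, expected {STANDARD_BEEP_SIZE}")
    for name, command in snapshot.get("run_values", {}).items():
        if any(s in command.lower() for s in SUSPECT_NAMES):
            findings.append(f"Run value {name!r} -> {command}")
    if "murka.dat" in snapshot.get("appinit", "").lower():
        findings.append(f"AppInit_DLLs -> {snapshot['appinit']}")
    return findings


def collect_live():
    """Read the same data from a real Windows host (winreg is Windows-only)."""
    import winreg
    windir = os.environ.get("SystemRoot", r"C:\WINDOWS")
    snap = {"beep_sizes": {}, "run_values": {}, "appinit": ""}
    for sub in ("drivers", "dllcache"):            # live driver and the WFP cache copy
        path = os.path.join(windir, "system32", sub, "beep.sys")
        if os.path.exists(path):
            snap["beep_sizes"][path] = os.path.getsize(path)
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, RUN_KEY) as key:
        for i in range(winreg.QueryInfoKey(key)[1]):   # [1] = number of values
            name, value, _ = winreg.EnumValue(key, i)
            snap["run_values"][name] = str(value)
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, APPINIT_KEY) as key:
        snap["appinit"] = str(winreg.QueryValueEx(key, "AppInit_DLLs")[0])
    return snap


# Constructed snapshot of an infected host, so the script also runs offline.
SAMPLE_INFECTED = {
    "beep_sizes": {r"C:\WINDOWS\system32\drivers\beep.sys": 37376},
    "run_values": {"medichi": r"C:\WINDOWS\medichi.exe", "ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe"},
    "appinit": r"C:\WINDOWS\murka.dat",
}

if __name__ == "__main__":
    snap = collect_live() if os.name == "nt" else SAMPLE_INFECTED
    for finding in assess(snap):
        print("SUSPECT:", finding)
```

On a non-Windows host the script evaluates the constructed snapshot; on Windows it reads the live driver sizes and registry values.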
The registry monitor listing shows "winlogon.exe" creating the registry values before the process has fully started. The picture shows that "winlogon.exe" had not yet received control at the moment the registry was changed.

This tells us that the rootkit operates from a driver loaded before the Windows logon process.
The Microsoft File Signature Verification tool (sigverif.exe) can easily check whether system files carry a Microsoft digital signature, and it flagged the replaced beep.sys as well. The driver is not encrypted, so the tell-tale strings "medichi" and "murka.dat" can be read directly from it.
We know that the Medichi rootkit was written by Russian-speaking virus writers: Murka is one of the most popular cat names in Russian, and the text "bljaha muaha zainalo vse!" is Russian swearing.