Medichi.exe, murka.dat, medichi2.exe rootkit under a microscope
Medichi rootkit is
spread by e-mail or via infected web sites using Internet Explorer
Medichi uses several rootkit
methods at the same time to deep hide the rootkit and make removal
Most of antivirus and anti-spyware programs can detect part of the Medichi rootkit
but it usually comes back immediately after reboot.
A user of an infected computer can be surprised by the strange hard
disk activity. Suddenly the file copy dialog will be displayed on the
Medichi copies a large number
files of the Windows system folder to the temporary folder and after that
immediately deletes those
In addition Medichi shows
Medichi tries to download fake Spyware Remover supposedly to resolve
Of course, Medichi will not delete himself.
The false antispyware software will ask the user to pay money for the remove malware.
How Medichi rootkit works?
Immediately after executing Medichi
turns off Windows File Protection service to replace
the standard Windows beep.sys driver.
Beep.sys is used only to make simple "beep" sounds even if no sound card
Windows works absolutely correct without beep.sys driver.
The standard beep.sys is 4224 bytes in size.
The infected beep.sys is about 37 Kbytes.
The copy of the beep.sys, located in the C:\WINDOWS\system32\dllcache is
Windows File Protection Service starts again after reboot.
Medichi restarts infected
computer and takes the control of it by using the moment when Windows
automatically starts the "beep.sys".
The rootkit-beep installs a
notify routine for detecting the opening of
Also, it tries to turn off some firewall and antiviral tools.
waits for notification of "winlogon.exe"
process being loaded.
This is required for 2 reasons:
1) Hiding the changeof the registry
startup keys under winlogon.exe.
2) Making sure that the "Software"
registry hive is already loaded.
We can see on the disassemled listing of the Medichi driver here, that
rootkit installs "medichi.exe" and "medichi2.exe" to the
The executable files are used to notify users about spyware attack
and to download new versions.
"Murka.dat" is inserted into the "Appinit_dlls" registry value.
Windows automatically loads DLLs listed in the "Appinit_dlls" into the memory of each
Murka.dat is a user-mode rootkit to hide rootkit files on the disk.
Infected beep.sys creates the "medichi.exe",
"medichi2.exe", "murka.dat" in the Windows folder, "user32.dat" in the Windows\System32
On the registry monitor listing we can see that the "winlogon.exe"
creates the registry values before the moment when the process is fully
On the picture we can see that "winlogon.exe" did not get
control when it changed the registry.
It gives us an idea that
the rootkit works from the driver loaded before Windows logon process.
The Microsoft Signature Verifier
tool (sigverif.exe) can easily check for the files signed by
Microsoft digital sign.
Beep.sys was detected as well.
It isn't encrypted and the signal words "medichi", "murka.dat" can be
We know that Medichi
rootkit was written by Russian speaking virus writers.
Murka is a one of the favorite cat names in Russian.
The text "bljaha muaha zainalo vse!" is actually swear words.