How do I remove disorderstatus.ru virus? Prevent reinfection? Make sure there is no (BIOS) rootkit left?

Question

I have recently had two PCs infected with disorderstatus.ru / differentia.ru, by plugging an infected pendrive. From Google searches, it appears that it is a recent virus, or at least with recent spread.

PC1 has Win Vista, and PC2 has Win 8. Both have Avast, which detected the infections.

In PC1 (with partitions C for OS/programs and D for data), I recovered a previous Ghost image into partition C. Partition D was later scanned with Avast and reported clean.

In PC2 (again with partitions C for OS/programs and D for data), I reinstalled the OS.

My two pendrives (one infected and one... perhaps too) were reformatted to FAT16 and FAT32, in a Linux boot from CD.

I further have an external HD.

Is there a way to know for sure if the infection is gone forever?

My concern is due to the fact that there are BIOS rootkits, and perhaps other beasts around that are masters of disguise.

I would appreciate getting info specific to the infection I got, in addition to possibly generic comment which might apply.

Answer 1

Nuke from Orbit (TM)

Replace your non-hardware. Wipe and reinstall everything. That takes care of any software rootkits.

Use general good infosec hygiene to prevent reinfection. (E.g. install updates, only install from trusted sources, run antivirus. Air gap your network if you have to.)

(Hardware) rootkits: don't worry.

The short answer is: these tailor-made hardware rootkits are too expensive to waste on you or the general population.

Also: to defend from these type of attacks is ALSO very expensive and cumbersome. I recommend you spend your infosec budget elsewhere first.

General musings

Hardware rootkits are high-tech, nation state espionage, spy stuff.

They are valuable to the attacker. To continue working, they must be used sparingly. Each use of these has risk of detection for the attacker. Now this means: No shotgun style "hit everyone" attacks. But very specific, direct targeted attacks.

If you are a target valuable enough to justify using one of these things on you, then I'm assuming that you will have to replace your hardware as well.

If for example you are working in nuclear research. I'm thinking Stuxnet like attacks on Iran nuclear installations here. This probably isn't you.

Further reading:

• Wikipedia: Rootkit, section Firmware and hardware

Addendum: Non-tailor-made hardware rootkits.

• "WPBT" sounds scary. No idea if it can be subverted.
  Ars Technica: Lenovo used Windows anti-theft feature to install persistent crapware (Archived here.)
• There is a leaked hardware rootkit from the Hacking Team hack. It's out in the public now. So this could be used by anyone. And not just spy agencies. But: it requires physical access to the computer.
  Trend Micro: Hacking Team Uses UEFI BIOS Rootkit to Keep RCS 9 Agent in Target Systems (Archived here.)

Answer 2

I've looked for some info on malware you described. Looks like Avast should handle it with no problem. But just in case here are removal instructions.

To check your computers for rootkits I recommend you to use a nice free utility developed by Kaspersky lab called TDSSKiller. It detects and removes some widely spread rootkits and bootkits.

Also there is Kaspersky Virus Removal Tool. It detects and removes other types of malware.

Very useful tools, really saved me several times.

I'm sure that other vendors have similar tools, but I used only these. But I think no one can give you 100% sure that your computer is not infected with some very new or very rear malware.

Answer 3

I must agree that Kaspersky or similar anti-virus is a program that should be used first. However, don't forget the second option solution because the most of the latest viruses spreads in one pack with different components like browser hijackers, BHOs, etc. In this case, I would recommend you to try Malwarebytes. If you are not willing to install any software, use this alternative disorderstatus.ru removal guide.