Security
•  Greatis •  AppDatabase •  Utilities •  Delphi/CB •  Visual Basic • .NET •  just4fun
RegRun Security Suite
Not an antivirus. Detects and removes rootkits/malware/adware that your antivirus could not.
One-click purchase
RegRun NIVA Platinum - Rootkit Killer

NIVA+CD-ROM

More info:
Know more?
Screenshots

FAQ

On-line manual

Print PDF

Download trial
RegRun NIVA Platinum
Forums
Greatis Forum

NI Forum

Mickey Forum

Thank you!

International
Download Russian

Download Ukrainian

Join our localization team

Home Download Order Support   Newsletter Your shopping cart ?
Medichi.exe, murka.dat, medichi2.exe rootkit under a microscope


Medichi rootkit is spread by e-mail or via infected web sites using Internet Explorer Windows vulnerability.
Medichi uses several rootkit methods at the same time to deep hide the rootkit and make removal process harder.
Most of antivirus and anti-spyware programs can detect part of the Medichi rootkit but it usually comes back immediately after reboot.

Infection symptoms:
A user of an infected computer can be surprised by the strange hard disk activity. Suddenly the file copy dialog will be displayed on the screen.
Medichi copies a large number files of the Windows system folder to the temporary folder and after that immediately deletes those files.
In addition Medichi shows the warning:

Medichi tries to download fake Spyware Remover supposedly to resolve the problem.
Of course, Medichi will not delete himself.
The false antispyware software will ask the user to pay money for the remove malware.


How Medichi rootkit works?

Immediately after executing Medichi turns off Windows File Protection service to replace the standard Windows beep.sys driver.
Beep.sys is used only to make simple "beep" sounds even if no sound card is installed.
Windows works absolutely correct without beep.sys driver.
The standard beep.sys is 4224 bytes in size.
The infected beep.sys is about 37 Kbytes.
The copy of the beep.sys, located in the C:\WINDOWS\system32\dllcache is replaced too.
Windows File Protection Service starts again after reboot.
Medichi restarts infected computer and takes the control of it by using the moment when Windows automatically starts the "beep.sys".

The rootkit-beep installs a notify routine for detecting the opening of each process.
Medichi waits for notification of "winlogon.exe" process being loaded.
This is required for 2 reasons:
1) Hiding the changeof the registry startup keys under winlogon.exe.
2) Making sure that the "Software" registry hive is already loaded.
We can see on the disassemled listing of the Medichi driver here, that rootkit installs "medichi.exe" and "medichi2.exe" to the HKLM\Software\Microsoft\Windows\CurrentVersion\Run.
The executable files are used to notify users about spyware attack and to download new versions.

Also, it tries to turn off some firewall and antiviral tools.
"Murka.dat" is inserted into the "Appinit_dlls" registry value.
Windows automatically loads  DLLs listed in the "Appinit_dlls" into the memory of each new process.
Murka.dat is a user-mode rootkit to hide rootkit files on the disk.
Infected beep.sys creates the "medichi.exe", "medichi2.exe", "murka.dat" in the Windows folder, "user32.dat" in the Windows\System32 folder.

On the registry monitor listing we can see that the "winlogon.exe" creates the registry values before the moment when the process is fully started.
On the picture we can see that "winlogon.exe" did not get control when it changed the registry.

It gives us an idea that the rootkit works from the driver loaded before Windows logon process.

The Microsoft Signature Verifier tool (sigverif.exe) can easily check for the files signed by Microsoft digital sign.
Beep.sys was detected as well. It isn't encrypted and the signal words "medichi", "murka.dat" can be easily read.

We know that Medichi rootkit was written by Russian speaking virus writers.
Murka is a one of the favorite cat names in Russian.
The text "bljaha muaha zainalo vse!" is actually swear words.



What's new?
December 15 2016

Released RegRun Security Suite 8.50.0.550
Full version is available for download.
Update is free for registered users

Released RegRun Reanimator 8.50.0.550 - free software for detecting and removing rootkits & malware.

November 28 2016

Released RegRun Security Suite 8.41.0.541
Full version is available for download.
Update is free for registered users

Released RegRun Reanimator 8.41.0.541 - free software for detecting and removing rootkits & malware.

November 1 2016

Released RegRun Security Suite 8.40.0.540
Full version is available for download.
Update is free for registered users

Released RegRun Reanimator 8.40.0.540 - free software for detecting and removing rootkits & malware.

October 12 2016

Released RegRun Security Suite 8.30.0.530
Full version is available for download.
Update is free for registered users

Released RegRun Reanimator 8.30.0.530 - free software for detecting and removing rootkits & malware.

September 1 2016

Released RegRun Security Suite 8.20.0.520
Full version is available for download.
Update is free for registered users

Released RegRun Reanimator 8.20.0.520 - free software for detecting and removing rootkits & malware.

July 8 2016

Released RegRun Security Suite 8.12.0.512
Full version is available for download.
Update is free for registered users

Released RegRun Reanimator 8.12.0.512 - free software for detecting and removing rootkits & malware.

April 7 2016

Released RegRun Security Suite 8.0.0.500
Full version is available for download.
Update is free for registered users

Released RegRun Reanimator 8.0.0.500 - free software for detecting and removing rootkits & malware.

March 29 2016

New! Edge Reset Button
Edge Reset Button is a free tool for resetting Microsoft Edge Browser.

March 14 2016

Released RegRun Security Suite 7.97.0.197
Full version is available for download.
Update is free for registered users

Released RegRun Reanimator 7.97.0.197 - free software for detecting and removing rootkits & malware.

February 3 2016

Released RegRun Security Suite 7.95.0.195
Full version is available for download.
Update is free for registered users

Released RegRun Reanimator 7.95.0.195 - free software for detecting and removing rootkits & malware.

December 16 2015

Released RegRun Security Suite 7.90.0.190
Full version is available for download.
Update is free for registered users

Released RegRun Reanimator 7.90.0.190 - free software for detecting and removing rootkits & malware.

November 25 2015

Released RegRun Security Suite 7.85.0.185
Full version is available for download.
Update is free for registered users

Released RegRun Reanimator 7.85.0.185 - free software for detecting and removing rootkits & malware.

September 10 2012

BootRescue - free software for Master BootRecord (MBR)/Volume Boot Record (VBR) backup/recovery.


All News


RegRun is able to remove TDL 4 rootkit (MBR infector) on the Windows 32 and 64 bit!


Released Shortcut Antivirus is a free of charge software for protecting against Microsoft LNK vulnerability.


Released Stuxnet Remover is a free of charge tool for Stuxnet/Tmphider rootkit removal


Added detection and removal of Stuxnet Rootkit(mrxnet.sys, mrxcls.sys).


Resolve "Google search redirect problem". Remove TDL3+ rootkit now!


How to resolve the "msls52.dll not found" problem.
New attack against UXTHEME.DLL...

How to resolve the "themed32.dll not found" problem...


Use RegRun Warrior for rootkit removal
Rootkit detection and removal takes 10 minutes with one computer reboot!


Be careful! The QVOD player installer may be a Trojan...


New! Examiner reveals hidden rootkits and infected system drivers!


New Porno banner Troan Oficla removal instructions


TDSS/Alureon removal instructions


Resolving problem with Google redirect MAX++/TDSS rootkit (win32k.sys:1, win3k.sys:2).


Video Lesson how to remove WinLocker Trojan

Malware Removal Lesson


Windows Explorer Redirection DLLS is a new dangerous Windows startup hole...


RegRun has been reviewed by 3d2f.com Software Directory: RegRun Security Suite is an excellent tool that will reliably protect your computer from a plethora of existing and emerging threats and will keep malware at bay.



Removing Medichi Rootkit


Removal of Noskrnl.exe and Noskrnl.sys Rootkit (Spooldr clone)


Removal Baidu rootkit (cnprov.sys)


Removal Spooldr(ecard.exe) rootkit


Fixing BSOD
in Winlogon Process


Removal Areses Trojan


Virus Feebs rootkit removal story


What's this? Rthdcpl.exe - Illegal System DLL Relocation...


Warning! Rootkit Unhooker


Read our article about Unreal rootkit...


Released free Rustock Rootkit(lzx32.sys) removal tool


A#######.sys is a rootkit?


Rootkit Removal instructions: ntsystem.exe


What is BDGuard.sys?


Virus or not? SPTD####.sys


What is mc21.tmp, mc22.tmp, mc23.tmp?


ICQCHK.exe, MSX.DLL free remover...


Services
Ask Computer Guys

Windows startup programs

Articles
Using Registry Tracer...

RegRun against Trojans and Viruses

Specify an order for startup programs

RunGuard prevents a launch...

Using Bootlog Analyser...

They say
"RegRun Security Suite is one of those very rare tool kits that no one who is serious about protecting their PC should ever be without. This toolkit covers all the bases when it comes to eradicating the attempted security threats from malware that we all face - daily. The near real time tech support, direct from Greatis, is nothing sort of superb, something that can be rarely said these days! I have no hesitation in recommending this suite to anyone."

Miles Pearson

Wilders.ORG. Security advisors recommend...

Testimonials
You guys are awesome!!!!
Traci www.pentagonattack911.com

Bob Schmulian:
Absolutely love it and have recommended to many people!

Ian Robinson:
It is FANTASTIC! It has saved my life on more than one occasion since I purchased it less than 6 months ago. I now would not run my system without it... it's worth many times the cost! The service and support are terrific. Helpful - friendly - and accommodating; and generally a reply is received within 12 hours. Just great.

Theodore Soucie:
Since RegRun was installed my system is more stable. I use to experience freezeup daily. I have not had a crash.

Awards
Paul's Picks
Shareware Winner  

More...


Greatis Software Greatis | Security | AppDatabase | Utilities | Delphi/CB | Visual Basic | .NET | just4fun

Contacts | Add to Favorites | Recommend to a Friend | Privacy Policy | Copyright © 1998-2016 Greatis Software

hit counter for tumblr