Didier Stevens

Thursday 22 June 2006

Save Safeboot?

Filed under: Malware — Didier Stevens @ 20:03

There was a new run of the e-mail virus Bagle this week. W32/Bagle.fb@MM, to be more precise.

While reversing it with OllyDbg (in a virtual machine VMware), I discovered that this virus employs a new trick: it deletes the registry key HKLM\System\CurrentControlSet\Control\Safeboot.

Deleting this key prevents you from booting Windows in Safe Mode. You enter Safe Mode by pressing key F8 during the display of the Windows splash screen when (re)booting. While the computer is in Safe Mode, it will have reduced functionality, but it is easier to isolate problems because many non-core components are disabled. Many malware programs won't start when running in Safe Mode, thus allowing you to attempt removal of the programs.

Despite the deletion of the Safeboot key, the Windows Advanced Options Menu will still appear, and you'll be able to select Safe boot. But you'll soon be presented with a BSOD, displaying the STOP 0x0000007B error. According to this Microsoft KB article, a possible reason is: "Information in the Windows XP registry (information related to how the device drivers load during startup) is corrupted".

That's correct, it's highly corrupted, it has been wiped clean by this new Bagle virus!

  BSoB

17 Comments »

  1. […]   « Save Safeboot? […]

    Pingback by Didier Stevens » Blog Archive » Restoring Safeboot — Monday 26 June 2006 @ 20:02

  2. […] Take the W32/Bagle.fb virus. It deletes the SafeBoot key, only a couple of assembly lines are needed to wipe your Safe Mode configuration: […]

    Pingback by Didier Stevens » Cleaning up after an infection, and then? — Saturday 12 August 2006 @ 15:22

  3. I have a weird problem.. I have the Look2Me Virus (guard.tmp) and my computer refuses to go into safe mode.. so I assume that my safeboot has been deleted. I tried system restore but it will only allow me to restore to points I’ve made today and will not allow me to go back any further. Do you have any suggestions?
    Thanks!

    Comment by Kindel — Saturday 4 November 2006 @ 21:25

  4. I recently got a anti-virus program on my computer, i forget the name of it but, after installing it, it frezzes all the time on me. I only just found out that amlware is a bad thing and i havnt a clue what to do, could you help me. thanks,

    regards Andrew

    Comment by Andrew — Monday 13 November 2006 @ 9:48

  5. I have a Trojan-Spy.Win32@mx virus. This virus has constantly been changing my home page and keeps suggesting that I buy a Malware Wiped program, what should I do?

    Comment by Nam Tran — Wednesday 7 March 2007 @ 4:46

  6. The best thing you can do is post your problem on a high-volume
    malware removal forum, like http://forums.spywareinfo.com/

    Comment by Didier Stevens — Wednesday 7 March 2007 @ 17:52

  7. […] includes pictures: How to fully de-gunk a PC of CrapwareJune 22, 2006: According to Didier Stevens, some malware can disable Safe Mode. Ugh. February 9, 2007: Didier Stevens released a .REG file that can be used to restore Safe Mode. […]

    Pingback by Spyware Remove Guide » Blog Archive » Removing Spyware — Monday 25 June 2007 @ 10:40

  8. Hi Didier.

    Thank you for your great work.

    I think my friend’s PC got this virus (and many many more). I tried to run your .reg and reboot, but safemode is still not available.

    I’m sure you have better things to do in your life, but it would be cool to team up with this software to allow offline update:

    http://home.eunet.no/~pnordahl/ntpasswd/

    I tried to run the .reg and immediately shut down windows (power off), and still I cannot run in safe mode.

    Thank you,

    alfonso

    Comment by Alfonso — Tuesday 2 September 2008 @ 22:14

  9. Just one more thing…

    I realized that some malware / virus is not allowing me anymore to add HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot .

    As soon as I add it, it’s deleted.

    So I found a workaround for this. I searched and replaced your reg file from SafeBoot to SafeMood, then I started the PC from a disk using UBCD4WIN and renamed the registry entry. And now I’m in safe mode and I can try to run antivirus and antimalware software.

    Thank you for your help!

    Comment by Alfonso — Tuesday 9 September 2008 @ 22:27

  10. That’s an excellent idea Alfonso, thanks for sharing!

    Comment by Didier Stevens — Tuesday 16 September 2008 @ 11:06

  11. […] Live CD Filed under: Malware, Update — Didier Stevens @ 19:39 As more malware seems to delete the SafeBoot keys nowadays, and even prevents you from restoring these keys, I’m posting this “Enhanced […]

    Pingback by Update: Restoring Safe Mode with a .REG file, and a Live CD « Didier Stevens — Wednesday 26 November 2008 @ 19:39

  12. […] malware deletes the SafeBoot registry key to prevent you from booting into Safe Mode. I provide a registry fix to restore these […]

    Pingback by The Undeletable SafeBoot Key « Didier Stevens — Friday 1 January 2010 @ 12:54

  13. Hi…
    My computr is in a terrible soup! It got infected wid sm nasty virus recently which all of a sudden disabled taskmgr, cnt access the registry, gpedit n doesn’t allow me 2 run ANY application .exe file. Each time givs error:”The operatn has been cancelld due to restriction in effect on this computr. Plz contact ur sys. admin.” Im workin in the admin only…n most importantly SAFE MODE IS DISABLED šŸ˜„ on scanning wid NOD32 all viruses gt cleand except Win32 sality virus. tried all possibl advices by dwnloadin RRT, n many more n run ’em…but dey all wnt run(.exe won’t)n hence cudn’t enable safemode. Any HELP wud be deeply appreciated! šŸ™‚
    P.S. im usin XP2. Surprisingly, in my GUEST account, taskmgr n registry cn be opend n i cn run .exe files…but cn’t edit registry ‘coz of permission restriction by admin. šŸ˜¦ iM ‘tryin’ 2 solve this issue without formatting/reinstallin XP.

    Comment by Stef — Sunday 24 January 2010 @ 19:04

  14. Try with the F-Secure Rescue CD https://blog.didierstevens.com/2008/08/21/removing-malware-with-a-live-cd/

    Comment by Didier Stevens — Sunday 24 January 2010 @ 19:58

  15. […] Stevens has posted about restoring SafeMode with a .reg file, adding a bit more to his info about a virus that deletes the SafeBoot key, tricks to restore SafeBoot, and protecting the SafeBoot key from being deleted. While not an […]

    Pingback by Roy Firestein » Links — Thursday 28 January 2010 @ 9:20

  16. Just did the merging of .reg, and booted on Safe Mode…But I cannot log in due to wrong password or wrong user name. What’s the problem ?? I am sure that my user name and password is correct…help!!!

    Comment by Roger Legaspi — Thursday 4 February 2010 @ 23:04

  17. @Roger Legaspi: What’s your OS version? And is this machine a domain member or stand-alone? Check also if it’s not a keyboard setting: type your password in the username field and check it.

    Comment by Didier Stevens — Thursday 4 February 2010 @ 23:38


RSS feed for comments on this post. TrackBack URI

Leave a Reply (comments are moderated)

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Blog at WordPress.com.