Virus Name: StealthMBR
Risk Assessment: Low-Profiled
Discovery Date: 10/01/2008
Min DAT: 5204
Type: Trojan
SubType: Boot
Virus Characteristics:

StealthMBR is a Master Boot Record (MBR) infecting trojan: it overwrites the Master Boot Record of the system hard disk with its own boot code. Because that code runs before Windows loads, StealthMBR also exhibits rootkit-style stealth behavior: it hooks the system during boot, which gives it the ability to hide from Windows and from other applications running within Windows.

The trojan attempts communication on TCP port 80 to:
- http://ogercnt.info/[removed]

The trojan also creates the following files:
- %TEMP%\cln5.tmp
- %WINDIR%\Temp\00000219.tmp
- %WINDIR%\Temp\ldo6.dll
- %WINDIR%\Temp\ldo6.tmp
(Exact filenames may vary.)

Symptoms:
- Existence of the files mentioned above.
- Unexpected TCP communication to ogercnt.info.
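The following script is an added example (not McAfee's detection code) showing the two checks a responder would actually run for an MBR-infecting trojan like this one: comparing a raw 512-byte MBR image against a known-good baseline (boot code hash, partition table, 0x55AA signature), and scanning a Temp directory listing for file names that fit the dropped-file names listed above. The two MBR images and the directory listing are constructed inline so it runs offline; on a real system the candidate image would be the first 512 bytes read from the raw disk (\\.\PhysicalDrive0 on Windows), and it should be read from offline boot media because the trojan hides itself from the running Windows. The name patterns are an assumed generalisation of the listed names, justified only by the note that the exact filenames vary.

```python
"""Offline MBR integrity check and dropped-file name scan for an
MBR-infecting trojan such as StealthMBR.

Added example, not McAfee's detection code. The two 512-byte MBR images
are constructed inline so the script runs offline; on a real system the
candidate image would be the first 512 bytes read from the raw disk
(\\\\.\\PhysicalDrive0 on Windows), taken from offline boot media.
"""
import hashlib
import re
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 446           # bytes 0..445 hold the bootstrap code
PART_TABLE_OFF = 446          # 4 x 16-byte partition entries follow
BOOT_SIGNATURE = b"\x55\xaa"  # bytes 510..511


def parse_mbr(sector: bytes) -> dict:
    """Split a raw MBR into a boot-code hash, partition entries and a signature flag."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR image must be exactly 512 bytes")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        # status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count
        status, ptype, lba_start, num_sectors = struct.unpack_from(
            "<B3xB3xII", sector, off)
        if ptype != 0:  # skip empty entries
            partitions.append({"status": status, "type": ptype,
                               "lba_start": lba_start, "sectors": num_sectors})
    return {
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "partitions": partitions,
        "signature_ok": sector[510:512] == BOOT_SIGNATURE,
    }


def compare_mbr(baseline: bytes, candidate: bytes) -> list:
    """Return findings where the candidate MBR deviates from a known-good baseline."""
    base, cand = parse_mbr(baseline), parse_mbr(candidate)
    findings = []
    if not cand["signature_ok"]:
        findings.append("boot signature 0x55AA missing")
    if base["boot_code_sha256"] != cand["boot_code_sha256"]:
        findings.append("boot code differs from baseline")
    if base["partitions"] != cand["partitions"]:
        findings.append("partition table differs from baseline")
    return findings


# Name patterns generalised (an assumption) from the dropped files listed in
# the write-up, since it notes that the exact names vary.
TEMP_NAME_PATTERNS = [re.compile(p, re.IGNORECASE) for p in (
    r"^cln\d+\.tmp$", r"^\d{8}\.tmp$", r"^ldo\d+\.(dll|tmp)$")]


def suspicious_temp_names(listing) -> list:
    """Pick out names in a Temp directory listing that match the patterns above."""
    return [n for n in listing if any(p.match(n) for p in TEMP_NAME_PATTERNS)]


def build_mbr(boot_code: bytes, partitions) -> bytes:
    """Assemble a 512-byte MBR image (used here only to construct sample data)."""
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN]
    table = b"".join(struct.pack("<B3xB3xII", s, t, lba, n)
                     for s, t, lba, n in partitions).ljust(64, b"\x00")
    return code + table + BOOT_SIGNATURE


# Constructed sample data: one bootable NTFS partition starting at LBA 63.
PARTS = [(0x80, 0x07, 63, 204800)]
CLEAN_MBR = build_mbr(b"\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"CLEAN-BOOTSTRAP", PARTS)
INFECTED_MBR = build_mbr(b"\xeb\x3c\x90" + b"BOOTKIT-LOADER", PARTS)  # same table, new code
SAMPLE_TEMP_LISTING = ["ldo6.dll", "ldo6.tmp", "00000219.tmp", "cln5.tmp",
                       "~DF9A1C.tmp", "wct2B4F.tmp"]

if __name__ == "__main__":
    print("clean vs clean:   ", compare_mbr(CLEAN_MBR, CLEAN_MBR))
    print("clean vs infected:", compare_mbr(CLEAN_MBR, INFECTED_MBR))
    print("suspicious names: ", suspicious_temp_names(SAMPLE_TEMP_LISTING))
```

The baseline should be an MBR captured before infection or a copy of the stock boot code for that Windows version; the partition-table comparison is there because a repair that rewrites only the boot code must leave the table byte-for-byte unchanged, which this check confirms after repair.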
Method Of Infection:

Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, etc.
Removal Instructions:

Repair Instructions:
1. Use the specified engine and DAT files for detection and removal of the dropped files.
2. Go to the Microsoft Recovery Console and use the fixmbr command to restore the Master Boot Record:
   - Insert the Windows XP CD into the CD-ROM drive and restart the computer.
   - When the "Welcome to Setup" screen appears, press R to start the Recovery Console.
   - Select the Windows installation that is compromised and provide the administrator password.
   - Issue the 'fixmbr' command to restore the Master Boot Record.
   - Follow the onscreen instructions.
   - Remove the CD from the CD-ROM drive and reset (restart) the computer.

Note that fixmbr rewrites only the boot code portion of the MBR; the partition table is left untouched. Because the trojan hooks the system before Windows loads and hides itself from Windows, perform the repair and any verification of the MBR from the Recovery Console or other offline boot media, not from inside the infected installation.

More details on how to install and use the Recovery Console in Windows XP can be found at http://support.microsoft.com/kb/307654