Content

StealthMBR

Type
Trojan
SubType
Boot
Discovery Date
01/08/2008
Length
varies
Minimum DAT
5204 (01/10/2008)
Updated DAT
5255 (03/19/2008)
Minimum Engine
5.1.00
Description Added
01/09/2008
Description Modified
01/10/2008 6:57 AM (PT)
Risk Assessment
Corporate User
Low-Profiled
Home User
Low-Profiled

Tab Navigation

Characteristics

-- Update January 09, 2008 --
The risk assessment of this threat has been updated to Low-Profiled due to media attention at:
http://www.infoworld.com/article/08/01/09/New-rootkit-uses-old-trick-to-hide-itself_1.html

--

StealthMBR is a Master Boot Record (MBR) infecting trojan. It infects the Master Boot Record on the system hard disk. StealthMBR also exhibits characteristics of Rootkit stealth-like behavior in that it hooks the system before Windows loads giving it the ability to hide from Windows and other applications running within Windows.

  • The trojan attempts communication on TCP port 80 to: Http:\\ogercnt.info\[removed]

The trojan also creates the following files:

  • %TEMP%\cln5.tmp
  • %WINDIR%\Temp\00000219.tmp
  • %WINDIR%\Temp\ldo6.dll
  • %WINDIR%\Temp\ldo6.tmp

(Exact filenames may vary.)

Symptoms

  • Existence of mentioned files.
  • Unexpected TCP communication to ogercnt.info

Method of Infection

Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, etc.

Removal

Repair Instructions:

1. Use specified engine and DAT files for detection and removal of the dropped files. Additional Windows ME/XP removal considerations

2. Please go to the Microsoft Recovery Console and use fixmbr command.

    • Insert the Windows XP CD into the CD-ROM drive and restart the computer.
    •  When the "Welcome to Setup" screen appears, press R to start the Recovery Console.
    • Select the Windows installation that is compromised and provide the administrator password
    • Issue 'fixmbr' command to restore the Master Boot Record
    • Follow onscreen instructions
    • Reset and remove the CD from CD-ROM drive.

More details on How to install and use the Recovery Console in Windows XP can be found at http://support.microsoft.com/kb/307654

Variants

Variants

    N/A

All Information

Overview -

-- Update January 09, 2008 --
The risk assessment of this threat has been updated to Low-Profiled due to media attention at:
http://www.infoworld.com/article/08/01/09/New-rootkit-uses-old-trick-to-hide-itself_1.html

--

This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.

Aliases

  • Stealth MBR rootkit [Gmer]
  • Trojan.Mebroot [Symantec]

Characteristics

Characteristics -

-- Update January 09, 2008 --
The risk assessment of this threat has been updated to Low-Profiled due to media attention at:
http://www.infoworld.com/article/08/01/09/New-rootkit-uses-old-trick-to-hide-itself_1.html

--

StealthMBR is a Master Boot Record (MBR) infecting trojan. It infects the Master Boot Record on the system hard disk. StealthMBR also exhibits characteristics of Rootkit stealth-like behavior in that it hooks the system before Windows loads giving it the ability to hide from Windows and other applications running within Windows.

  • The trojan attempts communication on TCP port 80 to: Http:\\ogercnt.info\[removed]

The trojan also creates the following files:

  • %TEMP%\cln5.tmp
  • %WINDIR%\Temp\00000219.tmp
  • %WINDIR%\Temp\ldo6.dll
  • %WINDIR%\Temp\ldo6.tmp

(Exact filenames may vary.)

Symptoms

Symptoms -

  • Existence of mentioned files.
  • Unexpected TCP communication to ogercnt.info

Method of Infection

Method of Infection -

Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, etc.

Removal -

Removal -

Repair Instructions:

1. Use specified engine and DAT files for detection and removal of the dropped files. Additional Windows ME/XP removal considerations

2. Please go to the Microsoft Recovery Console and use fixmbr command.

    • Insert the Windows XP CD into the CD-ROM drive and restart the computer.
    •  When the "Welcome to Setup" screen appears, press R to start the Recovery Console.
    • Select the Windows installation that is compromised and provide the administrator password
    • Issue 'fixmbr' command to restore the Master Boot Record
    • Follow onscreen instructions
    • Reset and remove the CD from CD-ROM drive.

More details on How to install and use the Recovery Console in Windows XP can be found at http://support.microsoft.com/kb/307654

Variants

Variants -

    N/A