StealthMBR.a

Type: Trojan
SubType: Boot
Discovery Date: 04/17/2009
Length: various
Minimum DAT: 5590 (04/20/2009)
Updated DAT: 5588 (04/18/2009)
Minimum Engine: 5.2.00
Description Added: 04/17/2009
Description Modified: 05/04/2009 5:12 PM (PT)
Risk Assessment:
  Corporate User: Low-Profiled
  Home User: Low-Profiled

Characteristics

StealthMBR is a Master Boot Record (MBR) infecting trojan: it overwrites the Master Boot Record on the system hard disk. StealthMBR also exhibits rootkit-like stealth behavior, hooking the system before Windows loads, which gives it the ability to hide from Windows and from other applications running within Windows.
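As an added illustration (not McAfee's code and not part of the original advisory), the Python below parses a 512-byte MBR sector, checks the 0x55AA boot signature and partition table, and compares a SHA-256 of the 440-byte boot-code region against a trusted baseline, using two constructed sample sectors. Because the trojan hooks the system before Windows loads and hides from the running OS, this comparison is only trustworthy when the sector is read from offline boot media rather than from inside the suspect Windows installation.

```python
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 440           # boot code occupies bytes 0..439
PART_TABLE_OFF = 446          # four 16-byte partition entries follow the disk signature
BOOT_SIGNATURE = b"\x55\xaa"  # bytes 510..511 of every valid MBR


def parse_mbr(sector: bytes) -> dict:
    """Decode the classic MBR layout; raise ValueError when it is malformed."""
    if len(sector) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    if sector[510:512] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for i in range(4):
        entry = sector[PART_TABLE_OFF + 16 * i:PART_TABLE_OFF + 16 * (i + 1)]
        # status, CHS start (3 bytes skipped), type, CHS end (skipped), LBA start, sector count
        status, ptype, lba_start, count = struct.unpack("<B3xB3xII", entry)
        if ptype:
            partitions.append({"bootable": status == 0x80, "type": ptype,
                               "lba_start": lba_start, "sectors": count})
    return {"boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
            "disk_signature": struct.unpack("<I", sector[440:444])[0],
            "partitions": partitions}


def mbr_changed(sector: bytes, baseline_sha256: str) -> bool:
    """True when the boot-code region no longer matches the trusted baseline hash."""
    return parse_mbr(sector)["boot_code_sha256"] != baseline_sha256


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed sample: one bootable NTFS partition; not an image of a real disk."""
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN]
    entry = struct.pack("<B3xB3xII", 0x80, 0x07, 2048, 1_000_000)
    return (code + struct.pack("<I", 0xDEADBEEF) + b"\x00\x00"
            + entry + b"\x00" * 48 + BOOT_SIGNATURE)


# Baseline taken from a known-clean sector; the "tampered" sector stands in for
# an MBR whose boot code has been replaced (constructed bytes, no malware code).
CLEAN_MBR = build_sample_mbr(b"\xeb\x3c\x90clean loader")
BASELINE = parse_mbr(CLEAN_MBR)["boot_code_sha256"]
TAMPERED_MBR = build_sample_mbr(b"\xeb\x3c\x90patched loader")

if __name__ == "__main__":
    for name, sector in (("clean", CLEAN_MBR), ("tampered", TAMPERED_MBR)):
        verdict = "boot code MODIFIED" if mbr_changed(sector, BASELINE) else "matches baseline"
        print(f"{name}: {verdict}, partitions={parse_mbr(sector)['partitions']}")
```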

Upon execution, the trojan creates the following files:

(The filenames may vary.)

Upon reboot, the trojan queries a large number of random-looking remote server names, for instance:

  • xtjhvcjh.com
  • xtjhvcjh.net
  • xtjhvcjh.biz
  • vexuvsdi.com
  • vexuvsdi.net
  • vexuvsdi.biz
  • ddtcusfd.com
  • dtfbgiuf.com
  • etc.

and attempts to communicate with them on TCP port 80.
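As an added example (not part of the advisory and not McAfee's code), the Python below turns the symptom described above, unexpected communication with many random-looking domains, into a check over constructed DNS log lines: it flags a client that resolves consonant-heavy labels or the same label under several TLDs, the .com/.net/.biz pattern listed above. The log format (client IP followed by query name) and the thresholds are assumptions.

```python
import re
from collections import defaultdict

# Constructed DNS log lines (client IP, query name); not from a real capture.
SAMPLE_DNS_LOG = """\
10.0.0.7 xtjhvcjh.com
10.0.0.7 xtjhvcjh.net
10.0.0.7 xtjhvcjh.biz
10.0.0.7 vexuvsdi.com
10.0.0.7 vexuvsdi.net
10.0.0.7 vexuvsdi.biz
10.0.0.7 ddtcusfd.com
10.0.0.7 dtfbgiuf.com
10.0.0.9 update.example.com
10.0.0.9 mail.example.net
"""

VOWELS = set("aeiou")


def looks_random(label: str) -> bool:
    """Heuristic: few vowels or a long consonant run, as in the sample names above."""
    if len(label) < 6:
        return False
    vowel_ratio = sum(c in VOWELS for c in label) / len(label)
    longest_consonant_run = max(len(run) for run in re.split(r"[aeiou]+", label))
    return vowel_ratio < 0.3 or longest_consonant_run >= 4


def find_suspicious_clients(log_text: str, min_tlds: int = 3, min_labels: int = 3) -> dict:
    """Map client -> sorted suspicious labels; a client is reported only when it
    resolved at least min_labels labels that look random or span min_tlds TLDs."""
    per_client = defaultdict(lambda: defaultdict(set))  # client -> label -> {tld}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        client, qname = line.split()
        parts = qname.lower().rstrip(".").split(".")
        if len(parts) < 2:
            continue
        label, tld = parts[-2], parts[-1]   # registered label and its TLD
        per_client[client][label].add(tld)
    findings = {}
    for client, labels in per_client.items():
        hits = sorted(lbl for lbl, tlds in labels.items()
                      if looks_random(lbl) or len(tlds) >= min_tlds)
        if len(hits) >= min_labels:
            findings[client] = hits
    return findings


if __name__ == "__main__":
    for client, labels in find_suspicious_clients(SAMPLE_DNS_LOG).items():
        print(f"{client}: {len(labels)} suspicious labels -> {labels}")
```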

Symptoms

  • Existence of the mentioned files.
  • Unexpected TCP communication.

Method of Infection

Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, etc.

Removal

Repair Instructions:

McAfee products featuring the "Memory for Rootkits" scanning feature (VirusScan Enterprise 8.5, 8.7, VSO) are able to fully detect and repair this threat. When performing an On-Demand Scan, the "Memory for Rootkits" option must be enabled.

1. Use specified engine and DAT files for detection and removal of the dropped files.

2. Ensure that the option to scan "Memory for Rootkits" is enabled prior to launching the on-demand scan.


The repair procedure for products without rootkit scanning features is as follows:

1. Use specified engine and DAT files for detection and removal of the dropped files.

(See also: Additional Windows ME/XP removal considerations.)

2. Boot into the Microsoft Recovery Console and use the fixmbr command.

    • Insert the Windows XP CD into the CD-ROM drive and restart the computer.
    • When the "Welcome to Setup" screen appears, press R to start the Recovery Console.
    • Select the Windows installation that is compromised and provide the administrator password.
    • Issue the 'fixmbr' command to restore the Master Boot Record.
    • Follow the onscreen instructions.
    • Reset the computer and remove the CD from the CD-ROM drive.

More details on how to install and use the Recovery Console in Windows XP can be found at http://support.microsoft.com/kb/307654

Variants

    N/A

Overview

-- Update April 17, 2009 --
The risk assessment of this threat has been updated to Low-Profiled due to media attention at:
http://www.eweek.com/c/a/Security/Mebroot-The-Stealthiest-Rootkit-in-the-Wild-720225/?kc=rss

--

This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.

Aliases

  • PWS:Win32/Sinowal.gen!M
  • Trojan.Mebroot
  • Win32/Mebroot.BH
