Trojan.Mebroot
January 14, 2008, 7:36 pm
I found out about Trojan.Mebroot from Chip.
Symantec says:
When the Trojan is executed, it creates the following mutex so that only one instance of it is running on the compromised computer at any time:
Global\7BC8413E-DEF5-4BF6-9530-9EAD7F45338B
It then reads the Master Boot Record (MBR) and then scans the partition table to find the active boot partition of the computer.
The Trojan infects the MBR, copying the original MBR to sector 62 on the hard disk.
It then installs its own kernel loader to sectors 60 and 61 of the hard disk.
Next, it copies a rootkit driver near the end of the active boot partition. The Trojan overwrites around 1149 sectors (467 KB) when copying the driver.
Next, the Trojan creates a .dll file in the current folder where it is executed and then runs the following command:
regsvr32 /s [TROJAN FILE NAME].dll
and that:
Systems Affected: Windows XP, Windows Vista, Windows Server 2003, Windows 2000
Logically, if you have LILO or GRUB in the MBR, even though you also have Windows, you couldn't care less, right?
Posted by admin in IT&C Related, Linux, m$ | (5) Comments
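
An added example, not part of the original post or of Symantec's write-up: a heuristic check of a raw disk image for the sector layout quoted above (relocated MBR in sector 62, data in sectors 60 and 61). The function names and the constructed sample images are hypothetical, and it assumes the modified sector 0 keeps the original partition table.

```python
import struct

SECTOR = 512

def sector(img: bytes, n: int) -> bytes:
    return img[n * SECTOR:(n + 1) * SECTOR]

def is_mbr(sec: bytes) -> bool:
    # A boot sector ends with the 0x55 0xAA signature.
    return len(sec) == SECTOR and sec[510:512] == b"\x55\xaa"

def active_partition(mbr: bytes):
    """Return (index, start_lba, sector_count) of the entry flagged 0x80, or None."""
    for i in range(4):
        entry = mbr[446 + 16 * i:462 + 16 * i]
        if entry[0] == 0x80:
            start, count = struct.unpack_from("<II", entry, 8)
            return i, start, count
    return None

def check_layout(img: bytes) -> dict:
    """Heuristic findings for the quoted sector layout; a hint, not a signature."""
    mbr, s62 = sector(img, 0), sector(img, 62)
    findings = {
        "active_partition": active_partition(mbr) if is_mbr(mbr) else None,
        # Assumption: sector 0 keeps the partition table, so a relocated original
        # MBR in sector 62 has the same table but different boot code.
        "mbr_copy_in_62": is_mbr(mbr) and is_mbr(s62)
                          and s62[446:510] == mbr[446:510] and s62[:446] != mbr[:446],
        # Non-zero data where the quoted text places the kernel loader.
        "data_in_60_61": any(sector(img, 60)) or any(sector(img, 61)),
    }
    findings["suspicious"] = findings["mbr_copy_in_62"] and findings["data_in_60_61"]
    return findings

def build_image(relocated: bool) -> bytes:
    """Constructed sample: 64 sectors, one active partition starting at LBA 63."""
    table = bytes([0x80, 1, 1, 0, 0x07, 254, 63, 0]) + struct.pack("<II", 63, 20000)
    orig = b"\x90" * 446 + table + bytes(48) + b"\x55\xaa"
    img = bytearray(64 * SECTOR)
    img[0:SECTOR] = orig
    if relocated:
        img[0:446] = b"\xcc" * 446                      # placeholder bytes only
        img[60 * SECTOR:62 * SECTOR] = b"\xaa" * (2 * SECTOR)
        img[62 * SECTOR:63 * SECTOR] = orig             # original MBR moved here
    return bytes(img)

if __name__ == "__main__":
    for name in (False, True):
        print("relocated" if name else "clean", check_layout(build_image(name)))
```

Boot managers and other legitimate software can also store data in the sectors between the MBR and the first partition, so a hit here is a reason to compare sector 0 against a known-good MBR, not a verdict.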

This Mebroot does a pretty neat thing. Me likes it
Comment by Hacky Maximus — January 14, 2008 @ 8:06 pm
Global\7BC8413E-DEF5-4BF6-9530-9EAD7F45338B is that in /etc/conf.d or in /var/spool? I don't get it.
Comment by Licaon — January 14, 2008 @ 8:08 pm
Trojan… Troian… Traian… all of them viruses, right?
Comment by Eugen — January 14, 2008 @ 11:42 pm
logically, no…
dd if=/dev/zero of=/dev/sda bs=512 count=1 => no boot loader.
wouldn't it be logical not to run Windows?
Comment by nu conteaza — January 15, 2008 @ 12:38 pm
Ooh, nu conteaza is alive
Comment by Alex — January 15, 2008 @ 7:00 pm