
Compromised by a virus


TempoMat
May 4th, 2011, 12:28
I downloaded a supposed keygen for a program recently and got compromised.
The effect of the infection was that I could not boot my Laptop again after shutting it down the day before I realized it has been compromised. In the end I found out it has overwritten the Master Boot Record (MBR) of the HD with garbage.

I have written down my experience with this unusual virus if it can be considered as such at all and how I managed to get the system back to run in a 7 page document .

Due to the few included screenshots, the PDF document is about 2.35 MB compressed, which exceeds the allowed limit for attachments. I have therefore uploaded it to filesend.net for anyone who might be interested in reading it. The link to it is:
http://www.filesend.net/download.php?f=c0501a9bfef15e5928e5fbcfe94c53f3

I have attached a copy of what I believe is a virus for anyone that might be interested in having a look at it. The file is not packed and does not have any anti-debugging tricks. At least not that I could see any in action. It has only a few mangled reference strings.

It is however dangerous IMHO.


Attention!!! Virus. Not advisable to be executed on a live system.

Password is "virus" without the quotation marks. The extension must be changed from "ex_" to "exe". This is just a measure I have taken to avoid it being executed unintentionally during extraction from the attached archive.

Regards,
TempoMat

Woodmann
May 5th, 2011, 21:36
Howdy,

Quote:

I have written down my experience with this unusual virus if it can be considered as such at all and how I managed to get the system back to run in a 7 page document .


I am interested in how you recovered the "system".
Did you recover the entire hard drive?
Did you restore the OS without losing data?
What tools did you use?

Woodmann

TempoMat
May 6th, 2011, 04:05
Quote:
Did you recover the entire hard drive?


No

Quote:
Did you restore the OS without losing data?


No, I neither restored the entire hard drive nor the OS.

It was not necessary to restore the entire hard drive, as I was somehow very sure that only the MBR of the hard drive was manipulated. I actually spent a few hours checking and analysing all the different hard drives I had and more intensively their corresponding MBRs prior to coming to the conclusion that the MBR might be the only thing that was compromised.

The next thing for me was to find out how to restore the MBR without having to restore the whole OS. Then I remembered from the several images I have had to make in the past (recently almost only with Acronis True Image Echo) that I had come across the option to restore only the MBR.

Quote:
What tools did you use?


Sorry, I removed the tools used in the original draft before uploading.

First I used the Active@ Partition Manager included in the Active@ Boot Disk to find out about the MBR which brought me to the right path.

Then for the restoration of the MBR I used Acronis True Image Echo; either Enterprise or Workstation Server would do. I don't know whether other variants also have the option for restoring only the "MBR and Track 0".

Though I used an Acronis backup from the replaced older drive for the Laptop, I believe a similar backup from any of the hard drives would also have worked, because from what I found out, almost all the hard drives had the same MBR and Track 0 byte sequence.

Acronis comes with an option in its Restore Data Wizard to restore either the entire hard drive or individual partitions as well as "MBR and Track 0". Please refer to the attached image from one of the images I have on the Laptop.

Well I just opted to restore only the "MBR and Track 0" and the result was fortunately as expected.

I also know that Acronis can write a new "MBR and Track 0" to a new hard drive that is to be restored. I made it continue with the original one from the backup.

Regards,
TemPoMat
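The MBR check TempoMat describes above (comparing each drive's first sector with a known-good copy before deciding that only the MBR and Track 0 needed restoring), as an added Python example that is not from the thread or from any tool mentioned in it. The offsets are the standard 512-byte MBR layout; both sample sectors are constructed, not captured from the infected laptop.

```python
import hashlib
import struct

SECTOR, PT_OFFSET, SIG_OFFSET = 512, 446, 510

def parse_mbr(sector: bytes) -> dict:
    """Split one 512-byte MBR into a bootstrap-code hash, the boot signature
    and the four 16-byte partition entries (status, type, start LBA, count)."""
    if len(sector) != SECTOR:
        raise ValueError("MBR must be exactly 512 bytes")
    parts = []
    for i in range(4):
        e = sector[PT_OFFSET + 16 * i:PT_OFFSET + 16 * (i + 1)]
        lba_start, count = struct.unpack("<II", e[8:16])
        parts.append({"status": e[0], "type": e[4], "lba_start": lba_start, "sectors": count})
    return {
        "signature_ok": sector[SIG_OFFSET:] == b"\x55\xaa",
        "bootcode_sha256": hashlib.sha256(sector[:PT_OFFSET]).hexdigest(),
        "partitions": parts,
    }

def mbr_findings(sector: bytes, known_good: bytes) -> list:
    """Compare a captured MBR with a trusted copy and list anything suspicious.
    An empty list means the sector matches and is structurally sane."""
    cur, ref = parse_mbr(sector), parse_mbr(known_good)
    findings = []
    if not cur["signature_ok"]:
        findings.append("boot signature 0x55AA missing: sector is not a valid MBR")
    if cur["bootcode_sha256"] != ref["bootcode_sha256"]:
        findings.append("bootstrap code differs from known-good copy")
    if cur["partitions"] != ref["partitions"]:
        findings.append("partition table differs from known-good copy")
    for n, p in enumerate(cur["partitions"]):
        if p["status"] not in (0x00, 0x80):
            findings.append(f"entry {n}: invalid status byte 0x{p['status']:02x}")
        if p["type"] and p["sectors"] == 0:
            findings.append(f"entry {n}: type 0x{p['type']:02x} with zero length")
    return findings

# Constructed samples (not from the thread): a plausible clean MBR with one bootable
# NTFS-type partition, and pseudo-random bytes standing in for an overwritten MBR.
_BOOTCODE = b"\xeb\x3c\x90" + b"\x90" * (PT_OFFSET - 3)
_ENTRY = bytes([0x80, 0, 0, 0, 0x07, 0, 0, 0]) + struct.pack("<II", 2048, 1_000_000)
CLEAN_MBR = _BOOTCODE + _ENTRY + b"\x00" * 48 + b"\x55\xaa"
GARBAGE_MBR = bytes((i * 37 + 11) & 0xFF for i in range(SECTOR))

if __name__ == "__main__":
    for name, mbr in (("clean", CLEAN_MBR), ("garbage", GARBAGE_MBR)):
        print(name, mbr_findings(mbr, CLEAN_MBR) or ["no findings"])
```

On a real machine the 512 bytes would come from reading the first sector of each drive from a clean boot medium, and the known-good copy from an existing image backup such as the one TempoMat restored from.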

naides
May 6th, 2011, 10:46
I understand that you deactivated the MBR stub of the virus by re-writing the master boot record from a clean copy. But I somehow doubt that all the malware was in the overwritten MBR. Parts of it may still be hanging in the OS, the registry, or an innocent-looking .exe file. I would be wary of your system as is. Do a good disk scan looking for the signatures of this virus in particular, if such signatures exist.
Send the virus to one of the scan services, figure out if it's a recognized threat, and look for the rest of it in your system. . .

TempoMat
May 6th, 2011, 12:26
Hello naides,

I did not deactivate the MBR stub of the virus but reinstalled the original MBR for the hard drive.

I understand your concern.

However I did scan the HD for virus and Rootkit before and after restoring the MBR stub to the hard drive.
I think the main goal of the virus was to prevent the system from booting. I might be wrong, but until now I have not noticed any irregularity after the restoration.

I will continue to observe my system and scan it periodically.
Regards

Woodmann
May 6th, 2011, 20:07
Interesting.

Thanks for the info.

Woodmann

Sab
May 8th, 2011, 19:53
mbr virus is generally used to bypass os mitigations in newer os. I haven't seen a malware whose purpose was to take down a computer/break it in a while. that trend is long gone, may still exist (13 yr old?). the difficulty in surviving and being able to reboot and still run is the goal. should the mbr have already been used to patch up your system using some technique then you're still foobared. given it was garbage, maybe some failed Chinese code, their quality control has a history of being poor. should check the mbr for lead. remember you ran a keygen, so the program had full code execution, and had enough knowledge to write mbr. don't forget these things can easily be self modifying, and probably are. rootkit detection won't find a damn thing, it needs to be manually investigated. malicious code may be embedded now in some other commonly used exe or doc or anything which will revive it, given it's not already running. don't forget a backdoor could have downloaded more code than you actually analyzed, and now you have code which you don't even know about that got transmitted. think pi rat etc. wipe the mbr and format the hdd, black and yellow black and yellow. dongs. btw nice sample though, and good submission. As a tip, always run your keygens in a vm like virtualbox from sun (free) and see the behavior first. dongs you know what it is.

VirusBuster
May 27th, 2011, 09:11
Quote:
Originally Posted by TempoMat: I downloaded a supposed keygen for a program recently and got compromised.


Next time check that kind of stuff with Buster Sandbox Analyzer.

http://bsa.isoftware.nl/