Search
Sign in with
Sign up | Sign in
42 comments

New Backdoor Trojan Nukes Windows Boot Process

By - Source: Tom's Hardware US

A new backdoor trojan can halt Windows even before the OS even completes the boot process.

Microsoft's Chun Feng said Friday that a new piece of malware capable of nuking the Windows boot process has been discovered. Rather than loading up the operating system, users are greeted with a black screen displaying a single-line, ASCI-based banner.

"A recently discovered backdoor sample (detected as Backdoor:Win32/Yonsole.A) can accept and execute a command from a remote server to modify the Master Boot Record (MBR) on the affected machine," Feng said. "The modification to the MBR is like the old "Stoned" virus for DOS. However, in this case, the MBR does nothing but display a banner in the center of the screen and freeze the PC. We detect the new MBR as Trojan:DOS/Yonsole.A."

Yonsole can infect popular, mainstream versions of Windows platforms--XP, Vista, and Windows 7--by dropping a DLL into C:\Windows\System32. The trojan can also dump a DLL into C:\Winnt\System32 on machines running Windows 2000 and NT. Yonsole was actually discovered earlier this month, so most anti-virus programs--including Microsoft Security Essentials--should already provide protection.

You need to be logged to post a comment

There are 42 Comments. B
Top Comments
  • 21
    fusion_gtx , June 22, 2010 3:03 AM
    warezmefix = fdisk /mbr


    Not necessarily accurate. If the system is still infected, repairing/replacing the mbr won't matter as when you boot back into windows it could just reinfect your system again.
  • 15
    redgarl , June 22, 2010 2:56 AM
    This is a more serious threat... usually virus are not that harmful even if they are really annoying.

    I will start to fear when they will attack my motherboard Bios... until then, AVG is doing the job.
  • 13
    MitchMeister- , June 22, 2010 4:28 AM
    So pull the drive, scan on another system, boot into recovery console after virus is removed, boot to recovery console, bootcfg /rebuild, fixmbr, reboot.
Other Comments
  • 15
    redgarl , June 22, 2010 2:56 AM
    This is a more serious threat... usually virus are not that harmful even if they are really annoying.

    I will start to fear when they will attack my motherboard Bios... until then, AVG is doing the job.
  • -6
    warezme , June 22, 2010 2:59 AM
    fix = fdisk /mbr
  • 21
    fusion_gtx , June 22, 2010 3:03 AM
    warezmefix = fdisk /mbr


    Not necessarily accurate. If the system is still infected, repairing/replacing the mbr won't matter as when you boot back into windows it could just reinfect your system again.
  • 5
    someguynamedmatt , June 22, 2010 3:07 AM
    Like red said, a virus is a virus, no matter how you put it. They all basically do the same thing - mess with your copy of Windows, not going any deeper than the Hard Disk. Until the day comes when someone finds a way to get past the HDD/Software level and truly embed a virus into the RAM or Bios, I'm perfectly happy. Besides, you shouldn't really have to worry as long as you're not doing anything illegal or watching pr0n and the like.
  • 8
    anonymous@guest , June 22, 2010 3:46 AM
    @redgarl
    I do believe a while back there was a virus that did exactly that. It was early on when mobo makers started using flash to store the BIOS. Now days, they have a removable chip that you can replace (or high end systems with two separate copies of the BIOS) in the event that you flash improperly, or heaven forbid, another nefarious virus figures out a good way to wipe it out on you.
    Back then, the virus basically shelled your mobo and you had to get a new one.

    Google the CIH Virus
  • -6
    mothandras , June 22, 2010 3:49 AM
    warezmefix = fdisk /mbr


    not to mention formating your MBR would sacrifice your OS settings.. thus making you reinstall your OS.

  • 12
    aeiouy , June 22, 2010 3:50 AM
    Quote:
    fix = fdisk /mbr



    Not necessarily accurate. If the system is still infected, repairing/replacing the mbr won't matter as when you boot back into windows it could just reinfect your system again.


    True, but that would at least let you run an antivirus program and find the dll. That avoids having to wipe your drive and lose everything.
  • 13
    MitchMeister- , June 22, 2010 4:28 AM
    So pull the drive, scan on another system, boot into recovery console after virus is removed, boot to recovery console, bootcfg /rebuild, fixmbr, reboot.
  • 0
    ohiou_grad_06 , June 22, 2010 5:22 AM
    No need for that, boot from a rescue disc such as ubcd 4 win. Also, fdisk command may not be necessary. I think if you boot from a Vista or Win7 disc, that it can detect and fix things like that correct?
  • 0
    psyic , June 22, 2010 5:56 AM
    Mitch's solution is really the most elaborate and correct way to do it. I would advise another scan after those steps in safe mode within the machine, perhaps with MBAM.

    All fdisk /mbr would do is clear the mbr (more or less), not really do anything directly relating to fixing it.
  • 0
    physx7 , June 22, 2010 6:09 AM
    OTLPE + fixmbr = win
  • -3
    joytech22 , June 22, 2010 6:26 AM
    It sucks how Windows, having one of the largest market shares of Operating Systems, is always under constant attack.

    When UEFI comes out, if a virus was to take over THAT firmware then your computer would be screwed, could do almost anything!
  • -3
    chickenhoagie , June 22, 2010 7:25 AM
    next thing you know they'll have viruses that are stored in the capacitors of ur power supply and cause a mass overload, shortening the circuit in ur wall which will in turn make ur electricity go out in the house. Hell, pretty soon they'll find a way to give ur computer AIDS.

    /kill C Drive
  • -4
    Tomtompiper , June 22, 2010 7:37 AM
    I thought Win 7 was meant to be uber secure, with permissions to install stuff and such? This sounds like the bad old days again, when will they learn and implement tighter security?
  • -1
    Strider-Hiryu_79 , June 22, 2010 8:08 AM
    Oh no! My downloaded pornz are at risk!
  • 1
    Strider-Hiryu_79 , June 22, 2010 8:12 AM
    TomtompiperI thought Win 7 was meant to be uber secure, with permissions to install stuff and such? This sounds like the bad old days again, when will they learn and implement tighter security?


    Are you the CEO of lifelock?
  • 1
    Godfail , June 22, 2010 9:30 AM
    mothandrasnot to mention formating your MBR would sacrifice your OS settings.. thus making you reinstall your OS.


    Formatting your MBR does not sacrifice your OS settings in any way.
  • 1
    Diabolical User , June 22, 2010 9:42 AM
    MitchMeister-So pull the drive, scan on another system, boot into recovery console after virus is removed, boot to recovery console, bootcfg /rebuild, fixmbr, reboot.


    Another alternative would comprise of loading a pre-installed environment via disc/flash drive, then running a virus scan from there.
  • 1
    Godfail , June 22, 2010 9:43 AM
    diabolical userAnother alternative would comprise of loading a pre-installed environment via disc/flash drive, then running a virus scan from there.


    Preferably the newest Windows PE where you can run the recovery console right after.
  • -2
    rkelly1 , June 22, 2010 10:08 AM
    whats next a virus that drops child pron on a pc.
Display more comments
Related Content