New Backdoor Trojan Nukes Windows Boot Process

by - source: Tom's Hardware US

A new backdoor trojan can halt Windows before the OS even completes the boot process.

Microsoft's Chun Feng said Friday that a new piece of malware capable of nuking the Windows boot process has been discovered. Instead of the operating system loading, users are greeted with a black screen displaying a single-line, ASCII-based banner.

"A recently discovered backdoor sample (detected as Backdoor:Win32/Yonsole.A) can accept and execute a command from a remote server to modify the Master Boot Record (MBR) on the affected machine," Feng said. "The modification to the MBR is like the old 'Stoned' virus for DOS. However, in this case, the MBR does nothing but display a banner in the center of the screen and freeze the PC. We detect the new MBR as Trojan:DOS/Yonsole.A."

Yonsole can infect popular, mainstream versions of Windows platforms--XP, Vista, and Windows 7--by dropping a DLL into C:\Windows\System32. The trojan can also dump a DLL into C:\Winnt\System32 on machines running Windows 2000 and NT. Yonsole was actually discovered earlier this month, so most anti-virus programs--including Microsoft Security Essentials--should already provide protection.
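An MBR overwrite of the kind Feng describes is easy to spot offline once you have a baseline. The script below is an added example written for this page, not code from the article or from Microsoft's write-up: it parses a 512-byte dump of sector 0, verifies the 0x55AA boot signature, lists the partition entries, and compares the 446-byte boot-code region against a known-good SHA-256 hash. A "banner and freeze" replacement of the boot code leaves the partition table intact, so it shows up as a boot-code hash mismatch while the partitions still parse normally. All byte strings in the block are constructed placeholders, not real boot code, and the baseline hash is computed from the constructed clean image.

```python
"""Offline integrity check of a 512-byte Master Boot Record (MBR) dump.

Added example, not code from the Tom's Hardware article or Microsoft's
Yonsole write-up. All byte strings are constructed placeholders.
"""
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 446      # bytes 0..445 hold the boot loader code
PART_TABLE_OFF = 446     # four 16-byte partition entries follow
PART_ENTRY_LEN = 16
SIG_OFF = 510            # bytes 510..511 must be 0x55 0xAA
# Entry layout: status(1) CHS start(3) type(1) CHS end(3) LBA start(4) sectors(4)
PART_ENTRY_FMT = "<B3xB3xII"


def parse_mbr(mbr: bytes) -> dict:
    """Split an MBR image into boot-code hash, non-empty partition entries and signature check."""
    if len(mbr) != MBR_SIZE:
        raise ValueError(f"expected {MBR_SIZE} bytes, got {len(mbr)}")
    boot_code = mbr[:BOOT_CODE_LEN]
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFF + i * PART_ENTRY_LEN
        status, ptype, lba_start, sectors = struct.unpack_from(PART_ENTRY_FMT, mbr, off)
        if ptype == 0:          # type 0x00 marks an unused slot
            continue
        partitions.append({"index": i, "status": status, "type": ptype,
                           "lba_start": lba_start, "sectors": sectors})
    signature_ok = struct.unpack_from("<H", mbr, SIG_OFF)[0] == 0xAA55
    return {"boot_code_sha256": hashlib.sha256(boot_code).hexdigest(),
            "partitions": partitions, "signature_ok": signature_ok}


def check_mbr(mbr: bytes, baseline_boot_sha256: str) -> dict:
    """Compare a dump against a known-good boot-code hash and return findings."""
    info = parse_mbr(mbr)
    findings = []
    if not info["signature_ok"]:
        findings.append("boot signature 0x55AA missing")
    if info["boot_code_sha256"] != baseline_boot_sha256:
        findings.append("boot code differs from baseline (possible MBR overwrite)")
    active = [p for p in info["partitions"] if p["status"] == 0x80]
    if len(active) != 1:
        findings.append(f"{len(active)} active partitions (expected exactly 1)")
    return {"clean": not findings, "findings": findings, **info}


def build_mbr(boot_code: bytes, partitions, signature: bytes = b"\x55\xaa") -> bytes:
    """Assemble a demo MBR; partitions are (status, type, lba_start, sectors) tuples."""
    table = b"".join(struct.pack(PART_ENTRY_FMT, *p) for p in partitions)
    return boot_code.ljust(BOOT_CODE_LEN, b"\x00") + table.ljust(64, b"\x00") + signature


# Constructed baseline: placeholder loader bytes plus one active NTFS (type 0x07)
# partition starting at LBA 2048. On a real machine the baseline is the hash of
# the MBR dumped while the system was known to be clean.
GOOD_BOOT_CODE = b"DEMO GOOD LOADER STUB"
PARTITIONS = [(0x80, 0x07, 2048, 204800)]
CLEAN_MBR = build_mbr(GOOD_BOOT_CODE, PARTITIONS)
BASELINE_SHA256 = hashlib.sha256(CLEAN_MBR[:BOOT_CODE_LEN]).hexdigest()

# Constructed tampered dump: same partition table, boot code replaced, the
# shape of the modification the article describes.
TAMPERED_MBR = build_mbr(b"DEMO BANNER-AND-HALT STUB", PARTITIONS)

if __name__ == "__main__":
    for name, image in (("clean", CLEAN_MBR), ("tampered", TAMPERED_MBR)):
        result = check_mbr(image, BASELINE_SHA256)
        print(name, "OK" if result["clean"] else result["findings"])
```

On a Linux rescue system the input for a real check is the first sector of the disk, for example `dd if=/dev/sda of=mbr.bin bs=512 count=1`, taken with the suspect OS not running. A matching hash only says the boot sector is unchanged; the DLL the article says Yonsole drops into System32 is the part that survives an MBR repair, so the disk still needs a scan from a clean environment.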

Comments
redgarl 06/21/2010 9:56 PM

This is a more serious threat... usually viruses are not that harmful even if they are really annoying.

I will start to fear when they will attack my motherboard BIOS... until then, AVG is doing the job.

warezme 06/21/2010 9:59 PM
fusion_gtx 06/21/2010 10:03 PM

warezme :
fix = fdisk /mbr

Not necessarily accurate. If the system is still infected, repairing/replacing the MBR won't matter, as when you boot back into Windows it could just reinfect your system again.

someguynamedmatt 06/21/2010 10:07 PM

Like red said, a virus is a virus, no matter how you put it. They all basically do the same thing - mess with your copy of Windows, not going any deeper than the hard disk. Until the day comes when someone finds a way to get past the HDD/software level and truly embed a virus into the RAM or BIOS, I'm perfectly happy. Besides, you shouldn't really have to worry as long as you're not doing anything illegal or watching pr0n and the like.

Anonymous 06/21/2010 10:46 PM

@redgarl
I do believe a while back there was a virus that did exactly that. It was early on when mobo makers started using flash to store the BIOS. Nowadays, they have a removable chip that you can replace (or high-end systems with two separate copies of the BIOS) in the event that you flash improperly, or heaven forbid, another nefarious virus figures out a good way to wipe it out on you.
Back then, the virus basically shelled your mobo and you had to get a new one.

Google the CIH Virus

mothandras 06/21/2010 10:49 PM
aeiouy 06/21/2010 10:50 PM

Quote :
fix = fdisk /mbr

Not necessarily accurate. If the system is still infected, repairing/replacing the MBR won't matter, as when you boot back into Windows it could just reinfect your system again.

True, but that would at least let you run an antivirus program and find the dll. That avoids having to wipe your drive and lose everything.

MitchMeister- 06/21/2010 11:28 PM

So pull the drive, scan on another system, boot into recovery console after virus is removed, boot to recovery console, bootcfg /rebuild, fixmbr, reboot.

ohiou_grad_06 06/22/2010 12:22 PM

No need for that, boot from a rescue disc such as UBCD4Win. Also, the fdisk command may not be necessary. I think if you boot from a Vista or Win7 disc, it can detect and fix things like that, correct?

psyic 06/22/2010 12:56 PM

Mitch's solution is really the most elaborate and correct way to do it. I would advise another scan after those steps in safe mode within the machine, perhaps with MBAM.

All fdisk /mbr would do is clear the MBR (more or less), not really do anything directly relating to fixing it.

physx7 06/22/2010 1:09 AM

OTLPE + fixmbr = win

joytech22 06/22/2010 1:26 AM

It sucks how Windows, having one of the largest market shares of operating systems, is always under constant attack.

When UEFI comes out, if a virus was to take over THAT firmware then your computer would be screwed, could do almost anything!

chickenhoagie 06/22/2010 2:25 AM

next thing you know they'll have viruses that are stored in the capacitors of ur power supply and cause a mass overload, shortening the circuit in ur wall which will in turn make ur electricity go out in the house. Hell, pretty soon they'll find a way to give ur computer AIDS.

/kill C Drive

tomtompiper 06/22/2010 2:37 AM
Strider-Hiryu_79 06/22/2010 3:08 AM

Oh no! My downloaded pornz are at risk!

Strider-Hiryu_79 06/22/2010 3:12 AM

Tomtompiper :
I thought Win 7 was meant to be uber secure, with permissions to install stuff and such? This sounds like the bad old days again, when will they learn and implement tighter security?

Are you the CEO of lifelock?

Godfail 06/22/2010 4:30 AM

mothandras :
not to mention formatting your MBR would sacrifice your OS settings.. thus making you reinstall your OS.

Formatting your MBR does not sacrifice your OS settings in any way.

Diabolical User 06/22/2010 4:42 AM

MitchMeister- :
So pull the drive, scan on another system, boot into recovery console after virus is removed, boot to recovery console, bootcfg /rebuild, fixmbr, reboot.

Another alternative would consist of loading a pre-installed environment via disc/flash drive, then running a virus scan from there.

Godfail 06/22/2010 4:43 AM

diabolical user :
Another alternative would consist of loading a pre-installed environment via disc/flash drive, then running a virus scan from there.

Preferably the newest Windows PE where you can run the recovery console right after.

rkelly1 06/22/2010 5:08 AM

What's next, a virus that drops child pron on a PC?

rkelly1 06/22/2010 5:09 AM

Or a virus that affects both Windows and Mac?

tpho2500 06/22/2010 6:29 AM

Fix = Linux LiveCD

ordcestus 06/22/2010 6:43 AM

redgarl :
This is a more serious threat... usually viruses are not that harmful even if they are really annoying. I will start to fear when they will attack my motherboard BIOS... until then, AVG is doing the job.

There's one out there. I lost a desktop motherboard to it; luckily it was a junk computer.

Tamz_msc 06/22/2010 7:00 AM

I thought that boot viruses were uncommon these days because the OS protects the boot sector.

dEAne 06/22/2010 7:41 AM

Yes, fixing it with an MBR tool won't erase it. I just remember my old days dealing with boot viruses; I never knew these things still exist.

Anonymous 06/22/2010 9:31 AM

Where can I get it?

zybch 06/22/2010 12:22 PM

So what the hell is the point of a virus like this? There is no way for it to monetize its infection or co-opt your machine for botnet purposes.

rantoc 06/22/2010 12:31 PM

As it's a trojan and not a virus, there's an easy fix available: replace the user. For those of you who don't know the difference between a trojan and a virus, and it appears to be far more than expected from a site like this...

Virus = Infects the machines it gets in contact with, without the need to "install it".
Trojan = Appears to be something else or is "bundled" with real software and fools the user into installing it, which is the case here judging by the headline, and when the user allows the install they simply tell the OS that this piece of software is alright, so what is the weaker link? The person behind the wheel or the machine just complying with the user's wishes?

If you want to bash MS for allowing people to install software on their computers, go ahead and make a fool of yourself! It's like saying, well, I disabled my airbag in the car and got hurt when I crashed later, gee, it's the manufacturer's fault!

hap_p 06/22/2010 2:26 PM

Will startup repair or bootrec solve the problem? I think my computer is probably infected with it.

mothandras 06/22/2010 2:39 PM

Godfail :
Formatting your MBR does not sacrifice your OS settings in any way.

Try and boot after you format the MBR.. Not going to happen.. not to mention you would need a boot disk.. and the majority of us don't know what a boot disk is, how to make one, or have a floppy disk/drive to do it.

Christopher1 06/22/2010 4:08 PM

Nothing should be allowed to access the MBR unless it is a WHITELISTED application. That is the bottom line here.

Microsoft needs to realize that there are some parts of the OS and computer that regular applications just SHOULD NOT TOUCH and go to a whitelisting model for access to those areas.
They did it a little in Windows 7, but they didn't go anywhere near far enough.
