New Backdoor Trojan Nukes Windows Boot Process

Microsoft's Chun Feng said Friday that a new piece of malware capable of nuking the Windows boot process has been discovered. Rather than loading the operating system, users are greeted with a black screen displaying a single-line, ASCII-based banner.

"A recently discovered backdoor sample (detected as Backdoor:Win32/Yonsole.A) can accept and execute a command from a remote server to modify the Master Boot Record (MBR) on the affected machine," Feng said. "The modification to the MBR is like the old 'Stoned' virus for DOS. However, in this case, the MBR does nothing but display a banner in the center of the screen and freeze the PC. We detect the new MBR as Trojan:DOS/Yonsole.A."

Yonsole can infect popular, mainstream versions of Windows platforms--XP, Vista, and Windows 7--by dropping a DLL into C:\Windows\System32. The trojan can also dump a DLL into C:\Winnt\System32 on machines running Windows 2000 and NT. Yonsole was actually discovered earlier this month, so most anti-virus programs--including Microsoft Security Essentials--should already provide protection.
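The damage described above is confined to the first sector of the disk: the trojan overwrites the 440-byte bootstrap code, while the partition table that follows it in the same sector is what a later repair relies on. The following script is an added example (not Microsoft's tooling or anything from the advisory) that parses a 512-byte MBR image, verifies the 0x55AA boot signature, lists the partition entries and compares the boot-code region against a baseline hash recorded from a known-clean machine. The sample sectors, the disk signature 0xDEADBEEF and the NOP/INT3 filler standing in for real boot code are all constructed for the demo; the baseline hash is an assumption you would record yourself.

```python
"""MBR integrity check (added example, not from the advisory).

Splits the first disk sector into the regions that matter for this kind of
tampering: bootstrap code (bytes 0..439), the Windows disk signature
(440..443), the four partition entries (446..509) and the 0x55AA boot
signature (510..511).  Only the bootstrap region is hashed, because that is
the part an MBR-overwriting trojan replaces and the part fixmbr restores.
"""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440        # bootstrap code; rewritten by fixmbr / fdisk /mbr
DISK_SIG_OFF = 440         # 4-byte Windows disk signature
PART_TABLE_OFF = 446       # four 16-byte partition entries
BOOT_SIG = b"\x55\xaa"     # must be the last two bytes of the sector


def parse_mbr(sector: bytes) -> dict:
    """Decode one MBR sector into its regions and partition entries."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError(f"expected {SECTOR_SIZE} bytes, got {len(sector)}")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        # status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sectors(4)
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", sector, off)
        if ptype != 0:                      # type 0 marks an unused entry
            partitions.append({"index": i, "bootable": status == 0x80,
                               "type": ptype, "lba_start": lba_start,
                               "sectors": sectors})
    return {
        "boot_signature_ok": sector[510:512] == BOOT_SIG,
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "disk_signature": struct.unpack_from("<I", sector, DISK_SIG_OFF)[0],
        "partitions": partitions,
    }


def check_mbr(sector: bytes, baseline_boot_code_sha256: str) -> list[str]:
    """Return findings; an empty list means the sector matches the baseline."""
    info = parse_mbr(sector)
    findings = []
    if not info["boot_signature_ok"]:
        findings.append("missing 0x55AA boot signature")
    if info["boot_code_sha256"] != baseline_boot_code_sha256:
        findings.append("boot code differs from baseline")
    if not info["partitions"]:
        findings.append("no partition entries")
    return findings


def read_mbr(path: str) -> bytes:
    """Read the first sector from a raw image or a device such as
    r'\\\\.\\PhysicalDrive0' on Windows (needs administrator rights)."""
    with open(path, "rb") as fh:
        return fh.read(SECTOR_SIZE)


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed sample sector: given boot code, one bootable NTFS-type
    (0x07) partition starting at LBA 2048, and a valid boot signature."""
    assert len(boot_code) == BOOT_CODE_LEN
    disk_sig = struct.pack("<I", 0xDEADBEEF)              # constructed value
    entry = struct.pack("<B3sB3sII", 0x80, b"\x01\x00\x00", 0x07,
                        b"\xfe\xff\xff", 2048, 1_000_000)
    table = entry + b"\x00" * 48                           # three unused entries
    return boot_code + disk_sig + b"\x00\x00" + table + BOOT_SIG


# Constructed sectors: NOP filler stands in for clean boot code, INT3 filler
# for the overwritten banner stub.  The partition table is identical in both.
CLEAN = build_sample_mbr(b"\x90" * BOOT_CODE_LEN)
TAMPERED = build_sample_mbr(b"\xcc" * BOOT_CODE_LEN)
BASELINE = hashlib.sha256(CLEAN[:BOOT_CODE_LEN]).hexdigest()   # record on a clean host

if __name__ == "__main__":
    for name, sector in (("clean", CLEAN), ("tampered", TAMPERED)):
        print(name, check_mbr(sector, BASELINE) or "OK", parse_mbr(sector)["partitions"])
```

Because only bytes 0..439 differ between the clean and tampered sectors, splicing the clean boot code back in front of the tampered sector's partition table yields a sector that passes the check again, which is exactly why rewriting the boot code (fixmbr, fdisk /mbr) restores booting without touching the partitions. The check is only meaningful alongside removal of the dropped DLL, since a still-running backdoor can accept another overwrite command.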

  • fusion_gtx
    > warezme: fix = fdisk /mbr

    Not necessarily accurate. If the system is still infected, repairing/replacing the mbr won't matter as when you boot back into windows it could just reinfect your system again.
    21
  • redgarl
    This is a more serious threat... usually viruses are not that harmful even if they are really annoying.

    I will start to fear when they attack my motherboard BIOS... until then, AVG is doing the job.
    15
  • MitchMeister-
    So pull the drive, scan on another system, boot into recovery console after virus is removed, boot to recovery console, bootcfg /rebuild, fixmbr, reboot.
    13
  • warezme
    fix = fdisk /mbr
    -6