Sign in with
Sign up | Sign in

New Backdoor Trojan Nukes Windows Boot Process

By - Source: Tom's Hardware US | B 42 comments

A new backdoor trojan can halt Windows even before the OS even completes the boot process.

Microsoft's Chun Feng said Friday that a new piece of malware capable of nuking the Windows boot process has been discovered. Rather than loading up the operating system, users are greeted with a black screen displaying a single-line, ASCI-based banner.

"A recently discovered backdoor sample (detected as Backdoor:Win32/Yonsole.A) can accept and execute a command from a remote server to modify the Master Boot Record (MBR) on the affected machine," Feng said. "The modification to the MBR is like the old "Stoned" virus for DOS. However, in this case, the MBR does nothing but display a banner in the center of the screen and freeze the PC. We detect the new MBR as Trojan:DOS/Yonsole.A."

Yonsole can infect popular, mainstream versions of Windows platforms--XP, Vista, and Windows 7--by dropping a DLL into C:\Windows\System32. The trojan can also dump a DLL into C:\Winnt\System32 on machines running Windows 2000 and NT. Yonsole was actually discovered earlier this month, so most anti-virus programs--including Microsoft Security Essentials--should already provide protection.

Display 42 Comments.
This thread is closed for comments
Top Comments
  • 21 Hide
    fusion_gtx , June 21, 2010 8:03 PM
    warezmefix = fdisk /mbr


    Not necessarily accurate. If the system is still infected, repairing/replacing the mbr won't matter as when you boot back into windows it could just reinfect your system again.
  • 15 Hide
    redgarl , June 21, 2010 7:56 PM
    This is a more serious threat... usually virus are not that harmful even if they are really annoying.

    I will start to fear when they will attack my motherboard Bios... until then, AVG is doing the job.
  • 13 Hide
    MitchMeister- , June 21, 2010 9:28 PM
    So pull the drive, scan on another system, boot into recovery console after virus is removed, boot to recovery console, bootcfg /rebuild, fixmbr, reboot.
Other Comments
  • 15 Hide
    redgarl , June 21, 2010 7:56 PM
    This is a more serious threat... usually virus are not that harmful even if they are really annoying.

    I will start to fear when they will attack my motherboard Bios... until then, AVG is doing the job.
  • -6 Hide
    warezme , June 21, 2010 7:59 PM
    fix = fdisk /mbr
  • 21 Hide
    fusion_gtx , June 21, 2010 8:03 PM
    warezmefix = fdisk /mbr


    Not necessarily accurate. If the system is still infected, repairing/replacing the mbr won't matter as when you boot back into windows it could just reinfect your system again.
  • 5 Hide
    someguynamedmatt , June 21, 2010 8:07 PM
    Like red said, a virus is a virus, no matter how you put it. They all basically do the same thing - mess with your copy of Windows, not going any deeper than the Hard Disk. Until the day comes when someone finds a way to get past the HDD/Software level and truly embed a virus into the RAM or Bios, I'm perfectly happy. Besides, you shouldn't really have to worry as long as you're not doing anything illegal or watching pr0n and the like.
  • 8 Hide
    Anonymous , June 21, 2010 8:46 PM
    @redgarl
    I do believe a while back there was a virus that did exactly that. It was early on when mobo makers started using flash to store the BIOS. Now days, they have a removable chip that you can replace (or high end systems with two separate copies of the BIOS) in the event that you flash improperly, or heaven forbid, another nefarious virus figures out a good way to wipe it out on you.
    Back then, the virus basically shelled your mobo and you had to get a new one.

    Google the CIH Virus
  • -6 Hide
    mothandras , June 21, 2010 8:49 PM
    warezmefix = fdisk /mbr


    not to mention formating your MBR would sacrifice your OS settings.. thus making you reinstall your OS.

  • 12 Hide
    aeiouy , June 21, 2010 8:50 PM
    Quote:
    fix = fdisk /mbr



    Not necessarily accurate. If the system is still infected, repairing/replacing the mbr won't matter as when you boot back into windows it could just reinfect your system again.


    True, but that would at least let you run an antivirus program and find the dll. That avoids having to wipe your drive and lose everything.
  • 13 Hide
    MitchMeister- , June 21, 2010 9:28 PM
    So pull the drive, scan on another system, boot into recovery console after virus is removed, boot to recovery console, bootcfg /rebuild, fixmbr, reboot.
  • 0 Hide
    ohiou_grad_06 , June 21, 2010 10:22 PM
    No need for that, boot from a rescue disc such as ubcd 4 win. Also, fdisk command may not be necessary. I think if you boot from a Vista or Win7 disc, that it can detect and fix things like that correct?
  • 0 Hide
    psyic , June 21, 2010 10:56 PM
    Mitch's solution is really the most elaborate and correct way to do it. I would advise another scan after those steps in safe mode within the machine, perhaps with MBAM.

    All fdisk /mbr would do is clear the mbr (more or less), not really do anything directly relating to fixing it.
  • 0 Hide
    physx7 , June 21, 2010 11:09 PM
    OTLPE + fixmbr = win
  • -3 Hide
    joytech22 , June 21, 2010 11:26 PM
    It sucks how Windows, having one of the largest market shares of Operating Systems, is always under constant attack.

    When UEFI comes out, if a virus was to take over THAT firmware then your computer would be screwed, could do almost anything!
  • -3 Hide
    chickenhoagie , June 22, 2010 12:25 AM
    next thing you know they'll have viruses that are stored in the capacitors of ur power supply and cause a mass overload, shortening the circuit in ur wall which will in turn make ur electricity go out in the house. Hell, pretty soon they'll find a way to give ur computer AIDS.

    /kill C Drive
  • -4 Hide
    Tomtompiper , June 22, 2010 12:37 AM
    I thought Win 7 was meant to be uber secure, with permissions to install stuff and such? This sounds like the bad old days again, when will they learn and implement tighter security?
  • -1 Hide
    Strider-Hiryu_79 , June 22, 2010 1:08 AM
    Oh no! My downloaded pornz are at risk!
  • 1 Hide
    Strider-Hiryu_79 , June 22, 2010 1:12 AM
    TomtompiperI thought Win 7 was meant to be uber secure, with permissions to install stuff and such? This sounds like the bad old days again, when will they learn and implement tighter security?


    Are you the CEO of lifelock?
  • 1 Hide
    Godfail , June 22, 2010 2:30 AM
    mothandrasnot to mention formating your MBR would sacrifice your OS settings.. thus making you reinstall your OS.


    Formatting your MBR does not sacrifice your OS settings in any way.
  • 1 Hide
    Diabolical User , June 22, 2010 2:42 AM
    MitchMeister-So pull the drive, scan on another system, boot into recovery console after virus is removed, boot to recovery console, bootcfg /rebuild, fixmbr, reboot.


    Another alternative would comprise of loading a pre-installed environment via disc/flash drive, then running a virus scan from there.
  • 1 Hide
    Godfail , June 22, 2010 2:43 AM
    diabolical userAnother alternative would comprise of loading a pre-installed environment via disc/flash drive, then running a virus scan from there.


    Preferably the newest Windows PE where you can run the recovery console right after.
  • -2 Hide
    rkelly1 , June 22, 2010 3:08 AM
    whats next a virus that drops child pron on a pc.
Display more comments