New Backdoor Trojan Nukes Windows Boot Process

Microsoft's Chun Feng said Friday that a new piece of malware capable of nuking the Windows boot process has been discovered. Rather than loading up the operating system, users are greeted with a black screen displaying a single-line, ASCI-based banner.

"A recently discovered backdoor sample (detected as Backdoor:Win32/Yonsole.A) can accept and execute a command from a remote server to modify the Master Boot Record (MBR) on the affected machine," Feng said. "The modification to the MBR is like the old "Stoned" virus for DOS. However, in this case, the MBR does nothing but display a banner in the center of the screen and freeze the PC. We detect the new MBR as Trojan:DOS/Yonsole.A."

Yonsole can infect popular, mainstream versions of Windows platforms--XP, Vista, and Windows 7--by dropping a DLL into C:\Windows\System32. The trojan can also dump a DLL into C:\Winnt\System32 on machines running Windows 2000 and NT. Yonsole was actually discovered earlier this month, so most anti-virus programs--including Microsoft Security Essentials--should already provide protection.

  • redgarl
    This is a more serious threat... usually virus are not that harmful even if they are really annoying.

    I will start to fear when they will attack my motherboard Bios... until then, AVG is doing the job.
    Reply
  • warezme
    fix = fdisk /mbr
    Reply
  • fusion_gtx
    warezmefix = fdisk /mbr
    Not necessarily accurate. If the system is still infected, repairing/replacing the mbr won't matter as when you boot back into windows it could just reinfect your system again.
    Reply
  • someguynamedmatt
    Like red said, a virus is a virus, no matter how you put it. They all basically do the same thing - mess with your copy of Windows, not going any deeper than the Hard Disk. Until the day comes when someone finds a way to get past the HDD/Software level and truly embed a virus into the RAM or Bios, I'm perfectly happy. Besides, you shouldn't really have to worry as long as you're not doing anything illegal or watching pr0n and the like.
    Reply
  • @redgarl
    I do believe a while back there was a virus that did exactly that. It was early on when mobo makers started using flash to store the BIOS. Now days, they have a removable chip that you can replace (or high end systems with two separate copies of the BIOS) in the event that you flash improperly, or heaven forbid, another nefarious virus figures out a good way to wipe it out on you.
    Back then, the virus basically shelled your mobo and you had to get a new one.

    Google the CIH Virus
    Reply
  • mothandras
    warezmefix = fdisk /mbr
    not to mention formating your MBR would sacrifice your OS settings.. thus making you reinstall your OS.

    Reply
  • aeiouy
    fix = fdisk /mbr



    Not necessarily accurate. If the system is still infected, repairing/replacing the mbr won't matter as when you boot back into windows it could just reinfect your system again.

    True, but that would at least let you run an antivirus program and find the dll. That avoids having to wipe your drive and lose everything.
    Reply
  • MitchMeister-
    So pull the drive, scan on another system, boot into recovery console after virus is removed, boot to recovery console, bootcfg /rebuild, fixmbr, reboot.
    Reply
  • ohiou_grad_06
    No need for that, boot from a rescue disc such as ubcd 4 win. Also, fdisk command may not be necessary. I think if you boot from a Vista or Win7 disc, that it can detect and fix things like that correct?
    Reply
  • psyic
    Mitch's solution is really the most elaborate and correct way to do it. I would advise another scan after those steps in safe mode within the machine, perhaps with MBAM.

    All fdisk /mbr would do is clear the mbr (more or less), not really do anything directly relating to fixing it.
    Reply