Trojan.Mebratix.B – the Ghost in MBR
Trojan.Mebratix infects the Master Boot Record (MBR) of a compromised computer. It is very harmful, advanced, and rare in the threat landscape. First appearing in March 2010, this version, also known as “Ghost Shadow” in China, copies the original MBR to the next sector and then replaces the original MBR with malicious code. As a result, Trojan.Mebratix will be loaded and then executed before the operating system, and it can’t be removed thoroughly by a normal reboot.
Symantec Security Response has recently discovered a new variant: Trojan.Mebratix.B. This variant enhances itself to hide more secretly on the compromised computer, so that it is more difficult for security software to detect. Trojan.Mebratix.B won’t place its malicious code in MBR directly after it infects it. Rather, it places the malicious code in other sectors, shown in the picture below:
Next, Trojan.Mebratix.B modifies the memory copy parameter in the MBR to load and execute the malicious code that resides in other sectors:
The original MBR code will be encrypted and placed into the third sector:
As a result, Trojan.Mebratix.B runs before the operating system loads. It can hide itself well in the compromised computer, which helps it avoid being detected by the security software. Moreover, the new variant hides the malicious code in the unused sectors of the boot drive. This makes it difficult for normal security tools to find where the virus resides.
Once executed, Trojan.Mebratix.B injects itself into Explorer process, downloads files from http://www.t[REMOVED].cn/n.txt, and steals and then sends private information to http://www. t[REMOVED].cn/count.aspx?i=xxxxx. Trojan.Mebratix.B mainly spreads through drive-by downloads.
As always, Symantec recommends keeping your virus definitions up-to-date in order to prevent threats like this from compromising a computer.