Video Screencast Help
Symantec Appoints Michael A. Brown CEO. Learn more.
Security Response

Trojan.Mebratix.B – the Ghost in MBR

Created: 30 Apr 2010 16:46:57 GMT • Updated: 23 Jan 2014 18:27:50 GMT
Security Response China's picture
0 0 Votes
Login to vote

Trojan.Mebratix infects the Master Boot Record (MBR) of a compromised computer. It is very harmful, advanced, and rare in the threat landscape. First appearing in March 2010, this version, also known as “Ghost Shadow” in China, copies the original MBR to the next sector and then replaces the original MBR with malicious code. As a result, Trojan.Mebratix will be loaded and then executed before the operating system, and it can’t be removed thoroughly by a normal reboot.

Symantec Security Response has recently discovered a new variant: Trojan.Mebratix.B. This variant enhances itself to hide more secretly on the compromised computer, so that it is more difficult for security software to detect. Trojan.Mebratix.B won’t place its malicious code in MBR directly after it infects it. Rather, it places the malicious code in other sectors, shown in the picture below:

Next, Trojan.Mebratix.B modifies the memory copy parameter in the MBR to load and execute the malicious code that resides in other sectors:

The original MBR code will be encrypted and placed into the third sector:

As a result, Trojan.Mebratix.B runs before the operating system loads. It can hide itself well in the compromised computer, which helps it avoid being detected by the security software. Moreover, the new variant hides the malicious code in the unused sectors of the boot drive. This makes it difficult for normal security tools to find where the virus resides.

Once executed, Trojan.Mebratix.B injects itself into Explorer process, downloads files from http://www.t[REMOVED].cn/n.txt, and steals and then sends private information to http://www. t[REMOVED].cn/count.aspx?i=xxxxx. Trojan.Mebratix.B mainly spreads through drive-by downloads.

As always, Symantec recommends keeping your virus definitions up-to-date in order to prevent threats like this from compromising a computer.