
Trojan.Mebroot.B


First posted on 21 November 2011.
Source: BitDefender

Aliases:

Trojan.Mebroot.B is also known as PSW.Sinowal.C.boot, BackDoor.MaosBoot, Backdoor.Win32.Sinowal.ck.

Explanation:

This is a small piece of malware that resides in the Master Boot Record (MBR) of the disk. When the PC starts up, the infected MBR is loaded into memory and executed. The virus first reserves memory for its body by subtracting 2 from the total amount of conventional memory installed (in order to hide its traces and prevent the OS from overwriting it). It then moves its first 256 bytes into the memory hole it created, reads two more sectors from the disk (61 and 62, which also contain malware code), and hooks the interrupt 13h vector (BIOS disk service), functions 2 and 42h (responsible for reading sectors into memory). It then loads the original MBR code, stored at cylinder 0, sector 63 (the last physical sector of that head), to address 0:7C00h and executes it. Because the read services of interrupt 13h are hooked by the virus, every time the original MBR or the boot sector performs a read operation from the disk, the virus is activated. (However, once the operating system is up and running, disk I/O is performed through drivers rather than interrupt 13h, so the virus no longer intercepts disk reads.)
During the boot sequence, the virus executes its own kernel loader (located in sectors 61 and 62), which patches the Windows kernel in memory in order to load a specific rootkit driver and prepare the execution of other malware components already present on the system.
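The layout described above leaves two things on disk that a clean system does not have: code in the normally empty sectors between the MBR and the first partition, and a second MBR-like sector (the parked original) whose partition table matches the one in sector 0, since the infected MBR must keep the partition table intact for the OS to boot. The following is an added example of an offline heuristic that looks for exactly those two indicators in a raw image of the first track; it is not BitDefender's tooling or a signature for this sample. It assumes the page's 1-based CHS sector numbers 61, 62 and 63 map to LBA 60, 61 and 62 on a 63-sector track, and the "infected" image it scans is built from constructed filler bytes, not real malware code.

```python
"""
Heuristic scan of the first track of a raw disk image for an MBR-relocating
bootkit: non-zero sectors in the gap after the MBR, and a parked copy of the
original MBR with the same partition table as sector 0.
Hypothetical defender-side tooling written for this page, not BitDefender's.
"""
import struct

SECTOR = 512
BOOT_SIG = b"\x55\xaa"
PT_OFFSET = 446          # partition table starts at byte 446 of an MBR
PT_SIZE = 64             # four 16-byte partition entries


def sector(img: bytes, lba: int) -> bytes:
    """Return one 512-byte sector of the image by LBA."""
    return img[lba * SECTOR:(lba + 1) * SECTOR]


def partition_table(sec: bytes) -> bytes:
    return sec[PT_OFFSET:PT_OFFSET + PT_SIZE]


def looks_like_mbr(sec: bytes) -> bool:
    """True if the sector carries the 55AA boot signature and at least one
    partition entry with a sane bootable flag, a type and a non-zero LBA start."""
    if len(sec) != SECTOR or sec[510:512] != BOOT_SIG:
        return False
    for i in range(4):
        entry = sec[PT_OFFSET + 16 * i: PT_OFFSET + 16 * (i + 1)]
        flag, ptype = entry[0], entry[4]
        (lba_start,) = struct.unpack_from("<I", entry, 8)
        if flag not in (0x00, 0x80):
            return False
        if ptype != 0 and lba_start != 0:
            return True
    return False


def scan_track0(img: bytes, track_sectors: int = 63) -> dict:
    """Inspect LBA 0..track_sectors-1 and report the two indicators."""
    mbr = sector(img, 0)
    result = {
        "mbr_has_signature": mbr[510:512] == BOOT_SIG,
        "nonzero_gap_sectors": [],
        "relocated_mbr_candidates": [],
    }
    for lba in range(1, track_sectors):
        sec = sector(img, lba)
        if not any(sec):
            continue                      # all-zero gap sector, nothing to see
        result["nonzero_gap_sectors"].append(lba)
        # A gap sector that is itself a valid MBR with the *same* partition
        # table as sector 0 is the strongest sign of a parked original MBR.
        if looks_like_mbr(sec) and partition_table(sec) == partition_table(mbr):
            result["relocated_mbr_candidates"].append(lba)
    result["suspicious"] = bool(result["relocated_mbr_candidates"])
    return result


# ---- constructed sample images (no real malware bytes) ----------------------
def _mbr(code_byte: int) -> bytes:
    """Build a constructed MBR: filler 'code', one NTFS-type partition
    starting at LBA 63, three empty entries, boot signature."""
    code = bytes([code_byte]) * PT_OFFSET
    entry = struct.pack("<BBBBBBBBII",
                        0x80, 1, 1, 0,          # bootable, start CHS
                        0x07, 0xFE, 0xFF, 0xFF, # type NTFS, end CHS
                        63, 2_000_000)          # LBA start, sector count
    return code + entry + b"\x00" * 48 + BOOT_SIG


CLEAN_IMAGE = _mbr(0x90) + b"\x00" * (SECTOR * 63)

# Constructed infected layout: modified sector 0, filler "loader" in
# LBA 60 and 61 (CHS sectors 61 and 62), original MBR parked in LBA 62.
_inf = bytearray(_mbr(0xCC) + b"\x00" * (SECTOR * 63))
_inf[60 * SECTOR:62 * SECTOR] = bytes([0xEB]) * (2 * SECTOR)
_inf[62 * SECTOR:63 * SECTOR] = _mbr(0x90)
INFECTED_IMAGE = bytes(_inf)

if __name__ == "__main__":
    for name, img in (("clean", CLEAN_IMAGE), ("infected", INFECTED_IMAGE)):
        print(name, scan_track0(img))
```

Against a real disk, the image of the first track should be taken from outside the running system (a rescue boot or the disk attached to a clean host), since the kernel-mode rootkit driver the page describes is loaded precisely to control what the OS sees. A non-zero gap sector on its own is only a weak signal (some boot managers use that space); the matching partition table is what turns it into a concrete finding.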

Last update 21 November 2011
