Trojan:Win32/Dembr.A
First posted on 27 March 2013.
Source: Microsoft
Aliases:
Trojan:Win32/Dembr.A is also known as Trojan.Win32.EraseMBR.b (Kaspersky), W32/KillMBR.KR (Norman), TR/KillMBR.Y.2 (Avira), Trojan.KillFiles.10563 (Dr.Web), Win32/KillDisk.NAS trojan (ESET), Trojan.MBR.Killer (Ikarus), KillMBR-FBIA (McAfee), Troj/MBRKill-A (Sophos), Trojan.Jokra (Symantec), TROJ_KILLMBR.DS (Trend Micro), W32/Jokra.A (Command).
Explanation:
The trojan stops the Ahnlab and Hauri antivirus programs if it finds either on your computer. It then makes changes to the Master Boot Record (MBR) so that, if you try to restart your computer, it will not start.
Installation
It may have the file name "update.exe" or "schsvcsc.exe". It then drops a file named "schsvcsc.dll" in the <system folder>; this file is also detected as Dembr.A.
The file named "schsvcsc.exe" enables "SeDebugPrivilege" to give the dropped DLL file higher privileges on your computer. It also injects the DLL file into the legitimate Windows process "lsass.exe" so that it automatically runs when Windows starts.
Payload
Modifies the MBR
It modifies the MBR, so that you cannot access your computer.
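Because the description above says the trojan's damage is done to the Master Boot Record, a defender's first question after cleanup is whether sector 0 still matches a known-good baseline. The following is an added example, not part of the Microsoft write-up: it hashes the 512-byte first sector, checks the 0x55AA boot signature, and reports which region (boot code, partition table, signature) differs from the baseline. The sample sectors are constructed in-memory so the script runs offline; `read_first_sector` is the only part that touches a real disk and is only illustrative of where the bytes would come from. The page does not say how Dembr.A rewrites the MBR, so the sample "tampered" sector simply has its boot code zeroed to exercise the comparison.

```python
import hashlib

SECTOR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xaa"   # bytes 510-511 of a valid MBR
BOOT_CODE_END = 446            # boot code is bytes 0-445, partition table 446-509

# Byte ranges of the three MBR regions, used to say *what* changed, not just *that* it changed.
REGIONS = {
    "boot_code": (0, BOOT_CODE_END),
    "partition_table": (BOOT_CODE_END, 510),
    "signature": (510, SECTOR_SIZE),
}


def mbr_sha256(sector: bytes) -> str:
    """SHA-256 of the whole first sector; record this on a known-good machine as the baseline."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError(f"expected a {SECTOR_SIZE}-byte sector, got {len(sector)}")
    return hashlib.sha256(sector).hexdigest()


def check_mbr(sector: bytes, baseline_hash: str) -> dict:
    """Compare a sector image against the recorded baseline hash and the boot signature."""
    signature_ok = sector[510:512] == BOOT_SIGNATURE
    hash_ok = mbr_sha256(sector) == baseline_hash
    return {
        "signature_ok": signature_ok,
        "hash_matches_baseline": hash_ok,
        "tampered": not (signature_ok and hash_ok),
    }


def changed_regions(sector: bytes, baseline_sector: bytes) -> list:
    """Names of the MBR regions whose bytes differ from the baseline sector image."""
    return [name for name, (lo, hi) in REGIONS.items() if sector[lo:hi] != baseline_sector[lo:hi]]


def read_first_sector(device_path: str) -> bytes:
    """Read sector 0 from a raw device. Needs administrator/root rights; typical paths are
    r'\\\\.\\PhysicalDrive0' on Windows or '/dev/sda' on Linux (paths are examples, not from the page)."""
    with open(device_path, "rb") as fh:
        return fh.read(SECTOR_SIZE)


# Constructed sample sectors (not real disk images): repeating filler "boot code", an empty
# partition table and a valid signature; the tampered copy has its boot code zeroed out.
GOOD_SECTOR = (b"\xfa\x33\xc0" * 149)[:BOOT_CODE_END] + b"\x00" * 64 + BOOT_SIGNATURE
TAMPERED_SECTOR = b"\x00" * BOOT_CODE_END + GOOD_SECTOR[BOOT_CODE_END:]
BASELINE = mbr_sha256(GOOD_SECTOR)

if __name__ == "__main__":
    print("good sector:    ", check_mbr(GOOD_SECTOR, BASELINE))
    print("tampered sector:", check_mbr(TAMPERED_SECTOR, BASELINE),
          "changed:", changed_regions(TAMPERED_SECTOR, GOOD_SECTOR))
```

Hashing the whole sector rather than only the boot code also catches partition-table edits, which matter for recovery: if only `boot_code` is reported changed, the partition layout is intact and rewriting standard boot code is usually enough; if `partition_table` changed, the original layout has to be restored from the baseline or rebuilt before the system will boot.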
Stops antivirus products from running
It stops the following AhnLab and Hauri security-related processes from running, leaving your computer vulnerable to threats:
- pasvc.exe - AhnLab Policy Agent
- clisvc.exe - Hauri ViRobot ISMS Client
Restarts your computer
It runs the following command on your computer, to force it to restart:
shutdown -r -t 0
Because of the modifications it makes to the MBR, restarting the computer will render it unusable.
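The Installation and Payload sections together give a small set of host indicators: the dropper names "update.exe" and "schsvcsc.exe", the dropped "schsvcsc.dll" in the system folder, that DLL being loaded into lsass.exe, termination of pasvc.exe and clisvc.exe, and the `shutdown -r -t 0` command. The following is an added example, not from the Microsoft write-up: a small scoring detector that maps process, file and image-load events to those indicators and weights them by how specific they are, so that a lone `shutdown -r -t 0` from an administrator's script does not fire while the combination described above does. The pipe-separated event format, the sample log lines and the weights are constructed for this example; the indicator strings themselves come from the page.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Indicators taken from the Dembr.A description above.
DROPPER_NAMES = {"update.exe", "schsvcsc.exe"}
DROPPED_DLL = "schsvcsc.dll"
INJECTION_HOSTS = {"lsass.exe", "svchost.exe"}
TARGETED_AV_PROCESSES = {"pasvc.exe", "clisvc.exe"}  # AhnLab Policy Agent, Hauri ViRobot ISMS Client
RESTART_CMDLINE = re.compile(r"^\s*shutdown(\.exe)?\s+-r\s+-t\s+0\s*$", re.IGNORECASE)

# Constructed weights: "update.exe" is a common benign name and a forced restart is routine
# in admin scripts, whereas the DLL name and the two AV process kills are specific to Dembr.A.
WEIGHTS = {
    "dropper_name": 1,
    "dropped_dll": 3,
    "dll_in_system_process": 4,
    "av_process_terminated": 4,
    "forced_restart": 1,
}
ALERT_THRESHOLD = 5


@dataclass
class Event:
    kind: str    # process_create | file_create | image_load | process_terminate
    image: str   # full path of the acting process
    detail: str  # command line, created file path, loaded module path, or terminated process name


def basename(path: str) -> str:
    """Lower-cased final path component, tolerant of either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_events(text: str) -> list[Event]:
    """Parse the constructed 'kind|image|detail' lines into Event records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        kind, image, detail = line.split("|", 2)
        events.append(Event(kind.strip(), image.strip(), detail.strip()))
    return events


def classify(ev: Event) -> str | None:
    """Map one event to an indicator name from the Dembr.A description, or None if it matches nothing."""
    actor = basename(ev.image)
    if ev.kind == "process_create":
        if RESTART_CMDLINE.match(ev.detail):
            return "forced_restart"
        parts = ev.detail.split()
        if parts and basename(parts[0]) in DROPPER_NAMES:
            return "dropper_name"
    elif ev.kind == "file_create" and basename(ev.detail) == DROPPED_DLL:
        return "dropped_dll"
    elif ev.kind == "image_load" and actor in INJECTION_HOSTS and basename(ev.detail) == DROPPED_DLL:
        return "dll_in_system_process"
    elif ev.kind == "process_terminate" and basename(ev.detail) in TARGETED_AV_PROCESSES:
        return "av_process_terminated"
    return None


def detect(events: list[Event]) -> dict:
    """Score all matched indicators for one host and return a verdict."""
    hits = [ind for ev in events if (ind := classify(ev))]
    score = sum(WEIGHTS[ind] for ind in hits)
    return {
        "indicators": hits,
        "score": score,
        "verdict": "dembr_suspected" if score >= ALERT_THRESHOLD else "no_detection",
    }


# Constructed sample events (not a real capture) following the sequence the page describes.
SAMPLE_LOG = r"""
process_create|C:\Users\bob\AppData\Local\Temp\update.exe|update.exe
file_create|C:\Users\bob\AppData\Local\Temp\update.exe|C:\Windows\System32\schsvcsc.dll
image_load|C:\Windows\System32\lsass.exe|C:\Windows\System32\schsvcsc.dll
process_terminate|C:\Windows\System32\schsvcsc.exe|pasvc.exe
process_terminate|C:\Windows\System32\schsvcsc.exe|clisvc.exe
process_create|C:\Windows\System32\schsvcsc.exe|shutdown -r -t 0
process_create|C:\Windows\explorer.exe|notepad.exe
"""

if __name__ == "__main__":
    print(detect(parse_events(SAMPLE_LOG)))
```

In a real deployment the `Event` records would come from a process-auditing source (Sysmon, EDR telemetry, Security event log) and the threshold would be tuned per environment; the point of the weighting is that the two most specific indicators, the DLL name and the security-product kills, each come close to the threshold on their own, while the generic ones only add confirmation.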
Additional information
Attempts to avoid detection and removal
It injects code into the legitimate Windows process "svchost.exe" to try to avoid detection and removal.
Analysis by Justin Kim, Horea Coroiu, & Alden Pornasdoro
Last update 27 March 2013