StealthMBR

This page shows details and results of our analysis on the malware StealthMBR

Overview

-- Update November 3, 2008 --
The risk assessment of this threat has been updated to Low-Profiled due to media attention at:
http://voices.washingtonpost.com/securityfix/2008/10/virtual_bank_heist_nets_500000.html
--

-- Update November 02, 2008 --

A new variant of StealthMBR was found to be infecting the Master Boot Record (MBR) of infected systems and collecting personal information. This variant was detected generically as PWS-JA since the 5414 DATs (Oct 24, 2008) and will be identified as StealthMBR in the 5423 DATs. When run, the rootkit behavior of this new variant can already be detected as StealthMBR!rootkit since the 5330 DATs (July 2nd, 2008) using products with Rootkit scanning enabled, e.g. VirusScan Enterprise 8.5.

-- Update January 09, 2008 --
The risk assessment of this threat has been updated to Low-Profiled due to media attention at:
http://www.infoworld.com/article/08/01/09/New-rootkit-uses-old-trick-to-hide-itself_1.html

--

This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.


Minimum Engine

5600.1067

File Length

Varies

Description Added

2008-01-09

Description Modified

2008-11-03

Malware Proliferation

Characteristics


StealthMBR is a Master Boot Record (MBR) infecting trojan: it infects the MBR of the system hard disk. StealthMBR also exhibits rootkit-like stealth behavior, hooking the system before Windows loads, which gives it the ability to hide from Windows and from applications running within Windows.

  • The trojan attempts communication on TCP port 80 to: http://ogercnt.info/[removed]

The trojan also creates the following files:

  • %TEMP%\cln5.tmp
  • %WINDIR%\Temp\00000219.tmp
  • %WINDIR%\Temp\ldo6.dll
  • %WINDIR%\Temp\ldo6.tmp

(Exact filenames may vary.)

Symptoms

  • Existence of mentioned files.
  • Unexpected TCP communication to ogercnt.info
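Because the infection lives in the first sector of the disk rather than in a file, the most direct check is to compare the MBR boot code against a copy captured while the machine was known to be clean. The following is an added example, not part of the original advisory or McAfee's tooling: it parses a raw 512-byte MBR (boot code, partition table, 0x55AA signature) and reports deviations from a baseline hash. The sample sectors, the boot-code bytes and the baseline hash are all constructed inline for illustration; on a real system the sector would come from a raw read of the physical disk.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440          # classic MBR layout: boot code in bytes 0..439
PART_TABLE_OFF = 446         # four 16-byte partition entries start here
MBR_SIGNATURE = b"\x55\xAA"  # boot signature at bytes 510..511

def parse_mbr(sector: bytes) -> dict:
    """Split a raw 512-byte MBR into boot code, partition entries and signature."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    parts = []
    for i in range(4):
        entry = sector[PART_TABLE_OFF + 16 * i:PART_TABLE_OFF + 16 * (i + 1)]
        status, ptype, lba_start, count = struct.unpack("<B3xB3xII", entry)
        parts.append({"bootable": status == 0x80, "type": ptype,
                      "lba_start": lba_start, "sectors": count})
    return {"boot_code": sector[:BOOT_CODE_LEN], "partitions": parts,
            "signature_ok": sector[510:512] == MBR_SIGNATURE}

def mbr_findings(sector: bytes, baseline_sha256: str) -> list:
    """Compare an MBR against a known-good boot-code hash; empty list = clean."""
    mbr = parse_mbr(sector)
    findings = []
    if not mbr["signature_ok"]:
        findings.append("missing 0x55AA boot signature")
    if hashlib.sha256(mbr["boot_code"]).hexdigest() != baseline_sha256:
        findings.append("boot code differs from known-good baseline")
    if sum(p["bootable"] for p in mbr["partitions"]) > 1:
        findings.append("more than one partition flagged bootable")
    return findings

def build_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed test sector (not a real disk image): one bootable NTFS entry."""
    entry = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07, b"\xFE\xFF\xFF", 63, 2097152)
    sector = boot_code.ljust(BOOT_CODE_LEN, b"\x00")   # pad boot code to 440 bytes
    sector += b"\x12\x34\x56\x78" + b"\x00\x00"         # disk signature + reserved
    sector += entry + bytes(16 * 3)                     # entry 1 + three empty entries
    return sector + MBR_SIGNATURE

# Constructed clean and altered boot code. A real baseline would be the hash of
# the boot code captured from the same machine while it was known to be clean.
CLEAN_CODE = b"\xFA\x33\xC0\x8E\xD0\xBC\x00\x7C"
ALTERED_CODE = b"\xEB\x20" + CLEAN_CODE   # first bytes changed, as an infection would
BASELINE = hashlib.sha256(build_sample_mbr(CLEAN_CODE)[:BOOT_CODE_LEN]).hexdigest()
```

Calling mbr_findings(build_sample_mbr(ALTERED_CODE), BASELINE) returns a single finding about the boot code, while the clean sector returns an empty list; a sector whose boot code matches but whose partition table was rewritten would still need the partition entries compared against a saved copy as well.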

Method of Infection

Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, etc.

Removal

Repair Instructions:

McAfee products featuring the "Memory for Rootkits" scanning feature (VirusScan Enterprise 8.5, 8.7, VSO) are able to fully detect and repair this threat. When performing an On-Demand Scan, the "Memory for Rootkits" option must be enabled.

1. Use specified engine and DAT files for detection and removal of the dropped files.

2. Ensure that the option to scan "Memory for Rootkits" is enabled prior to launching the on-demand scan.


The repair procedure, for products without Rootkit scanning features, is as follows:

1. Use the specified engine and DAT files for detection and removal of the dropped files. See also: Additional Windows ME/XP removal considerations.

2. Boot into the Microsoft Recovery Console and run the fixmbr command.

    • Insert the Windows XP CD into the CD-ROM drive and restart the computer.
    • When the "Welcome to Setup" screen appears, press R to start the Recovery Console.
    • Select the Windows installation that is compromised and provide the administrator password.
    • Issue the 'fixmbr' command to restore the Master Boot Record.
    • Follow the onscreen instructions.
    • Reset the computer and remove the CD from the CD-ROM drive.

More details on how to install and use the Recovery Console in Windows XP can be found at http://support.microsoft.com/kb/307654

Variants