Virus stealing financial data from Windows PCs

Windows users warned of rootkit virus on the loose in Europe

By Matthew Wade, published January 22, 2008

Windows PC users are being warned about a clever new virus that can steal online bank account login details.

According to software security specialists, the malicious program has already infected more than 5,000 victims, mostly in Europe; users in the Middle East are also at risk.

The malicious program, which hides deep within the Windows OS to avoid detection, is a type of malware known as a rootkit. It tries to overwrite the part of a PC's hard disk known as the Master Boot Record (MBR), the first sector the machine reads and executes when it starts up.

"If you can control the MBR, you can control the operating system and therefore the computer it resides on," said Elia Florio on security company Symantec's blog.

Once installed, the virus - dubbed 'Mebroot' by Symantec - downloads other malicious programs such as keyloggers, which track and record keystrokes to steal confidential data such as login details for financial institutions.

Computers running Windows 2000, XP, Vista or Server 2003 that are not fully patched are all thought to be vulnerable to the virus.

According to McAfee's EMEA security strategist, Toralv Dirro, "The basic Trojan functionality, capturing information such as passwords etc., is neither new nor unusual. What's new is the way the Trojan installs itself on a system and how the rootkit portion of the Trojan works. This Trojan modifies the first code that is run when a PC starts up and maintains control all the way through the boot process. While there have been so-called proof-of-concepts before, this is the first time we are seeing this method used in practice."

Dirro added: "It is not possible to remove this Trojan while it's active, so to get rid of it, it's necessary to boot the computer from the Windows CD and enter the recovery console, making removal very expensive and time-consuming."

Symantec's regional team meanwhile offered the following advice:

To prevent this threat from hitting your PC, run your Windows OS under a limited account (e.g. a standard user account without administrative privileges). If using Vista, keep UAC enabled and don't allow suspicious operations on your system. And of course, keep AV software updated.

"At present the threat is detected with the following names: Trojan.Mebroot and Boot.Mebroot. To repair or remove this malware, boot your PC from the 'Windows Recovery Console CD-ROM' and use the command 'fixmbr'." Further details are on Symantec's website.
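The article describes the attack as a rewrite of the bootstrap code in the MBR and the remedy as restoring it with fixmbr. A defender can check that the MBR is still the one expected by comparing sector 0 against a baseline captured while the machine was known-clean. The following Python script is an added illustration, not a Symantec or McAfee tool; it assumes the 512-byte sector is read from a raw device (on Windows the `\\.\PhysicalDrive0` path, which needs Administrator rights) or carved from a disk image, and the sample sectors it builds are constructed for the demonstration.

```python
"""MBR integrity check against a known-good baseline (added illustration).

Assumptions: a raw 512-byte sector is available, either read from a device
such as \\\\.\\PhysicalDrive0 (Windows, Administrator required) or carved from
a disk image, and the baseline was taken while the machine was known-clean.
"""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440       # bootstrap code: the first code that runs at power-on
DISK_SIG_OFF = 440        # 4-byte Windows disk signature
PART_TABLE_OFF = 446      # four 16-byte partition entries follow
PART_ENTRY_LEN = 16
BOOT_SIGNATURE = b"\x55\xaa"


def parse_mbr(sector: bytes) -> dict:
    """Split a raw MBR into a bootstrap-code hash, disk signature and partition entries."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly %d bytes" % SECTOR_SIZE)
    if sector[510:512] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFF + i * PART_ENTRY_LEN
        # status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count
        status, ptype, start_lba, count = struct.unpack_from("<B3xB3xII", sector, off)
        if ptype == 0:        # empty slot
            continue
        partitions.append({"index": i, "bootable": status == 0x80, "type": ptype,
                           "start_lba": start_lba, "sectors": count})
    return {
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "disk_signature": struct.unpack_from("<I", sector, DISK_SIG_OFF)[0],
        "partitions": partitions,
    }


def check_mbr(sector: bytes, baseline: dict) -> list:
    """Compare a freshly read MBR with a baseline from parse_mbr(); return findings."""
    cur = parse_mbr(sector)
    findings = []
    if cur["boot_code_sha256"] != baseline["boot_code_sha256"]:
        findings.append("bootstrap code changed")
    if cur["disk_signature"] != baseline["disk_signature"]:
        findings.append("disk signature changed")
    if cur["partitions"] != baseline["partitions"]:
        findings.append("partition table changed")
    return findings


def read_mbr(device_path: str) -> bytes:
    """Read sector 0 from a raw device or image file (Administrator/root needed for devices)."""
    with open(device_path, "rb") as fh:
        return fh.read(SECTOR_SIZE)


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed test sector: given bootstrap bytes plus one bootable NTFS partition at LBA 63."""
    sector = bytearray(SECTOR_SIZE)
    code = boot_code[:BOOT_CODE_LEN]
    sector[:len(code)] = code
    struct.pack_into("<I", sector, DISK_SIG_OFF, 0x12345678)      # constructed disk signature
    struct.pack_into("<B3xB3xII", sector, PART_TABLE_OFF, 0x80, 0x07, 63, 2_000_000)
    sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)


if __name__ == "__main__":
    clean = build_sample_mbr(b"\xfa\x33\xc0\x8e\xd0")      # constructed stand-in for stock boot code
    baseline = parse_mbr(clean)
    tampered = build_sample_mbr(b"\xeb\x1f\x90\x90\x90")   # constructed: bootstrap bytes differ
    print("clean:", check_mbr(clean, baseline))
    print("tampered:", check_mbr(tampered, baseline))
```

Dirro's point above applies directly to this check: while the rootkit is active it controls what the running Windows sees, so a read of sector 0 from inside the infected system is not trustworthy. Take the baseline and run the comparison from a clean boot medium (the recovery console or a live CD), and keep the baseline off the machine being checked.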

3693 days ago

I just got this virus last night, 4/11/09, and it can NOT be fixed with Symantec's tool. Nor is it fixed by overwriting the MBR with the recovery console. My guess is that neither Symantec nor Microsoft overwrites the ENTIRE master boot record. So the virus is living on some non-standard sector perhaps, but still getting loaded. If Symantec is smart enough to detect this, why aren't they smart enough to know they must overwrite and restore the entire MBR? That said, I'm lucky I'm very experienced. I have a backup, so I will use a Western Digital utility to wipe out the first million bytes of my drive. Then I will restore the MBR. Then I will reload the system from backup, OR I will just reformat, repartition, and then reload my backup. But I really want everyone to know that those tools just failed today. If the virus writer is smart enough to put it in a strange place, they should be smart enough to know that. As for this being the first proof of concept, I disagree. The first time I got a boot sector virus was on an Apple computer in 1981. I also got one on an Amiga computer as well. It's not new, just kind of unheard of on XP since most viruses work differently. Here's hoping that someone will read this that knows how to contact the right people.
