Virus stealing financial data from Windows PCs
Windows users warned of rootkit virus on the loose in Europe
Windows PC users are being warned about a clever new virus that can steal online bank account login details.
According to security software specialists, the malicious program has already infected more than 5,000 victims, mostly in Europe, although users in the Middle East are also at risk.
The malicious program is a rootkit: it hides from the Windows OS to avoid detection, and it does so by overwriting the first sector of the PC's hard disk, the Master Boot Record (MBR), which holds the code a PC runs before Windows itself is loaded.
"If you can control the MBR, you can control the operating system and therefore the computer it resides on," said Elia Florio on security company Symantec's blog.
Once installed, the virus - dubbed 'Mebroot' by Symantec - downloads other malicious programs such as keyloggers, which record keystrokes to steal confidential data such as login details for financial institutions.
Computers running Windows 2000, XP, Vista or Server 2003 that are not fully patched are all thought to be vulnerable to the virus.
According to McAfee's EMEA security strategist, Toralv Dirro, "The basic Trojan functionality, capturing information such as passwords etc., is neither new nor unusual. What's new is the way the Trojan installs itself on a system and how the rootkit portion of the Trojan works. This Trojan modifies the first code that is run when a PC starts up and maintains control all the way through the boot process. While there have been so-called proof-of-concepts before, this is the first time we are seeing this method used in practice."
Dirro added: "It is not possible to remove this Trojan while it's active, so to get rid of it, it's necessary to boot the computer from the Windows CD and enter the recovery console, making removal very expensive and time-consuming."
Symantec's regional team meanwhile offered the following advice:
To prevent this threat from hitting your PC, run your Windows OS using a limited account (e.g. a standard user account with non-administrative privileges). If using Vista, keep UAC enabled and don't allow suspicious operations on your system. And of course, keep AV software updated.
"At present the threat is detected with the following names: Trojan.Mebroot and Boot.Mebroot. To repair or remove this malware, boot your PC from the 'Windows Recovery Console CD-ROM' and use the command 'fixmbr'." Further details are on Symantec's website.
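Because the infection lives in the MBR rather than in a file, a responder wants to confirm that sector 0 has actually been altered before (and after) running `fixmbr`. The script below is an added example, not code from the article, Symantec or McAfee: it parses the classic 512-byte MBR layout (boot code, four partition entries, 0x55AA signature), hashes the boot code and compares a sector against a known-good baseline. The device paths, the baseline approach and the two sample images are assumptions made for illustration; the sample bytes are constructed here and are not Mebroot's real code.

```python
"""Inspect a 512-byte Master Boot Record and compare it against a baseline.

Added example, not from the article or from Symantec/McAfee. The MBR layout
used here is the standard one: bytes 0-445 boot code, 446-509 four 16-byte
partition entries, 510-511 signature 0x55AA. The sample images built below
are constructed for this example and are NOT Mebroot's real bytes.
"""
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 446
PART_TABLE_OFF = 446
SIGNATURE = b"\x55\xaa"


def parse_mbr(sector: bytes) -> dict:
    """Split sector 0 into a boot-code hash, the non-empty partition entries and the signature check."""
    if len(sector) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    boot_code = sector[:BOOT_CODE_LEN]
    entries = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        # entry: status(1) CHS start(3) type(1) CHS end(3) LBA start(4, LE) sector count(4, LE)
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", sector, off)
        if ptype != 0:
            entries.append({"bootable": status == 0x80, "type": ptype,
                            "lba_start": lba_start, "sectors": sectors})
    return {
        "boot_code_sha256": hashlib.sha256(boot_code).hexdigest(),
        "partitions": entries,
        "signature_ok": sector[510:512] == SIGNATURE,
    }


def compare_mbr(baseline: bytes, current: bytes) -> list:
    """Return a list of findings; an empty list means the sector matches the baseline."""
    b, c = parse_mbr(baseline), parse_mbr(current)
    findings = []
    if not c["signature_ok"]:
        findings.append("signature 0x55AA missing: sector is not a valid MBR")
    if b["boot_code_sha256"] != c["boot_code_sha256"]:
        # the first differing offset shows whether the loader's entry point itself was patched
        first = next(i for i in range(BOOT_CODE_LEN) if baseline[i] != current[i])
        findings.append(f"boot code modified (first difference at offset {first})")
    if b["partitions"] != c["partitions"]:
        findings.append("partition table changed")
    return findings


def dump_sector0(device_path: str) -> bytes:
    """Read sector 0 from a raw device, e.g. /dev/sda on Linux or \\\\.\\PhysicalDrive0 on Windows.

    Run this from a clean boot medium (a WinPE or Linux live CD): code that controls
    the boot chain can intercept disk reads on the infected OS and return a
    clean-looking copy of the sector. Path and privileges are the caller's assumption.
    """
    with open(device_path, "rb") as dev:
        return dev.read(MBR_SIZE)


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Construct a synthetic MBR: the given boot code, one bootable NTFS-type partition, signature."""
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN]
    # status 0x80 (bootable), dummy CHS values, type 0x07 (NTFS), LBA 2048, 1 GiB of sectors
    entry = struct.pack("<B3sB3sII", 0x80, b"\x20\x21\x00", 0x07, b"\xfe\xff\xff", 2048, 2097152)
    table = entry + b"\x00" * 48
    return code + table + SIGNATURE


# Constructed images: a "known good" loader, and the same sector with the first
# instructions of the loader replaced by a jump, the way an MBR rootkit diverts boot.
CLEAN_MBR = build_sample_mbr(b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c" + bytes(range(200)))
TAMPERED_MBR = bytes.fromhex("e9 00 01") + CLEAN_MBR[3:]

if __name__ == "__main__":
    print("clean vs clean:", compare_mbr(CLEAN_MBR, CLEAN_MBR))
    for finding in compare_mbr(CLEAN_MBR, TAMPERED_MBR):
        print("FINDING:", finding)
```

In practice the baseline is a sector 0 dump taken when the machine was known to be clean (or the standard loader shipped by the OS), and the comparison is run from an offline boot; a matching boot-code hash after `fixmbr` is the confirmation that the repair took.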