BackDoor.MaosBoot
(TROJ_MEBROOT.Z, Trojan.Mebroot.B, TR/Rootkit.Gen, TR/Spy.Gen, PWS:Win32/Sinowal.gen!P, Backdoor.Win32.Sinowal.agy, Mal_DLDER, BDS/Sinowal.fci.30, Backdoor.Win32.Sinowal.aha, BOO/Sinowal.D, Malware-Cryptor.Win32.Kefir, Backdoor.Win32.Sinowal.be, PSW.Sinowal.C.boot, Trojan:DOS/Sinowal.K, Gen:Trojan.Heur.rqW@QkoKfZn, Embedded.Malware-Cryptor.Win32.Kefir, Backdoor.Win32.Sinowal.fci, Backdoor.Win32.Sinowal.a)
Added to the Dr.Web virus database: 2007-12-29
Virus description added: 2007-12-29
Virus type: MBR Rootkit
The malware is an MBR loader that patches the OS kernel during the
boot process and loads its malicious driver into RAM. The rootkit code
is placed in the last sectors of the disk; that is, the driver does not
exist as a file. It protects and hides itself on the disk. The original
MBR is placed before the first partition of the disk.
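The layout described above (code in sectors outside any partition, a saved MBR copy ahead of the first partition) can be checked offline on a raw disk image. The following Python code is an added example, not part of the Dr.Web description: it assumes a classic MBR table with primary partitions only and 512-byte sectors, the function names are hypothetical, and the sample image is constructed.

```python
import struct

SECTOR = 512  # assumption: 512-byte logical sectors

def parse_mbr(mbr):
    """Return [(type, first_lba, sector_count)] for the used primary entries."""
    if len(mbr) < SECTOR or mbr[510:512] != b"\x55\xaa":
        raise ValueError("sector 0 has no 0x55AA boot signature")
    parts = []
    for i in range(4):
        entry = mbr[446 + 16 * i:462 + 16 * i]
        ptype = entry[4]
        first_lba, count = struct.unpack_from("<II", entry, 8)
        if ptype != 0 and count != 0:
            parts.append((ptype, first_lba, count))
    return parts

def scan_hidden_areas(image):
    """Flag non-empty sectors that lie outside every partition of a raw image."""
    total = len(image) // SECTOR
    parts = parse_mbr(image[:SECTOR])
    if not parts:
        raise ValueError("no primary partitions in the table")
    first = min(p[1] for p in parts)        # start of the first partition
    end = max(p[1] + p[2] for p in parts)   # first sector past the last one

    def nonzero(lo, hi):
        return [n for n in range(lo, min(hi, total))
                if any(image[n * SECTOR:(n + 1) * SECTOR])]

    gap = nonzero(1, first)
    return {
        "gap_nonzero": gap,  # data between sector 0 and the first partition
        "gap_mbr_like": [n for n in gap  # gap sectors ending in 0x55AA
                         if image[n * SECTOR + 510:n * SECTOR + 512] == b"\x55\xaa"],
        "tail_nonzero": nonzero(end, total),  # data after the last partition
    }

def build_sample_image():
    """Constructed 128-sector image: one partition at LBA 63, 49 sectors long."""
    img = bytearray(128 * SECTOR)
    struct.pack_into("<B3sB3sII", img, 446, 0x80, b"\0\0\0", 0x07, b"\0\0\0", 63, 49)
    img[510:512] = b"\x55\xaa"
    # Constructed stand-ins: an MBR-like sector in the gap, data in the tail.
    img[40 * SECTOR + 510:40 * SECTOR + 512] = b"\x55\xaa"
    img[120 * SECTOR:120 * SECTOR + 4] = b"DATA"
    return bytes(img)

if __name__ == "__main__":
    print(scan_hidden_areas(build_sample_image()))
```

Hits are leads for manual review rather than a verdict, because boot managers and disk utilities also store data in the gap before the first partition.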
The rootkit is installed in a system by Trojan.Packed.278, which tries
to infect the first 16 available disks. After installation, the Trojan
initiates a system reboot delayed by 60 minutes.