New Trojan repairs itself after removal

Posted: October 26, 2012 in Encyclopedia viruses, IT Security News, Security Notices
Doctor Web, a Russian developer of IT security software, reports the spread of a new Trojan, Trojan.GBPBoot.1, which has an interesting self-healing mechanism.

Judging by its known malicious functions, Trojan.GBPBoot.1 is relatively primitive malware: it can download various executable files from a remote server and run them on the infected computer, or run programs that are not stored directly on the victim’s machine. That is the whole of its malicious payload. What makes this Trojan interesting is its ability to seriously resist attempts to remove it.

Trojan.GBPBoot.1 consists of several modules. The first one modifies the master boot record (MBR) of the hard disk and then writes, to the end of the corresponding partition (outside the file system), the virus installer module, the module that automatically restores the Trojan, an archive containing the explorer.exe file, and a sector of configuration data. It then drops the virus installer into the system folder, runs it, and deletes its own file.
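Two of the places this Trojan touches, the MBR bootstrap code and the sectors that follow the end of a partition or the end of the disk, are invisible to a file-system scan, so a defender has to inspect them at the sector level. The following script is an added example written for this page, not Doctor Web’s code and not derived from the Trojan: it parses an MBR, compares the bootstrap code against a known-good hash, measures the slack after the last partition, and compares the size each NTFS or FAT32 boot sector declares with the size of its partition. The disk image, partition layout and boot sectors are constructed inline; on a real machine the same 512-byte sectors would be read from the raw device (for example `\\.\PhysicalDrive0` on Windows or `/dev/sda` on Linux, which needs administrator or root rights), and the baseline hash must come from a clean reference copy of the same boot loader.

```python
"""Sector-level checks for an MBR-modifying Trojan (added example; constructed data)."""
import hashlib
import struct

SECTOR = 512


def parse_mbr(mbr: bytes) -> dict:
    """Split a 512-byte MBR into a bootstrap-code hash, the partition entries and the signature."""
    if len(mbr) != SECTOR:
        raise ValueError("MBR must be exactly one 512-byte sector")
    partitions = []
    for i in range(4):
        entry = mbr[446 + 16 * i: 446 + 16 * (i + 1)]
        status, ptype = entry[0], entry[4]                 # 0x80 = bootable; type 0 = empty slot
        lba_start, sectors = struct.unpack_from("<II", entry, 8)
        if ptype != 0 and sectors:
            partitions.append({"index": i, "bootable": status == 0x80, "type": ptype,
                               "lba_start": lba_start, "sectors": sectors})
    return {"bootcode_sha256": hashlib.sha256(mbr[:446]).hexdigest(),
            "signature_ok": mbr[510:512] == b"\x55\xaa",
            "partitions": partitions}


def slack_after_last_partition(parsed: dict, disk_sectors: int) -> int:
    """Sectors between the end of the last partition and the end of the disk: no file system owns them."""
    if not parsed["partitions"]:
        return disk_sectors
    last_end = max(p["lba_start"] + p["sectors"] for p in parsed["partitions"])
    return max(0, disk_sectors - last_end)


def filesystem_sectors(boot_sector: bytes):
    """(name, total_sectors) as declared by an NTFS or FAT32 boot sector, or None for anything else."""
    if boot_sector[3:11] == b"NTFS    ":
        return "NTFS", struct.unpack_from("<Q", boot_sector, 0x28)[0]
    if boot_sector[0x52:0x5A] == b"FAT32   ":
        total = struct.unpack_from("<I", boot_sector, 0x20)[0]
        if total == 0:                                     # small volumes use the 16-bit field
            total = struct.unpack_from("<H", boot_sector, 0x13)[0]
        return "FAT32", total
    return None


def unused_partition_tail(partition: dict, boot_sector: bytes) -> int:
    """Sectors at the end of the partition that its file system does not account for.
    NTFS legitimately leaves exactly one (its backup boot sector); more than that is
    space where modules can be parked without the file system ever seeing them."""
    fs = filesystem_sectors(boot_sector)
    if fs is None:
        return 0
    name, total = fs
    tail = partition["sectors"] - total - (1 if name == "NTFS" else 0)
    return max(0, tail)


def check_disk(mbr: bytes, disk_sectors: int, baseline_bootcode_sha256: str, boot_sectors: dict) -> list:
    """Run all checks; boot_sectors maps partition index -> that partition's first sector (VBR)."""
    parsed = parse_mbr(mbr)
    findings = []
    if not parsed["signature_ok"]:
        findings.append("MBR signature is not 55AA")
    if parsed["bootcode_sha256"] != baseline_bootcode_sha256:
        findings.append("MBR bootstrap code differs from baseline")
    slack = slack_after_last_partition(parsed, disk_sectors)
    if slack:
        findings.append(f"{slack} sectors after the last partition lie outside any file system")
    for p in parsed["partitions"]:
        vbr = boot_sectors.get(p["index"])
        if vbr is not None and (tail := unused_partition_tail(p, vbr)):
            findings.append(f"partition {p['index']}: {tail} sectors at its end are beyond the file system")
    return findings


# --- constructed sample disk (not a real image): one NTFS partition at LBA 2048, 204800 sectors ---
def _build_mbr(bootcode: bytes) -> bytes:
    entry = bytes([0x80, 0, 0, 0, 0x07, 0, 0, 0]) + struct.pack("<II", 2048, 204800)
    return bootcode.ljust(446, b"\0") + entry + b"\0" * 48 + b"\x55\xaa"


def _build_ntfs_vbr(total_sectors: int) -> bytes:
    vbr = bytearray(SECTOR)
    vbr[0:3] = b"\xeb\x52\x90"
    vbr[3:11] = b"NTFS    "
    struct.pack_into("<H", vbr, 0x0B, 512)                # bytes per sector
    vbr[0x0D] = 8                                          # sectors per cluster
    struct.pack_into("<Q", vbr, 0x28, total_sectors)       # total sectors declared by NTFS
    vbr[510:512] = b"\x55\xaa"
    return bytes(vbr)


CLEAN_BOOTCODE = b"\x33\xc0\x8e\xd0\xbc\x00\x7c"           # stand-in for a real loader stub
CLEAN_MBR = _build_mbr(CLEAN_BOOTCODE)
BASELINE = hashlib.sha256(CLEAN_MBR[:446]).hexdigest()     # hash of the known-good bootstrap code
TAMPERED_MBR = _build_mbr(b"\xeb\x1e" + CLEAN_BOOTCODE)    # patched jump at the start of the boot code
DISK_SECTORS = 208896                                      # 2048 + 204800 + 2048 trailing sectors
VBR_NORMAL = _build_ntfs_vbr(204799)                       # partition size minus the backup boot sector
VBR_SHRUNK = _build_ntfs_vbr(204799 - 64)                  # file system 64 sectors shorter than partition

if __name__ == "__main__":
    for finding in check_disk(TAMPERED_MBR, DISK_SECTORS, BASELINE, {0: VBR_SHRUNK}):
        print(finding)
```

On the constructed clean disk the only finding is the 2048 trailing sectors, which is the normal alignment slack most partitioning tools leave; the tampered disk additionally reports the changed bootstrap code and 64 unexplained sectors at the end of the partition. Sectors flagged this way should be dumped and examined, not assumed malicious, since recovery partitions, boot managers and alignment padding also live outside file systems.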

Once launched, the virus installer stores a configuration file and a dynamic-link library in the system folder and registers the library as a system service. The installer then starts the service and deletes itself.

The system service in turn loads the configuration file stored in the system directory (or reads the configuration data the dropper saved to disk earlier), connects to the remote command-and-control server, sends it information about the infected system, and tries to download onto the infected computer the executable the server specifies. If the download fails, the next connection attempt is made at the next system restart.

If for any reason the malicious service file is removed (for example, by an anti-virus disk scan), the self-healing mechanism kicks in. Through the modified MBR, a routine runs at computer start-up that checks the file system for the malicious service file; the standard NTFS and FAT32 file systems are supported. If the file is absent, Trojan.GBPBoot.1 overwrites the standard explorer.exe with its own copy containing the “self-healing tool”, which then runs as Windows loads. Once it receives control, the malicious copy of explorer.exe re-initiates the infection, then restores the original explorer.exe and launches it. As a result, a simple scan with many anti-virus programs may not give the expected result, because the Trojan is able to repair itself on the protected system. Removing only the service file is therefore not enough: the modified MBR and the modules stored outside the file system must be cleaned as well.

Dr.Web anti-virus software has mechanisms to detect and cure this threat, including restoring the modified MBR, so Trojan.GBPBoot.1 does not pose a serious risk to Doctor Web users.
