Boot.Win32.KILLMBR.AD

February 22, 2021

Analysis by: Angelo Junio

ALIASES:

HEUR:Trojan.Win32.KillMBR.gen (KASPERSKY)

PLATFORM:

Windows

OVERALL RISK RATING:

DAMAGE POTENTIAL:

DISTRIBUTION POTENTIAL:

REPORTED INFECTION:

INFORMATION EXPOSURE:

Threat Type: Boot malware
Destructiveness: No
Encrypted:
In the wild: Yes

OVERVIEW

Infection Channel:

Downloaded from the Internet, Dropped by other malware

This Boot malware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites. It may be dropped by other malware.

However, as of this writing, the said sites are inaccessible.

TECHNICAL DETAILS

File Size:

107,008 bytes

File Type:

EXE

Memory Resident:

Yes

Initial Samples Received Date:

19 Feb 2021

Payload:

Connects to URLs/IPs

Arrival Details

This Boot malware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It may be dropped by the following malware:

Ransom.Win32.HUMBLE.THBAGBA

Other Details

This Boot malware connects to the following possibly malicious URL:

http://nk125srv.{BLOCKED}hostapp.com/logger.php

It does the following:

Writes into \.\PhysicalDrive0 until \.\PhysicalDrive24
It edits the affected system's Master Boot Record (MBR) to add its own boot code
After rebooting the system, it then displays the following as its ransom note:

However, as of this writing, the said sites are inaccessible.

SOLUTION

Minimum Scan Engine:

9.850

FIRST VSAPI PATTERN FILE:

16.548.05

FIRST VSAPI PATTERN DATE:

19 Feb 2021

VSAPI OPR PATTERN File:

16.549.00

VSAPI OPR PATTERN Date:

20 Feb 2021

Step 1

Trend Micro Predictive Machine Learning detects and blocks malware at the first sign of its existence, before it executes on your system. When enabled, your Trend Micro product detects this malware under the following machine learning name:

Troj.Win32.TRX.XXPE50FFF041

Step 2

Before doing any scans, Windows 7, Windows 8, Windows 8.1, and Windows 10 users must disable System Restore to allow full scanning of their computers.

Step 3

Note that not all files, folders, and registry keys and entries are installed on your computer during this malware's/spyware's/grayware's execution. This may be due to incomplete installation or other operating system conditions. If you do not find the same files/folders/registry information, please proceed to the next step.

Step 4

Identify files detected as Boot.Win32.KILLMBR.AD, then restore the Master Boot Record and delete malware/grayware files using Recovery Console

[ Learn More ]

This procedure allows the user to identify and delete malware/grayware files, and restore the Master Boot Record using Recovery Console:

• On Windows 7 and Server 2008 (R2) systems:

Scan your computer with your Trend Micro product and take note of the name of the malware/grayware detected.
Insert your Windows Installation DVD in the DVD drive, then Press the restart button.
When prompted, press any key to boot from the DVD.
Depending on your Windows Installation DVD, you might be required to select the installation language. Then on the Install Windows window, choose your language, locale, and keyboard layout or input method. Click Next, then click Repair your computer.
Select Use recovery tools that can help fix problems starting Windows. Select your installation of Windows. Click Next.
If the Startup Repair window appears, click Cancel, Yes, then Finish.
In the System Recovery Options window, click Command Prompt.
In the Command Prompt window, type the following then press Enter:
BootRec.exe /fixmbr
Trojan.Win32.KILLMBR.AD

(Note: In Windows 7, all local drives will be assigned one more than normal. For example, the C: drive becomes D:.)
Type exit and press Enter to close the Command Prompt window.
Click Restart to restart the system normally.

• On Windows 8, 8.1, 10, and Server 2012 (R2) systems:

Scan your computer with your Trend Micro product and then take note of the names of the malware/grayware files detected.
Insert your Windows Installation DVD in the DVD drive, then restart your computer.
When prompted, press any key to boot from the DVD.
Depending on your Windows Installation DVD, you might be required to select the keyboard layout. Then on the Windows Setup window, choose your language, locale, and input method. Click Next, then click Repair your computer.
Click Troubleshoot>Advanced Options>Command Prompt.
In the Command Prompt window, type the following then press Enter:
BootRec.exe /fixmbr
del "{malware/grayware path and file name}"
Type exit and press Enter to close the Command Prompt window.
Click Continue to restart the system normally.

Step 5

Scan your computer with your Trend Micro product to delete files detected as Boot.Win32.KILLMBR.AD. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check the following Trend Micro Support pages for more information:

Did this description help? Tell us how we did.

Boot.Win32.KILLMBR.AD

OVERVIEW

TECHNICAL DETAILS

SOLUTION

Resources

Support

About Trend

Country Headquarters

Boot.Win32.KILLMBR.AD

OVERVIEW

TECHNICAL DETAILS

SOLUTION

Resources

Support

About Trend

Country Headquarters

The Americas

Middle East & Africa

Europe

Asia & Pacific