We recently witnessed another rootkit infection which raised the attention of the press and Microsoft users.
It is again a high profile malware whose target is the hard drive’s master boot record (MBR) corrupting the bootstrap of the Windows Operating System.
Once run the malware follows the steps below:
- Open file: \\.\PhysicalDrive0
- Create File: hello_tt.sys
The first step of the malware is the access phase to the hard drive partition where the operating system is installed. That is the sequence where the malware finds the master boot record (MBR).
The second step is the creation of a service dropped and installed on the victim OS.
Once the user restarts the victim machine, the OS does not boot up anymore due to the infection of the MBR.
Some reports found on Internet stated a full reinstall is needed but our experience in laboratory shows that using some tools can resolve the problem without a reinstall required.
An example is the use of FixMBR or MBRFix tools which are really helpful to quickly solve this kind of threat.
Total Defense Security Solutions are able to identify and block the rootkit before it starts its execution protecting the attacked machine.
The threat is identified as Win32\Droplet.LPV.
Recommendations:
- We invite our customers to always update Total Defense Security products to prevent threats that would otherwise compromise their machines.
- In case of missed signatures updates we recommend to contact our Threat Support Team who will give you all the necessary assistance to solve your issue in the best way.