W32/Mkar-A

Aliases	Virus.Win32.Mkar.a W32/Mkar.a Win32/Mkar.A W32.Marak
Category	Viruses and Spyware
Type	Virus
What to do	If you've received an alert for a virus or spyware, then follow the instructions for removing the threat.
Prevalence	low high

Summary

Summary
Action
More Information


How it spreads	Infected files
Affected operating systems	Windows
Characteristics	Installs itself in the registry
Protection available since	2 December 2005 12:30:20 (GMT)
Detected by	All Sophos products

Sophos beta program
Register now for our latest beta tests

Endpoint Security and Control 9.0
Small business solutions 4.0

Action

Summary
Action
More Information

Please follow the instructions for disinfecting PE executables.

More Information

Summary
Action
More Information

W32/Mkar-A is a multicomponent prepending virus with backdoor functionality, that targets Windows PE EXE files.

W32/Mkar-A comprises the two executables: main host file and embedded UPX packed component.

W32/Mkar-A marks infected files by appending them with the following string:

"Mrak1pack..............."

W32/Mkar-A copies itself to the following files:

<Current Folder>\001\svchost.exe
<System>\Netstart\svchost.exe

where 001 and Netstart are folders created by the virus, and may create the files unpacker.exe and tmp.exe that are detected as components of the virus.

The following registry entry is set to run svchost.exe at start up:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
NetStart
<System>\NETSTART\svchost.exe"

Registry entries are created under:

HKLM\SOFTWARE\Microsoft\Mrak\

including the following:

HKLM\SOFTWARE\Microsoft\Mrak
ID = <random value>

HKLM\SOFTWARE\Microsoft\Mrak
OM = <random value>

Get reports about the latest virus and spyware threats delivered to your computer

In this section

W32/Mkar-A

Summary

Action

More Information