Troj/MBRKill-A

    Category: Viruses and SpywareProtection available since:21 Mar 2013 09:23:33 (GMT)
    Type: TrojanLast Updated:26 Mar 2013 04:56:13 (GMT)
    Prevalence: Small Number of Reports

    Download Download our free Virus Removal Tool - Find and remove threats your antivirus missed

    Troj/MBRKill-A is a Trojan that overwrites the master boot record. 

    Once installed, Troj/MBRKill-A will attempt to write a 512 byte chunk with the text "PRINCPES" into the MBR and then force an immediate reboot of the infected machine.

    Troj/MBRKill-A also performs the following functions:

    - Tries to open file "JO840112-CRAS8468-11150923-PCI8273V" as a mapped file

    - Tries to create file "%WINDIR%\Temp\~v3.log

    - Tries to kill Pasvc.exe ("paSvc is a process file from company AhnLab, Inc. belonging to product AhnLab Policy Agent.")

    - Attempts to terminate the following process by issuing the command "taskkill /F /IM clisvc.exe" ("clisvc.exe is a CliSvc belonging to ViRobot ISMS from HAURI"). 

    Examples of Troj/MBRKill-A include:

    Example 1

    File Information

    Size
    24K
    SHA-1
    309af225ac59e1d2ffaada11e09f5715bce16c1e
    MD5
    db4bbdc36a78a8807ad9b15a562515c4
    CRC-32
    68ae9795
    File type
    Windows executable
    First seen
    2013-03-20

    Runtime Analysis

    Processes Created
    • c:\windows\system32\taskkill.exe

    Example 2

    File Information

    Size
    150K
    SHA-1
    367f38c1aceb5435bd02b37fa4a71349ce779d7f
    MD5
    b80153b66fdaafedfc0a65bcb940687d
    CRC-32
    f6308793
    File type
    Windows executable
    First seen
    2013-03-20

    Runtime Analysis

    Dropped Files
    • C:\WINDOWS\system32\schsvcsc.exe
      Size
      48K
      SHA-1
      64d381f6048e0e02fb89def1e9fb973ed20e2936
      MD5
      88a0a8c649f3f23e8af9e22b0fbeb9ef
      CRC-32
      b8b7b4c3
      File type
      Windows executable
      First seen
      2013-03-20
    • C:\WINDOWS\system32\schsvcsc.dll
      Size
      45K
      SHA-1
      7eaa4dac77cfddcb031e6190013d1380b02caefd
      MD5
      530c95eccdbd1416bf2655412e3dddbe
      CRC-32
      42f75abb
      File type
      Windows executable
      First seen
      2013-03-20
    Registry Keys Modified
    • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
      Shell
      explorer.exe,schsvcsc.exe
    Processes Created
    • c:\windows\system32\cmd.exe
    • c:\windows\system32\schsvcsc.exe

    Example 3

    File Information

    Size
    24K
    SHA-1
    4079b6212a5398b6912a37f27a8c39ca3a7f8585
    MD5
    f0e045210e3258dad91d7b6b4d64e7f3
    CRC-32
    f492a2d8
    File type
    Windows executable
    First seen
    2013-03-22

    Runtime Analysis

    Processes Created
    • c:\windows\system32\taskkill.exe

    Download Sophos HomeDownload
    Sophos Home

    Free business-grade security for the home.

    Endpoint Protection