Troj/MBRKill-A

Category: Viruses and Spyware
Protection available since: 21 Mar 2013 09:23:33 (GMT)
Type: Trojan
Last Updated: 26 Mar 2013 04:56:13 (GMT)
Prevalence: Small Number of Reports


Troj/MBRKill-A is a Trojan that overwrites the master boot record. 

Once installed, Troj/MBRKill-A will attempt to write a 512-byte chunk containing the text "PRINCPES" into the MBR and then force an immediate reboot of the infected machine.

Troj/MBRKill-A also performs the following functions:

- Tries to open file "JO840112-CRAS8468-11150923-PCI8273V" as a mapped file

- Tries to create file "%WINDIR%\Temp\~v3.log"

- Tries to kill Pasvc.exe ("paSvc is a process file from company AhnLab, Inc. belonging to product AhnLab Policy Agent.")

- Attempts to terminate the following process by issuing the command "taskkill /F /IM clisvc.exe" ("clisvc.exe is a CliSvc belonging to ViRobot ISMS from HAURI"). 

Examples of Troj/MBRKill-A include:

Example 1

File Information

Size: 24K
SHA-1: 309af225ac59e1d2ffaada11e09f5715bce16c1e
MD5: db4bbdc36a78a8807ad9b15a562515c4
CRC-32: 68ae9795
File type: Windows executable
First seen: 2013-03-20

Runtime Analysis

Processes Created
  • c:\windows\system32\taskkill.exe

Example 2

File Information

Size: 150K
SHA-1: 367f38c1aceb5435bd02b37fa4a71349ce779d7f
MD5: b80153b66fdaafedfc0a65bcb940687d
CRC-32: f6308793
File type: Windows executable
First seen: 2013-03-20

Runtime Analysis

Dropped Files
  • C:\WINDOWS\system32\schsvcsc.exe
    Size: 48K
    SHA-1: 64d381f6048e0e02fb89def1e9fb973ed20e2936
    MD5: 88a0a8c649f3f23e8af9e22b0fbeb9ef
    CRC-32: b8b7b4c3
    File type: Windows executable
    First seen: 2013-03-20
  • C:\WINDOWS\system32\schsvcsc.dll
    Size: 45K
    SHA-1: 7eaa4dac77cfddcb031e6190013d1380b02caefd
    MD5: 530c95eccdbd1416bf2655412e3dddbe
    CRC-32: 42f75abb
    File type: Windows executable
    First seen: 2013-03-20

Registry Keys Modified
  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    Shell: explorer.exe,schsvcsc.exe

Processes Created
  • c:\windows\system32\cmd.exe
  • c:\windows\system32\schsvcsc.exe

Example 3

File Information

Size: 24K
SHA-1: 4079b6212a5398b6912a37f27a8c39ca3a7f8585
MD5: f0e045210e3258dad91d7b6b4d64e7f3
CRC-32: f492a2d8
File type: Windows executable
First seen: 2013-03-22

Runtime Analysis

Processes Created
  • c:\windows\system32\taskkill.exe