[AI] Technology Warning On Stealthy Windows Virus

shahnaz shycurrim at yahoo.co.in
Sat Jan 12 03:24:03 EST 2008

BBC NEWS | Technology

Warning on stealthy Windows virus
Security experts are warning about a stealthy Windows
virus that steals login details for online bank

In the last month, the malicious program has racked up
about 5,000 victims - most of whom are in Europe.

Many are falling victim via booby-trapped websites
that use vulnerabilities in Microsoft's browser to
install the attack code.

Experts say the virus is dangerous because it buries
itself deep inside Windows to avoid detection.

Old tricks

The malicious program is a type of virus known as a
rootkit and it tries to overwrite part of a computer's
hard drive called the Master Boot Record (MBR).

This is where a computer looks when it is switched on
for information about the operating system it will be

"If you can control the MBR, you can control the
operating system and therefore the computer it resides
on," wrote Elia Florio on security company Symantec's

Mr Florio pointed out that many viruses dating from
the days before Windows used the Master Boot Record to
get a grip on a computer.

Once installed the virus, dubbed Mebroot by Symantec,
usually downloads other malicious programs, such as
keyloggers, to do the work of stealing confidential

Most of these associated programs lie in wait on a
machine until its owner logs in to the online banking
systems of one of more than 900 financial

The Russian virus-writing group behind Mebroot is
thought to have created the Torpig family of viruses
that are known to have been installed on more than
200,000 systems. This group specialises in stealing
bank login information.

Security firm iDefense said Mebroot was discovered in
October but started to be used in a series of attacks
in early December.

Between 12 December and 7 January, iDefense detected
more than 5,000 machines that had been infected with
the program.

Analysis of Mebroot has shown that it uses its hidden
position on the MBR as a beachhead so it can
re-install these associated programs if they are
by anti-virus software.

Although the password-stealing programs that Mebroot
installs can be found by security software, few
commercial anti-virus packages currently detect its
presence. Mebroot cannot be removed while a computer
is running.

Independent security firm GMER has produced a utility
that will scan and remove the stealthy program.

Computers running Windows XP, Windows Vista, Windows
Server 2003 and Windows 2000 that are not fully
patched are all vulnerable to the virus.

Story from BBC NEWS:


More information about the AccessIndia mailing list
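The forwarded article says the rootkit overwrites part of the Master Boot Record, the sector the machine reads first at power-on, and uses that position to re-install its payloads after anti-virus removes them. One practical check a defender can run is to compare the MBR's boot code against a hash taken from a known-clean machine. The block below is an added example written for this page, not code from the BBC article, Symantec, iDefense or GMER; the sector layout (446 bytes of boot code, a 64-byte partition table, the 0x55AA signature) is the standard MBR format, but the sample sectors, the "clean" and "tampered" byte patterns, and the function names are constructed for illustration and do not represent Mebroot's actual code.

```python
"""Integrity check for a 512-byte Master Boot Record (MBR).

Added example for this mailing-list post; not code from the BBC article or
from the vendors it names. The sample sectors below are constructed inline;
the "tampered" one stands in for any bootkit that rewrites the boot code and
is not Mebroot's real code.
"""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 446      # bytes 0..445: boot code the BIOS jumps into at power-on
PART_TABLE_OFF = 446     # bytes 446..509: four 16-byte partition entries
PART_ENTRY_LEN = 16
SIGNATURE = b"\x55\xaa"  # bytes 510..511: 0x55 0xAA, or the BIOS refuses to boot it


def build_mbr(boot_code: bytes, partitions: list) -> bytes:
    """Assemble a sector from boot code and (status, type, lba_start, sectors) tuples."""
    if len(boot_code) != BOOT_CODE_LEN:
        raise ValueError("boot code must be exactly %d bytes" % BOOT_CODE_LEN)
    table = b""
    for status, ptype, lba_start, sectors in partitions:
        # CHS start/end fields (3 bytes each) are left zeroed; LBA is what matters today.
        table += struct.pack("<B3xB3xII", status, ptype, lba_start, sectors)
    table = table.ljust(4 * PART_ENTRY_LEN, b"\x00")
    return boot_code + table + SIGNATURE


def parse_mbr(sector: bytes) -> dict:
    """Split a sector into boot code, partition table and entries; validate the layout."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be %d bytes, got %d" % (SECTOR_SIZE, len(sector)))
    if sector[510:512] != SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFF + i * PART_ENTRY_LEN
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", sector, off)
        if ptype == 0:
            continue  # empty slot
        partitions.append({"status": status, "type": ptype,
                           "lba_start": lba_start, "sectors": sectors})
    return {"boot_code": sector[:BOOT_CODE_LEN],
            "partition_table": sector[PART_TABLE_OFF:PART_TABLE_OFF + 4 * PART_ENTRY_LEN],
            "partitions": partitions}


def baseline_from(sector: bytes) -> dict:
    """Hash the two regions separately; take this from a machine known to be clean."""
    mbr = parse_mbr(sector)
    return {"boot_code": hashlib.sha256(mbr["boot_code"]).hexdigest(),
            "partition_table": hashlib.sha256(mbr["partition_table"]).hexdigest()}


def check_mbr(sector: bytes, baseline: dict) -> dict:
    """Compare a freshly read sector with the baseline, region by region.

    A bootkit that still wants the machine to boot has to leave the partition
    table usable, so "boot code changed, table unchanged" is the pattern to
    alert on; a changed table more often means a legitimate repartition.
    """
    now = baseline_from(sector)
    return {"boot_code_changed": now["boot_code"] != baseline["boot_code"],
            "partition_table_changed": now["partition_table"] != baseline["partition_table"]}


def read_mbr(device: str) -> bytes:
    """Read sector 0 from a raw device. Not called by the sample run below."""
    # Windows (run as Administrator): r"\\.\PhysicalDrive0"; Linux (as root): "/dev/sda"
    with open(device, "rb") as fh:
        return fh.read(SECTOR_SIZE)


# --- constructed sample data (not real boot code) ----------------------------
CLEAN_BOOT_CODE = b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * (BOOT_CODE_LEN - 8)
TAMPERED_BOOT_CODE = b"\xeb\x3c\x90" + b"\x00" * (BOOT_CODE_LEN - 3)
SAMPLE_PARTITIONS = [(0x80, 0x07, 2048, 204800)]  # one bootable NTFS-type entry

CLEAN_MBR = build_mbr(CLEAN_BOOT_CODE, SAMPLE_PARTITIONS)
TAMPERED_MBR = build_mbr(TAMPERED_BOOT_CODE, SAMPLE_PARTITIONS)

if __name__ == "__main__":
    base = baseline_from(CLEAN_MBR)
    print("clean   :", check_mbr(CLEAN_MBR, base))
    print("tampered:", check_mbr(TAMPERED_MBR, base))
```

Caveat, which is general to kernel-resident rootkits rather than a claim about this specific sample: a rootkit that hooks disk I/O on the running system can hand back the original sector when the check reads it, which is consistent with the article's note that the program cannot be removed while the computer is running. Run the comparison from offline boot media, or against the disk mounted in another machine, before trusting a "clean" result.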