Weekly Review – Oldschool reborn

Today's review is quite a looker. Who would have thought that old MBR virus infection techniques could become a means to hide new e-threats? Trojan.Mebroot.B is one of the smarter things in circulation these days.



The Adware.NaviPromo malware family is an advanced and difficult-to-detect adware that runs silently on the infected computer. It uses rootkit techniques to hide its files on disk and in memory. It also hides its registry entries.

It comes bundled with other applications that can be downloaded from the following locations: netgamebox.com, ediaplayer.com, planet.com, skinner.com, stro.com, cord.com, ngerskinner.com

Adware.Navipromo usually resides in %system% or the Local Settings\Application Data folder of the current user.

On its first execution it creates one or more of the following files in the same directory it was run from: [random_name].dat, [random_name]_nav.dat, [random_name]_navps.dat, [random_name]_navup.dat, [random_name]_navtmp.dat, [random_name]_m2s.xml, [random_name]_m2s.zl

It injects code into explorer.exe and connects to the Internet. After monitoring the victim's browsing habits, it sends the data to its creators and receives targeted advertising material. This is displayed by the e-threat in annoying pop-ups on the desktop.

Adware.Navipromo also tries to update itself by downloading an executable file in

It also adds registry entries to mark its presence on the system.


Trojan.Mebroot.B is a small e-threat that resides in the Master Boot Record (MBR) of the disk. When the infected PC starts up, Trojan.Mebroot is executed. The Trojan first reserves memory for its body by subtracting 2 from the total amount of conventional memory installed (in order to hide its traces and prevent the OS from overwriting it).

It will hook certain BIOS functions responsible for reading the disk and loading sectors into memory. After this step, it will load the original MBR into memory and execute it. Because the disk services are hooked, all the read actions performed by the MBR or the boot sector will activate the virus (true only while the processor is in real mode).

During the boot sequence the e-threat will execute its own kernel loader, which will execute and patch the Windows kernel in memory, in order to make it load a specific rootkit driver and prepare the execution of other malware already present on the system (most probably password stealers).
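
Because the Trojan replaces the code in the MBR, a changed bootstrap region is the on-disk sign of the infection described above. The following Python check is an added example, not code from the original article or from BitDefender: it parses a 512-byte MBR sector and compares a hash of its bootstrap code against a recorded known-good baseline. It assumes the classic MBR layout and a sector read from an offline disk image; the function names and the sample sectors are constructed for illustration.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_END = 440      # bytes 0..439 hold the bootstrap code
PART_TABLE_OFF = 446     # four 16-byte partition entries follow
BOOT_SIG = b"\x55\xaa"   # bytes 510..511


def parse_mbr(sector: bytes) -> dict:
    """Split a classic MBR sector into boot code hash, disk signature, partitions."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    parts = []
    for i in range(4):
        entry = sector[PART_TABLE_OFF + 16 * i: PART_TABLE_OFF + 16 * (i + 1)]
        lba_start, sectors = struct.unpack_from("<II", entry, 8)
        if entry[4]:  # partition type 0 marks an unused slot
            parts.append({"active": entry[0] == 0x80, "type": entry[4],
                          "lba_start": lba_start, "sectors": sectors})
    return {
        "valid_signature": sector[510:512] == BOOT_SIG,
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_END]).hexdigest(),
        "disk_signature": struct.unpack_from("<I", sector, 440)[0],
        "partitions": parts,
    }


def boot_code_modified(sector: bytes, baseline_sha256: str) -> bool:
    """True when the bootstrap code differs from the recorded baseline hash."""
    return parse_mbr(sector)["boot_code_sha256"] != baseline_sha256


def make_sample(boot_code: bytes) -> bytes:
    """Constructed test sector: placeholder boot code plus one active NTFS entry."""
    entry = struct.pack("<B3sB3sII", 0x80, b"\0\0\0", 0x07, b"\0\0\0", 63, 204800)
    body = boot_code.ljust(BOOT_CODE_END, b"\0") + struct.pack("<I", 0x1234ABCD) + b"\0\0"
    return body + entry + b"\0" * 48 + BOOT_SIG


if __name__ == "__main__":
    clean = make_sample(b"BASELINE")            # constructed known-good sector
    baseline = parse_mbr(clean)["boot_code_sha256"]
    changed = make_sample(b"CHANGED")           # same layout, different boot code
    print(parse_mbr(changed)["partitions"])
    print("boot code modified:", boot_code_modified(changed, baseline))
```

Only bytes 0 to 439 are hashed, so legitimate changes to the partition table or disk signature do not trip the check.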


Information in this article is available courtesy of BitDefender virus researchers: Stefan Catalin Hanu and Lutas Andrei Vlad.