    The TDSS malware family in itself is already a big threat to users. Known for its rootkit capabilities, TDSS constantly evolves to include more sophisticated means in order to hide its presence in an affected system. The Mebroot malware family, on the other hand, is noted for inflicting master boot record (MBR) infections.

    TrendLabs℠ engineers recently came across a Mebroot sample detected as TROJ_MEBROOT.SMC that installs itself in the following new but familiar way:

    1. The main executable drops a file in the %User Temp% directory.
    2. It executes regsvr32 /s using the timeSetEvent function.
    3. It copies the said file into the Print Processor directory as %System%\spool\PRTPROCS\W32X86\{random number}.tmp.
    4. It then loads the file using API AddPrintProcessorA with the help of the
    5. It unloads the file using API DeletePrintProcessorA then deletes it.

    The routine is indeed familiar, since this is how TDSS malware installs other components onto users’ systems. The final payload modifies the MBR by writing thousands of bytes of code and the malware’s image file. It then restarts the affected system by executing the command shutdown -r -f -t 0.
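One way to hunt for the install sequence above in endpoint telemetry, added here as an example (not Trend Micro's code): it correlates, per host, a .tmp file written to the Print Processor directory, a silent regsvr32 run, and a forced zero-delay reboot. The event records, their field names, the host names and the 10-minute window are constructed assumptions.

```python
import re
from datetime import datetime, timedelta

# Indicators from the install routine above; event field names are assumptions.
PRTPROC_TMP = re.compile(r'\\spool\\prtprocs\\w32x86\\[^\\]+\.tmp$', re.I)
REGSVR_SILENT = re.compile(r'\bregsvr32(\.exe)?"?\s+.*/s\b', re.I)
FORCED_REBOOT = re.compile(
    r'\bshutdown(\.exe)?"?\s+(?=.*[-/]r\b)(?=.*[-/]f\b)(?=.*[-/]t\s+0\b)', re.I)

def classify(event):
    """Map one event to an indicator name, or None if nothing matches."""
    if event["type"] == "file_create" and PRTPROC_TMP.search(event["path"]):
        return "prtproc_tmp"
    if event["type"] == "process_create":
        if REGSVR_SILENT.search(event["cmdline"]):
            return "regsvr32_silent"
        if FORCED_REBOOT.search(event["cmdline"]):
            return "forced_reboot"
    return None

def find_install_chains(events, window=timedelta(minutes=10)):
    """Return {host: alert time} where all three indicators fall within window."""
    last_seen, alerts = {}, {}
    for ev in sorted(events, key=lambda e: e["time"]):
        tag = classify(ev)
        if tag is None:
            continue
        seen = last_seen.setdefault(ev["host"], {})
        seen[tag] = ev["time"]  # newest occurrence gives the tightest span
        if len(seen) == 3 and max(seen.values()) - min(seen.values()) <= window:
            alerts.setdefault(ev["host"], ev["time"])
    return alerts

def ev_record(host, time, kind, value):
    """Build one hypothetical telemetry record."""
    key = "path" if kind == "file_create" else "cmdline"
    return {"host": host, "time": datetime.fromisoformat(time), "type": kind, key: value}

# Constructed sample events (not from the original post).
SAMPLE_EVENTS = [
    ev_record("WS-01", "2010-06-01T10:00:05", "process_create", r"regsvr32 /s C:\Users\a\AppData\Local\Temp\1A2B.tmp"),
    ev_record("WS-01", "2010-06-01T10:00:07", "file_create", r"C:\WINDOWS\system32\spool\PRTPROCS\W32X86\48213.tmp"),
    ev_record("WS-01", "2010-06-01T10:00:30", "process_create", "shutdown -r -f -t 0"),
    ev_record("WS-02", "2010-06-01T09:00:00", "process_create", r"regsvr32 /s C:\Program Files\App\plugin.dll"),
    ev_record("WS-02", "2010-06-01T18:00:00", "process_create", "shutdown -r -t 60"),
    ev_record("WS-03", "2010-06-01T08:00:00", "file_create", r"C:\WINDOWS\system32\spool\PRTPROCS\W32X86\winprint.dll"),
    ev_record("WS-03", "2010-06-01T08:05:00", "process_create", "shutdown /r /f /t 0"),
]

if __name__ == "__main__":
    for host, when in find_install_chains(SAMPLE_EVENTS).items():
        print(f"{host}: print-processor install chain completed at {when}")
```

Each indicator alone also occurs in legitimate activity (installers call regsvr32 /s, administrators force reboots), which is why the example alerts only when all three appear on one host within the window.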

    By modifying the MBR, the malware automatically executes once the affected system is restarted. Its image file then sets off its other routines such as connecting and sending information to a randomly generated URL even if the user is not logged in to Windows.

    Upon restart, the malware will first connect to,, and Once successful, it then attempts to connect to servers as hard-coded domain names. Then it tries to connect to random-looking URLs generated using an algorithm based on the system’s time and date.

    It uses a couple of anti-detection techniques to hide its presence on the affected machine. One is hooking atapi.sys, a Windows file normally used as a driver for optical drives, so that it stays hidden from any disk-read operation that could result in its detection. The other is hooking the network driver to hide itself from network sniffing tools such as Wireshark and TCPView.

    The move to acquire other malware shows that Mebroot variants are becoming more creative in crafting techniques to infect users’ systems and to hide their routines. As such, it is possible for new variants and other malware families to team up in the future.

    Trend Micro product users need not worry, however, as Smart Protection Network™ already protects them from this threat by detecting and preventing the execution of TROJ_MEBROOT.SMC via the file reputation service.

    Additional text and in-depth analysis by Trend Micro advanced threat research engineer Ding Plazo
