With school closed due to the Coronavirus pandemic, some kids are creating malware to keep themselves occupied. Such is the case with a variety of new MBRLocker variants being released, including one with a Coronavirus theme.
MBRLockers are programs that replace the ‘master boot record’ of a computer so that the operating system can no longer start and a ransom note or other message is displayed instead.
Some MBRLockers such as Petya and GoldenEye also encrypt the table that contains the partition information for your drives, thus making it impossible to access your files or rebuild the MBR without entering a code or paying a ransom.
First MBRLocker with a Coronavirus theme
Last week, MalwareHunterTeam discovered the installer for a new malware with the name of “Coronavirus” being distributed as the COVID-19.exe file.
When installed, the malware extracts numerous files to a folder under %Temp% and then executes a batch file named Coronavirus.bat. This batch file moves the extracted files to a C:\COVID-19 folder, configures various programs to start automatically on login, and then restarts Windows.
After Windows is restarted, a picture of the Coronavirus will be displayed along with a message stating “coronavirus has infected your PC!”
Analysis by both SonicWall and Avast states that another program will also be executed that backs up the boot drive’s Master Boot Record (MBR) to another location and then replaces it with a custom MBR.
On reboot, the custom Master Boot Record will display a message stating “Your Computer Has Been Trashed” and Windows will not start.
Thankfully, the analysis by Avast shows that a bypass has been added to the custom MBR code that allows you to restore your original Master Boot Record so that you can boot normally. This can be done by pressing the CTRL+ALT+ESC keys at the same time.
Further research by BleepingComputer has discovered another variant from the same developer called ‘RedMist’. When installed, instead of showing the Coronavirus image, it shows an image of Squidward stating “Squidward is watching you”.
Like the Coronavirus version, this variant will warn you that after rebooting you will not be able to gain access to Windows again.
This variant also supports the CTRL+ALT+ESC bypass so that you can restore the original MBR.
It should be noted that these infections do not delete your data or destroy the partition table. Simply restoring the MBR from the backup location will allow you to start Windows and access your data again.
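The distinction drawn above, a replaced boot sector versus a damaged partition table, is exactly what a responder checks when triaging an MBRLocker. The following is an added example (not code from BleepingComputer, Avast or SonicWall) that parses a 512-byte MBR image, compares it against a backup copy, reports whether only the boot code was swapped out or the partition table was also altered, and rebuilds a bootable sector from the backed-up boot code while keeping the current partition table. The MBR images, the clean and "locker" boot-code bytes and the single NTFS partition entry are all constructed for the demonstration; the offsets (446-byte boot code, four 16-byte entries at 0x1BE, 0x55AA signature at 0x1FE) are the standard MBR layout. It operates on image files only, not on a live disk.

```python
from __future__ import annotations

import hashlib
import struct
from dataclasses import dataclass

SECTOR_SIZE = 512
BOOT_CODE_LEN = 446        # bytes 0x000-0x1BD hold the boot loader code
PART_TABLE_OFF = 446       # four 16-byte partition entries start at 0x1BE
BOOT_SIG_OFF = 510         # 0x55 0xAA at 0x1FE marks a valid boot sector
ENTRY_FMT = "<B3xB3xII"    # status, CHS start (skipped), type, CHS end (skipped), LBA start, count


@dataclass
class PartitionEntry:
    bootable: bool
    type_id: int
    lba_start: int
    sector_count: int


def parse_mbr(sector: bytes):
    """Split a raw MBR into (boot_code, [PartitionEntry x4]); reject malformed input."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    if sector[BOOT_SIG_OFF:] != b"\x55\xAA":
        raise ValueError("missing 0x55AA boot signature")
    boot_code = sector[:BOOT_CODE_LEN]
    entries = []
    for i in range(4):
        status, type_id, lba, count = struct.unpack_from(ENTRY_FMT, sector, PART_TABLE_OFF + 16 * i)
        entries.append(PartitionEntry(status == 0x80, type_id, lba, count))
    return boot_code, entries


def build_mbr(boot_code: bytes, entries) -> bytes:
    """Assemble a 512-byte MBR from boot code and up to four partition entries."""
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN]
    table = b""
    for i in range(4):
        if i < len(entries):
            e = entries[i]
            table += struct.pack(ENTRY_FMT, 0x80 if e.bootable else 0x00,
                                 e.type_id, e.lba_start, e.sector_count)
        else:
            table += b"\x00" * 16  # unused slot
    return code + table + b"\x55\xAA"


def assess(backup: bytes, current: bytes) -> dict:
    """Compare the current MBR with a known-good backup and classify the damage."""
    b_code, b_parts = parse_mbr(backup)
    c_code, c_parts = parse_mbr(current)
    return {
        "boot_code_replaced": b_code != c_code,
        "partition_table_intact": b_parts == c_parts,   # True for the lockers described above
        "current_boot_code_sha256": hashlib.sha256(c_code).hexdigest(),
    }


def restore_boot_code(backup: bytes, current: bytes) -> bytes:
    """Put the backed-up boot code back while keeping the partition table currently on disk."""
    b_code, _ = parse_mbr(backup)
    _, c_parts = parse_mbr(current)
    return build_mbr(b_code, c_parts)


# Constructed sample data: a stand-in for a real boot loader, a stand-in for a locker
# that only prints a message, and one bootable NTFS (type 0x07) partition.
CLEAN_BOOT_CODE = b"\x33\xC0\x8E\xD0\xBC\x00\x7C" + b"\x90" * 100
LOCKER_BOOT_CODE = b"\xB4\x0E" + b"Your Computer Has Been Trashed".ljust(100, b"\x00")
PARTS = [PartitionEntry(True, 0x07, 2048, 1_000_000)]
BACKUP_MBR = build_mbr(CLEAN_BOOT_CODE, PARTS)   # the copy the locker saved elsewhere
LOCKED_MBR = build_mbr(LOCKER_BOOT_CODE, PARTS)  # boot code swapped, table untouched
WIPED_MBR = build_mbr(LOCKER_BOOT_CODE, [])      # Petya-style: table gone as well

if __name__ == "__main__":
    print("locker :", assess(BACKUP_MBR, LOCKED_MBR))
    print("wiped  :", assess(BACKUP_MBR, WIPED_MBR))
    print("restored equals backup:", restore_boot_code(BACKUP_MBR, LOCKED_MBR) == BACKUP_MBR)
```

When `partition_table_intact` is true, splicing the backed-up boot code over the current sector is enough to boot again, which is the situation the article describes; a false value means the partition table itself was modified and the data needs a different recovery path.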
A steady stream of MBRLockers being made
BleepingComputer has been able to find numerous MBRLocker variants being released over the past week using different messages, memes, and inside jokes.
All of these MBRLocker variants are being made with a publicly available tool that was released on YouTube and Discord. BleepingComputer will not be publishing the name of the tool to prevent further variants from being released.
Below is a small sample of the various MBRLockers released this week and created using this utility.
BleepingComputer believes that all of these MBRLockers are being created for ‘fun’ or as part of ‘pranks’ to be played on people.
While it is not known if they are being distributed maliciously, users should still be especially careful about running any programs shared by other people, especially on Discord, without first scanning them using VirusTotal.
SHA-256 hashes:
1c9c800d28964e7672d59e733c8eba0a262fe1d80cdee042f376927ee296c560
3c62478766e21318fc9896a2135508789e3eb65020dcc463e3665e2e469882cc
070cd31f685e0809b19433735d15f8265662b44391b41807de19c8e96400bb87
539832697774fb2b092df3c545301d1ab576d915137a366b92863645148f6788
8e90cb8b2c8b0db6e64e181838e7f79539eec087cc75830108b1a84697376154
f632b6e822d69fb54b41f83a357ff65d8bfc67bc3e304e88bf4d9f0c4aedc224
f9452ba1966aee0e4c1713a6293c9551b3ff97d4fbf065696d4691ad339878b8
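A local complement to the VirusTotal check recommended above is to hash any files received through Discord or similar channels and match them against the published indicators. The following is an added example (not BleepingComputer's code): it walks a directory, hashes each file in chunks so large downloads do not need to fit in memory, and reports any file whose SHA-256 appears in the indicator set. The indicator set is the list of hashes printed in the article; the directory and file used in the self-test are constructed, and `scan_directory` is a name chosen here, not a tool the article mentions.

```python
import hashlib
import tempfile
from pathlib import Path

# SHA-256 hashes of the MBRLocker samples as listed in the article.
MBRLOCKER_HASHES = {
    "1c9c800d28964e7672d59e733c8eba0a262fe1d80cdee042f376927ee296c560",
    "3c62478766e21318fc9896a2135508789e3eb65020dcc463e3665e2e469882cc",
    "070cd31f685e0809b19433735d15f8265662b44391b41807de19c8e96400bb87",
    "539832697774fb2b092df3c545301d1ab576d915137a366b92863645148f6788",
    "8e90cb8b2c8b0db6e64e181838e7f79539eec087cc75830108b1a84697376154",
    "f632b6e822d69fb54b41f83a357ff65d8bfc67bc3e304e88bf4d9f0c4aedc224",
    "f9452ba1966aee0e4c1713a6293c9551b3ff97d4fbf065696d4691ad339878b8",
}

CHUNK_SIZE = 1024 * 1024  # hash in 1 MiB pieces to keep memory flat on large files


def sha256_of_file(path: Path) -> str:
    """Stream a file through SHA-256 and return the lowercase hex digest."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK_SIZE), b""):
            digest.update(chunk)
    return digest.hexdigest()


def scan_directory(root: Path, iocs: set) -> list:
    """Return (path, sha256) for every regular file under root whose hash is in iocs."""
    iocs = {h.lower() for h in iocs}
    hits = []
    for entry in sorted(root.rglob("*")):
        if not entry.is_file():
            continue
        digest = sha256_of_file(entry)
        if digest in iocs:
            hits.append((str(entry), digest))
    return hits


def self_test() -> list:
    """Constructed check: a throwaway directory with one file whose hash is added to the IOC set."""
    with tempfile.TemporaryDirectory() as tmp:
        sample = Path(tmp) / "downloaded.exe"
        sample.write_bytes(b"abc")  # constructed content, not a real sample
        extra = MBRLOCKER_HASHES | {sha256_of_file(sample)}
        return scan_directory(Path(tmp), extra)


if __name__ == "__main__":
    for path, digest in self_test():
        print(f"MATCH {digest}  {path}")
```

Point `scan_directory` at a downloads folder with `MBRLOCKER_HASHES` to check for the samples listed here; hashes only catch the exact files published, so this is a quick triage step, not a replacement for scanning.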