New Coronavirus-Themed Malware Locks You Out of Windows

With school closed due to the Coronavirus pandemic, some kids are creating malware to keep themselves occupied. Such is the case with a variety of new MBRLocker variants being released, including one with a Coronavirus theme.

MBRLockers are programs that overwrite a computer’s master boot record (MBR), the first sector of the boot drive, so that instead of loading the operating system the machine displays a ransom note or some other message.

Some MBRLockers, such as Petya and GoldenEye, go further and also encrypt the NTFS Master File Table (MFT), the table that records where every file on the drive is stored. That makes it impossible to access your files, or to recover simply by rebuilding the MBR, without entering a key or paying the ransom.

Petya Ransomware

First MBRLocker with a Coronavirus theme

Last week, MalwareHunterTeam discovered the installer for a new malware with the name of “Coronavirus” being distributed as the COVID-19.exe file.

MHT Tweet

When run, the installer extracts numerous files to a folder under %Temp% and then executes a batch file named Coronavirus.bat. This batch file moves the extracted files to a C:\COVID-19 folder, configures several of those programs to start automatically at login so they survive a reboot, and then restarts Windows.

Coronavirus.bat file

After Windows is restarted, a picture of the Coronavirus will be displayed along with a message stating “coronavirus has infected your PC!”

The Coronavirus image shown after the first reboot

Analysis by both SonicWall and Avast shows that another of the dropped programs is then executed: it backs up the boot drive’s Master Boot Record (MBR) to another location and then overwrites the real MBR with a custom one.

MBR being backed up and overwritten
Source: SonicWall

On reboot, the custom Master Boot Record will display a message stating “Your Computer Has Been Trashed” and Windows will not start.

MBRLock lock screen

Thankfully, the analysis by Avast shows that the custom MBR code contains a bypass that restores the original Master Boot Record from the backup so the machine boots normally again: at the lock screen, press the CTRL+ALT+ESC keys at the same time.

Further research by BleepingComputer has discovered another variant from the same developer called ‘RedMist’. When installed, instead of showing the Coronavirus image, it shows an image of Squidward stating “Squidward is watching you”. 

Like the Coronavirus version, this variant will warn you that after rebooting you will not be able to gain access to Windows again.

Squidward/RedMist version

This variant also supports the CTRL+ALT+ESC bypass so that you can restore the original MBR.

It should be noted that these infections do not delete your data or destroy the partition table. Simply restoring the MBR from the backup location will allow you to start Windows and access your data again.
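The recovery described above works because only the 446 bytes of boot code in the MBR are replaced, while the 64-byte partition table and the 0x55AA boot signature that follow it are left intact. The script below is an added example, not code from the article or from the SonicWall or Avast analyses: it parses a 512-byte MBR, reports which region of a live sector differs from a known-good backup, and rebuilds a clean sector by combining the backup’s boot code with the live partition table (useful when partitions were changed after the backup was taken). Both sectors it works on are constructed sample data; the boot-code bytes are stand-ins, not bytes captured from the COVID-19.exe sample.

```python
"""Added example: parse a 512-byte MBR, detect boot-code tampering, and rebuild a
clean MBR from a backup. All sector contents are constructed sample data."""
import struct

MBR_SIZE = 512
BOOT_CODE_SIZE = 446          # bytes 0..445: bootstrap code (what an MBRLocker overwrites)
TABLE_OFFSET = 446            # bytes 446..509: four 16-byte partition entries
TABLE_SIZE = 64
BOOT_SIGNATURE = b"\x55\xAA"  # bytes 510..511
ENTRY_FMT = "<B3sB3sII"       # status, CHS start, type, CHS end, LBA start, sector count


def parse_partition_table(mbr: bytes) -> list:
    """Decode the four primary partition entries of an MBR."""
    if len(mbr) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    entries = []
    for i in range(4):
        off = TABLE_OFFSET + i * 16
        status, _chs_s, ptype, _chs_e, lba_start, sectors = struct.unpack(ENTRY_FMT, mbr[off:off + 16])
        entries.append({"index": i, "bootable": status == 0x80, "type": ptype,
                        "lba_start": lba_start, "sectors": sectors})
    return entries


def has_boot_signature(mbr: bytes) -> bool:
    return mbr[510:512] == BOOT_SIGNATURE


def check_mbr(live: bytes, backup: bytes) -> dict:
    """Compare a live MBR against a known-good backup, region by region."""
    live_table = live[TABLE_OFFSET:TABLE_OFFSET + TABLE_SIZE]
    backup_table = backup[TABLE_OFFSET:TABLE_OFFSET + TABLE_SIZE]
    return {
        "signature_ok": has_boot_signature(live),
        "boot_code_modified": live[:BOOT_CODE_SIZE] != backup[:BOOT_CODE_SIZE],
        "partition_table_modified": live_table != backup_table,
    }


def restore_boot_code(live: bytes, backup: bytes) -> bytes:
    """Rebuild an MBR: clean boot code from the backup, partition table from the live
    sector (partitions may have changed since the backup), and a valid signature."""
    return backup[:BOOT_CODE_SIZE] + live[TABLE_OFFSET:TABLE_OFFSET + TABLE_SIZE] + BOOT_SIGNATURE


def build_mbr(boot_code: bytes, entries: list) -> bytes:
    """Assemble a 512-byte MBR from boot code and packed partition entries (sample-data helper)."""
    code = boot_code.ljust(BOOT_CODE_SIZE, b"\x00")[:BOOT_CODE_SIZE]
    table = b"".join(entries).ljust(TABLE_SIZE, b"\x00")[:TABLE_SIZE]
    return code + table + BOOT_SIGNATURE


# Constructed sample: one bootable NTFS (type 0x07) partition starting at LBA 2048.
NTFS_ENTRY = struct.pack(ENTRY_FMT, 0x80, b"\x20\x21\x00", 0x07, b"\xFE\xFF\xFF", 2048, 204800)
# Stand-in for stock boot code (xor ax,ax / mov ss,ax / mov sp,0x7C00), not a real dump.
ORIGINAL_MBR = build_mbr(b"\x33\xC0\x8E\xD0\xBC\x00\x7C", [NTFS_ENTRY])
# Constructed lock stub: an infinite jump followed by the message text; same partition table.
TAMPERED_MBR = build_mbr(b"\xEB\xFE" + b"Your Computer Has Been Trashed", [NTFS_ENTRY])

if __name__ == "__main__":
    # On a real Windows host the live sector comes from
    # open(r"\\.\PhysicalDrive0", "rb").read(512) (administrator rights required);
    # here both sectors are the constructed samples above.
    print("tamper report:", check_mbr(TAMPERED_MBR, ORIGINAL_MBR))
    for part in parse_partition_table(TAMPERED_MBR):
        if part["type"]:
            print("partition still intact:", part)
    print("restored == backup:", restore_boot_code(TAMPERED_MBR, ORIGINAL_MBR) == ORIGINAL_MBR)
```

Run against the constructed sectors, the report shows boot code modified, partition table untouched and the signature still valid, which is exactly the state the article describes; writing the rebuilt sector back to sector 0 (or letting the malware’s own CTRL+ALT+ESC bypass copy the backup) is all that is needed to boot again. Never write a rebuilt sector to a disk whose partition table check came back as modified without first verifying the entries by hand.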

A steady stream of MBRLockers being made

BleepingComputer has been able to find numerous MBRLocker variants released over the past week, each using different messages, memes, and inside jokes.

All of these MBRLocker variants are being made with a publicly available tool that was released on YouTube and Discord. BleepingComputer will not be publishing the name of the tool to prevent further variants from being released.

Below is a small sample of the various MBRLockers released this week and created using this utility.

BleepingComputer believes that all of these MBRLockers are being created for ‘fun’ or as part of ‘pranks’ to be played on people.

While it is not known whether they are being distributed maliciously, users should still be wary of running any program shared by other people, particularly on Discord, without first scanning it with VirusTotal.

IOCs

1c9c800d28964e7672d59e733c8eba0a262fe1d80cdee042f376927ee296c560
3c62478766e21318fc9896a2135508789e3eb65020dcc463e3665e2e469882cc
070cd31f685e0809b19433735d15f8265662b44391b41807de19c8e96400bb87
539832697774fb2b092df3c545301d1ab576d915137a366b92863645148f6788
8e90cb8b2c8b0db6e64e181838e7f79539eec087cc75830108b1a84697376154
f632b6e822d69fb54b41f83a357ff65d8bfc67bc3e304e88bf4d9f0c4aedc224
f9452ba1966aee0e4c1713a6293c9551b3ff97d4fbf065696d4691ad339878b8
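The following script is an added example for putting the hashes above to use; it is not code from the article. It walks a directory tree, SHA-256s every file in chunks and reports matches against the IOC list, and adds a weaker name-based check for the two file names the article mentions (COVID-19.exe and Coronavirus.bat), since the builder tool behind these variants produces fresh binaries whose hashes will not be on any list. The demo files it creates are constructed and hash to nothing on the IOC list; the demo treats one of them as an IOC only so the hash path can be exercised offline.

```python
"""Added example: SHA-256 IOC sweep of a directory tree with a name-based fallback.
IOC hashes are copied from the article; the demo files are constructed."""
import hashlib
import os
import sys
import tempfile
from pathlib import Path

# SHA-256 hashes from the article's IOC section.
IOC_SHA256 = {
    "1c9c800d28964e7672d59e733c8eba0a262fe1d80cdee042f376927ee296c560",
    "3c62478766e21318fc9896a2135508789e3eb65020dcc463e3665e2e469882cc",
    "070cd31f685e0809b19433735d15f8265662b44391b41807de19c8e96400bb87",
    "539832697774fb2b092df3c545301d1ab576d915137a366b92863645148f6788",
    "8e90cb8b2c8b0db6e64e181838e7f79539eec087cc75830108b1a84697376154",
    "f632b6e822d69fb54b41f83a357ff65d8bfc67bc3e304e88bf4d9f0c4aedc224",
    "f9452ba1966aee0e4c1713a6293c9551b3ff97d4fbf065696d4691ad339878b8",
}

# File names the article associates with these samples. A name match is a weak,
# easily evaded indicator: it warrants a look, not a verdict.
SUSPICIOUS_NAMES = {"covid-19.exe", "coronavirus.bat"}


def sha256_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Hash a file in 1 MiB chunks so large files do not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def scan_directory(root: str, ioc_hashes=IOC_SHA256, names=SUSPICIOUS_NAMES) -> list:
    """Return a list of (path, reason) for files whose hash or name matches."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                digest = sha256_file(path)
            except OSError:
                continue  # locked or unreadable file: skip it rather than abort the sweep
            if digest in ioc_hashes:
                hits.append((path, "sha256:" + digest))
            elif name.lower() in names:
                hits.append((path, "name:" + name))
    return hits


def run_demo():
    """Constructed demo: one file matched by hash (its own hash is added to the IOC
    set for the demo), one matched by name only, and a control run with no name check."""
    with tempfile.TemporaryDirectory() as tmp:
        by_hash = Path(tmp) / "dropper.exe"
        by_hash.write_bytes(b"constructed sample, not the real malware")
        by_name = Path(tmp) / "Coronavirus.bat"
        by_name.write_bytes(b"@echo constructed sample\r\n")
        sample_hash = hashlib.sha256(by_hash.read_bytes()).hexdigest()
        hits = scan_directory(tmp, ioc_hashes=IOC_SHA256 | {sample_hash})
        matched = {os.path.basename(p): reason.split(":", 1)[0] for p, reason in hits}
        control = scan_directory(tmp, ioc_hashes=IOC_SHA256, names=set())
        return matched, control


if __name__ == "__main__":
    # Usage: python ioc_sweep.py <directory>; with no argument, runs the constructed demo.
    if len(sys.argv) > 1:
        for path, reason in scan_directory(sys.argv[1]):
            print(reason, path)
    else:
        print(run_demo())
```

On a Windows host the places worth sweeping first are the user’s %Temp% and the C:\COVID-19 folder the batch file creates; a hash hit identifies one of the samples listed above, while a name-only hit is a prompt to pull the file for a closer look.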

Kent
