MBR virus strikes back! - New wine in old bottle
Posted by webstuffscan on January 15th, 2008
A new virus called Trojan.Mebroot has been infecting Windows computers recently. What makes this virus unique is that it uses the Master Boot Record (MBR) to hide itself. The MBR contains the operating system loading code, which is executed first.
A machine gets infected when the user of the system accesses websites intended to spread the virus (such as warez or illegal download sites). Mebroot uses an Internet Explorer vulnerability to write directly to the Master Boot Record of the machine! The trojan itself is around 450kb in size and is stored in the last sectors of the hard disk. It then creates a backdoor on the machine.
Once the backdoor has been established, the program looks for any user access to internet banking sites. It then sends the captured banking userid, password, etc. to a third-party site! Pretty impressive, eh?
It is estimated that over 5000 machines are affected by this virus.
The easiest way to remove this virus is to run the “fixmbr” command from the Windows Recovery Console. This overwrites the virus entry in the MBR. Also, some of the latest BIOS settings allow you to make the MBR read-only. Any modification to the MBR will then throw a BIOS warning! So enable MBR protection today.
Lastly, never visit any website which offers warez, cracks, serials or free downloads. The real purpose of most of these sites is to spread keyloggers and other types of viruses. If you really want to check those sites, create a virtual PC using VMware or Windows Virtual PC exclusively for that purpose.
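A software counterpart to the BIOS warning described above, as an added example that is not part of the original post: this Python code compares the boot code of a saved MBR sector against a hash recorded while the disk was trusted, and reports how many sectors at the end of the disk lie outside every partition, the region where the post says the trojan is stored. The function names, the choice to hash only the first 440 bytes, and the sample sectors are assumptions made for illustration; it assumes the first sector has already been read into a 512-byte buffer.

```python
import hashlib
import struct

SECTOR = 512
CODE_LEN = 440  # boot code only; bytes 440-445 hold the per-disk signature

def parse_mbr(sector: bytes) -> dict:
    """Split a 512-byte MBR into boot-code hash, partitions and signature."""
    if len(sector) != SECTOR:
        raise ValueError("MBR must be exactly 512 bytes")
    parts = []
    for i in range(4):
        entry = sector[446 + 16 * i:462 + 16 * i]
        start, count = struct.unpack_from("<II", entry, 8)
        if entry[4] != 0:  # partition type 0 means the slot is unused
            parts.append({"bootable": entry[0] == 0x80, "type": entry[4],
                          "start": start, "sectors": count})
    return {"code_sha256": hashlib.sha256(sector[:CODE_LEN]).hexdigest(),
            "partitions": parts,
            "signature_ok": sector[510:] == b"\x55\xaa"}

def check_mbr(sector: bytes, baseline_sha256: str, disk_sectors: int):
    """Return (findings, tail): integrity findings and trailing unpartitioned sectors."""
    info = parse_mbr(sector)
    findings = []
    if not info["signature_ok"]:
        findings.append("missing 0x55AA boot signature")
    if info["code_sha256"] != baseline_sha256:
        findings.append("boot code differs from baseline")
    end = max((p["start"] + p["sectors"] for p in info["partitions"]), default=0)
    return findings, max(disk_sectors - end, 0)

def make_sample(code: bytes) -> bytes:
    """Constructed test sector: filler boot code plus one NTFS-type partition."""
    entry = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07,
                        b"\xfe\xff\xff", 63, 1_000_000)
    return code.ljust(446, b"\x00") + entry + bytes(48) + b"\x55\xaa"

if __name__ == "__main__":
    good = make_sample(b"KNOWN-GOOD-LOADER")   # constructed, not real boot code
    baseline = parse_mbr(good)["code_sha256"]  # recorded while the disk is trusted
    later = make_sample(b"REPLACED-LOADER")    # constructed "changed" sector
    print(check_mbr(good, baseline, 1_002_111))
    print(check_mbr(later, baseline, 1_002_111))
```

A non-zero tail is normal on many disks, so treat it as a place to look rather than as a finding on its own.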
