Mebroot, a so-called "rootkit", is found on websites created to exploit a vulnerability in Internet Explorer and install attack code. Security experts warned that Mebroot is a dangerous virus that is difficult to detect because it hides deep in the operating system. The program seeks to overwrite part of the Master Boot Record (MBR). This is the area of the hard drive that the computer reads first when power is turned on, to find the operating system parameters.
Writing on the blog of security firm Symantec, Mr. Elia Florio pointed out that virus programs that take over the MBR gain control before Windows starts, and so control the operating system. Once installed, Mebroot paves the way for other malicious programs to be downloaded, such as information-stealing software that takes confidential data. Most of these programs remain inactive until computer owners access online banking systems.
Security firm iDefense has confirmed that Mebroot has been detected since December 2007, but the virus variant became active in a series of attacks that occurred at the end of the year. From December 12, 2007 to January 7, 2008, more than 5,000 infected computers were recorded.
Analysis of Mebroot shows that, by using the MBR as a shelter, it can reinstall its associated programs after they are detected and removed by antivirus software. Only a few antivirus programs can find it, and Mebroot cannot be removed while the computer is running.
Computers running Windows XP, Windows Vista, Windows Server 2003 and Windows 2000 that are not fully patched are easy targets for this virus. A tool just released by the independent security firm GMER is said to detect and remove the information-stealing program introduced by Mebroot.