MBR rootkit – here’s some references

Prevx Blog has a good writeup located at prevx.com/blog/75/Master-Boot-Record-Rootkit…

SANS Internet Storm Center has released an interesting timeline story – link here.

From the post based to Verisign iDefense data:


  • Oct. 30, 2007 – Original version of MBR rootkit written and tested by attackers
  • Dec. 12, 2007 – First known attacks installing MBR code
    about 1,800 users infected in four days.

McAfee detects the Trojan as StealthMBR (DAT 5204 or above) and Symantec as Trojan.Mebroot. Sophos uses name Troj/Mbroot-A, in turn. There are names like Trojan.Win32.Agent.dsj and TROJ_AGENT.APA assigned too.

10th Jan: Trend Micro uses the name TROJ_SINOWAL.AD
12th Jan: Symantec sees the infected MBR as Boot.Mebroot. McAfee uses the name StealthMBR!rootkit too.

  • Paul Enns

    I have been infected with the mbr rootkit for 4years.No one would believe me.The one i have is much more advanced and also flashes bios so rootkit cannot be removed.And it also updates any firmware on my computer.I have rebuilt my computer 4 times.Replacing everything.Allso tracked hacker to Russia.Everytime I rebuild I am attacked again.I have tried every tool.utility on the web.I still have infected hard drive,motherboards,dvd drives and ect.Who can I mail these parts too.So someone can find a fix for it.

  • 666bot

    im with u man. Ive just been hit bysomething from redlightcentre.com. It spawns itslef when u try and reformat or even fixmbr. Nothing works. Ive just installed extra security to try and restrict access, but the fact that they are present makes me angry. For a so called legitimate site, it exploits, hacks and steals information.

  • Ty

    YES! Finally someone else with the same problem. I have been trying to figure this out for along time now. NO ONE has believed me, but I have infected many parts of my PC with this because it is so persistent. I think it uses blended methods to infect the BIOS via firmware flash and then it updates the firmware of any other hardware on the machine via the same methods.

    You can tell your firmware is infected because the version numbering will have spaces in the wrong places also, if you attempt to flash the firmware with a good flash patch it will fail, either triggering an error or destroying your hardware.

    Not only this, there is something about the rootkit that dosen’t like flash. Flash video will lock the machine up. I’ve spent years replacing video cards and motherboards trying to fix this, only to have the problem return practically immediately after it seems to work.

    Please reply back with your experiences so we can try to expose this horrible malware!

  • ant

    hey guys, has anyone tried this free thing on the net called the trojan.mebroot removal tool 1.01??