caskind.blogg.se

Google drive porn virus




We recently discovered a new bootkit, i.e. a malicious program which infects the hard drive’s boot sector.

The Trojan infects the computers of users who try to download a video clip from a fake Chinese porn site.

This downloader is remarkable in that it downloads other malicious programs using an NSIS engine and stores all links in the relevant NSIS-script.

[Figure: fragment of the NSIS script]

The dropper is among the files downloaded by the Trojan-downloader. This malicious program infects the hard drive’s boot sector. More specifically, it saves the old MBR to the third sector and replaces it with its own. Starting with the fourth sector, it installs an encrypted driver and the remaining code.

[Figure: fragment from the start of the infected hard disk]

The malicious program gains control as soon as the infected computer boots. The first thing it does is to substitute the INT 13h interrupt by modifying the interrupt vector table. Then the bootkit restores the original MBR and resumes the normal boot process.

Once a specific part of the system has been booted, the bootkit intercepts the function ExVerifySuite. The installed hook replaces the system driver fips.sys with the malicious driver which was written to the start of the hard drive in an encrypted format. It should be noted that the driver fips.sys is not required for the operating system to run correctly, so the system won’t crash when it is replaced.

Launched processes are intercepted by the malicious driver using PsSetLoadImageNotifyRoutine. The hook processes the PE header in the loaded image by viewing the ‘Security’ section of the ‘DataDirectory’ array. The driver contains a list of strings (see below) that occur in the processes of popular antivirus programs.
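As an added example (not code from the original analysis), here is a defender's triage of a raw disk image for the on-disk layout described above: a saved boot record in a sector after the MBR, followed by high-entropy data in sectors that are normally empty. It generalizes slightly by scanning the whole gap before the first partition. It assumes 512-byte sectors, that the text counts sectors from 1 (third sector = LBA 2) and a 62-sector gap; all function names are illustrative.

```python
import math
import struct
from collections import Counter

SECTOR = 512

def looks_like_mbr(sec: bytes) -> bool:
    """0x55AA signature plus a plausible table: valid status bytes, one used entry."""
    if len(sec) != SECTOR or sec[510:512] != b"\x55\xaa":
        return False
    entries = [sec[446 + 16 * i:462 + 16 * i] for i in range(4)]
    if any(e[0] not in (0x00, 0x80) for e in entries):  # status byte
        return False
    return any(e[4] and struct.unpack_from("<I", e, 12)[0] for e in entries)

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; encrypted data approaches 8.0."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def triage_boot_area(image: bytes, gap: int = 62) -> dict:
    """Check LBA 0 and the normally unused sectors that follow it."""
    secs = [image[i:i + SECTOR] for i in range(0, (gap + 1) * SECTOR, SECTOR)]
    report = {"mbr_valid": looks_like_mbr(secs[0]), "mbr_copies": [], "high_entropy": []}
    for lba, sec in enumerate(secs[1:], start=1):
        if len(sec) < SECTOR or not any(sec):
            continue  # past end of image, or an all-zero sector
        if looks_like_mbr(sec):
            report["mbr_copies"].append(lba)    # a stashed copy of a boot record
        elif entropy(sec) > 7.0:
            report["high_entropy"].append(lba)  # possibly encrypted payload
    return report

def sample_image(infected: bool) -> bytes:
    """Constructed test image, not data from a real sample."""
    mbr = bytearray(SECTOR)
    struct.pack_into("<B3sB3sII", mbr, 446, 0x80, b"\x01\x01\x00", 0x07,
                     b"\xfe\xff\xff", 63, 204800)
    mbr[510:512] = b"\x55\xaa"
    img = bytearray(SECTOR * 63)
    img[0:SECTOR] = mbr
    if infected:
        img[2 * SECTOR:3 * SECTOR] = mbr         # third sector (LBA 2): saved MBR
        for lba in range(3, 8):                  # fourth sector onward: payload
            img[lba * SECTOR:(lba + 1) * SECTOR] = bytes(range(256)) * 2
    return bytes(img)

if __name__ == "__main__":
    print(triage_boot_area(sample_image(True)), triage_boot_area(sample_image(False)))
```

Boot loaders and disk-encryption products also legitimately use the sectors after the MBR, so a hit is a lead for closer inspection rather than a verdict.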





