HAURI Security Column
Worm.Win32.S.Zimuse, a malicious code that destroys the MBR sector. -- 02/10/10

Written by Tae Keun Kim - HAURI Virus Lab.

1. A fatally destructive virus



An MBR virus that destroys the PC system after booting has recently been found, so users need to pay special attention to their security. If a user's PC is infected by an MBR (Master Boot Record) virus, the virus hides in the PC until the user starts it, and then destroys the system files once booting is complete. HAURI has therefore urgently updated the ViRobot repair pattern.



2. What is MBR?



MBR is the abbreviation for Master Boot Record. It is the 512-byte first sector of a storage device and is also called the "Partition Sector" or "Master Partition Table". The MBR is very important because it holds the locations of the partitions into which the HDD is divided. It also contains a program that reads the boot sector of the partition holding the OS; that boot sector in turn contains a program that loads the rest of the OS into memory.


[PIC 1] MBR sector of a real HDD


3. Malicious code, Worm.Win32.S.Zimuse



Worm.Win32.S.Zimuse.195072, the malicious code covered by this update, is an MBR virus. It pretends to be a password-protected compressed file, runs as if it were a normal Windows service, and destroys the MBR sector of the user's system when a certain date arrives. The malicious code uses a compression-related icon, and users hardly notice that it is running because of the fake WinZip behaviour shown in the image below.



[PIC 2] Malicious code's icon



[PIC 3] Fake WinZip behaviour shown when the malicious code is executed

However, it also drops further malicious files and registers them as system services so that they run automatically at system boot.



-Malicious code-
Msey.sys (Worm.Win32.S.Zimuse.18188)
Mstart.sys (Worm.Win32.S.Zimuse.13100)


Both malicious files are dropped into the folder that holds the system drivers, and they are loaded automatically when the system starts.


[PIC 4] The two malicious files are dropped into the system driver folder.

In addition, the malicious code "mseus.exe (Worm.Win32.S.Zimuse.69632.A)", which actually destroys the HDD's MBR sector, is itself loaded automatically at system boot.


[PIC 5] Code that uses registry values


[PIC 6] Code that destroys the MBR sector at a certain time.


[PIC 7] Twenty days after infection, it starts to destroy the MBR sector.


[PIC 8] It overwrites the MBR sector with "0".


[PIC 9] Once the MBR sector is destroyed, the system can no longer boot.
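As an added example (not code from HAURI or from this column), the following Python parses the 512-byte MBR layout described in section 2 and checks a sector for the damage shown in PIC 8, an MBR overwritten with zeros, against a fingerprint recorded while the disk was known-good. The sample MBR, its boot-code bytes and the partition values are constructed for the demonstration.

```python
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_SIZE = 446          # bytes 0..445 hold the boot loader code
PARTITION_TABLE_OFFSET = 446  # four 16-byte partition entries follow
BOOT_SIGNATURE = b"\x55\xaa"  # bytes 510..511 of a valid MBR

def parse_mbr(sector: bytes) -> dict:
    """Split a 512-byte MBR into boot code, four partition entries and the signature."""
    if len(sector) != MBR_SIZE:
        raise ValueError("an MBR is exactly 512 bytes")
    partitions = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + 16 * i
        # entry: boot flag, 3 bytes CHS start, type, 3 bytes CHS end, LBA start, sector count
        flag, ptype, lba, count = struct.unpack_from("<B3xB3xII", sector, off)
        partitions.append({"bootable": flag == 0x80, "type": ptype,
                           "lba_start": lba, "sectors": count})
    return {"boot_code": sector[:BOOT_CODE_SIZE], "partitions": partitions,
            "signature": sector[510:]}

def mbr_fingerprint(sector: bytes) -> str:
    """SHA-256 of the whole sector; record it per disk while the system is known-good."""
    return hashlib.sha256(sector).hexdigest()

def audit_mbr(sector: bytes, baseline: str) -> list:
    """Return findings that indicate the MBR was wiped or altered (empty list = intact)."""
    findings = []
    mbr = parse_mbr(sector)
    if sector == bytes(MBR_SIZE):
        findings.append("sector entirely zero")
    if mbr["signature"] != BOOT_SIGNATURE:
        findings.append("boot signature missing")
    if all(p["type"] == 0 for p in mbr["partitions"]):
        findings.append("no partition entries")
    if mbr_fingerprint(sector) != baseline:
        findings.append("fingerprint mismatch")
    return findings

def build_sample_mbr() -> bytes:
    """Constructed healthy MBR: placeholder boot code and one bootable NTFS-type partition."""
    boot_code = b"\xeb\xfe" + b"\x90" * (BOOT_CODE_SIZE - 2)  # jmp $ plus NOP padding (placeholder)
    entry = struct.pack("<B3xB3xII", 0x80, 0x07, 2048, 204800)
    return boot_code + entry + bytes(16 * 3) + BOOT_SIGNATURE

if __name__ == "__main__":
    healthy = build_sample_mbr()
    baseline = mbr_fingerprint(healthy)
    print("healthy:", audit_mbr(healthy, baseline))              # []
    print("after wipe:", audit_mbr(bytes(MBR_SIZE), baseline))  # the zero overwrite from PIC 8
```

On a live system the 512 bytes would be read from the raw disk device (for example `\\.\PhysicalDrive0` on Windows, with administrator rights) and compared with the baseline stored while the disk was known-good.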


4. Conclusion



So far we have looked at one kind of MBR virus, but there are many other viruses that destroy the MBR sector, and they are written for a variety of malicious purposes. It is therefore very hard to be completely at ease about this kind of virus even when using an anti-virus program. Using a valid anti-virus program is of course always required, but the most important thing is the user's constant attention to and caution about security.
