Microsoft security software detects and removes this threat.

This virus can make your PC crash unexpectedly. If you can reboot your PC after the crash, you should run a full antivirus scan.

It can be distributed any ways that are used by other malware, for example, by exploiting vulnerabilities, or installed by other malware, for example TrojanDropper:Win32/Rovnix.H.

Find out ways that malware can get on your PC.  

What to do now

The following free Microsoft software detects and removes this threat:

Even if we've already detected and removed this particular threat, running a full scan might find other malware that is hiding on your PC.

Get more help

To restore your PC, you might need to download and run Windows Defender Offline. See our advanced troubleshooting page for more help.

You can also ask for help from other PC users at the Microsoft virus and malware community.

If you’re using Windows XP, see our Windows XP end of support page.

Run the Bootrec.exe tool

To completely remove this threat you might need to run the Bootrec.exe tool using your Windows installation CD.

For Windows 8:

  1. Put your Windows 8 media in the DVD drive and restart your PC.
  2. Select a language, time and currency, and keyboard or input method, and then click Next.
  3. Click Repair your computer.
  4. Click Troubleshoot, then Advanced options.
  5. Click Command Prompt and then type Bootrec /FixBoot and then press Enter.
  6. Type Exit and the press Enter.
  7. At the Choose an Option screen click Continue.
  8. Remove the Windows 8 CD from your DVD drive and restart your PC.

For Windows 7:

  1. Put your Windows 7 media in the DVD drive and restart your PC
  2. Press any key when you are prompted.
  3. Select a language, time and currency, and keyboard or input method, and then click Next.
  4. Click Repair your computer.
  5. Select the operating system that you want to repair, and then click Next.
  6. In the SystemRecovery Options dialog box, click Command Prompt.
  7. Type Bootrec.exe /fixboot, and then press Enter.
  8. Remove the Windows 7 CD from your DVD drive and restart your PC.

Threat behavior

This threat is a malicious Volume Boot Record (VBR), which is loaded at boot time.

It intercepts the hard disk I/O (input/output) operation, or system memory layout functions, to patch the PC's boot module. It also tries to tamper with Windows kernel data to load its own malicious driver. When your PC starts, the malware is loaded instead, and you may experience crashes.

The malicious driver injects other malware components, for example Trojan:Win32/Claretore.L and Trojan:Win32/Vundo, into certain system processes such as svchost, or other processes related to programs such as firefox, iexplorer, and chrome.

To hide its presence on your PC, the loaded driver intercepts the hard disk I/O (input/output) operation, and returns the original clean copy if the VBR is accessed.

It also provides a private network stack to prevent the PC from using its standard network. Some versions of the threat also contain a backdoor that it uses to get other malicious components from the server.

Analysis by Jim Wang


The following could indicate that you have this threat on your PC:

  • Your PC crashes when you try to start it


Alert level: Severe
First detected by definition: 1.167.1347.0
Latest detected by definition: 1.173.2181.0 and higher
First detected on: Mar 06, 2014
This entry was first published on: Apr 17, 2014
This entry was updated on: May 05, 2014

This threat is also detected as:
No known aliases