
You have been re-routed to the Trojan:Win32/Dembr.A write-up because Trojan:Win32/Dembr.B has been renamed to Trojan:Win32/Dembr.A.
 

Trojan:Win32/Dembr.A


Trojan:Win32/Dembr.A is a trojan that deletes the Master Boot Record (MBR), rendering your computer unusable.

This trojan contains code to ensure that it only runs after 14:00 on March 20, in any given year.

Additional remediation steps for Trojan:Win32/Dembr.A

Trojan:Win32/Dembr.A may make lasting changes to your computer that will NOT be restored by detecting and removing this threat. In such cases, you will need to reinstall Windows, and restore your computer from backup.



What to do now

To detect and remove this threat and other malicious software that may be installed on your computer, run a full-system scan with an appropriate, up-to-date security solution. The following Microsoft products detect and remove this threat:

Threat behavior

The trojan stops the Ahnlab and Hauri antivirus programs if it finds either on your computer. It then makes changes to the Master Boot Record (MBR) so that, if you try to restart your computer, it will not start.

Installation

It may have the file name "update.exe" or "schsvcsc.exe". It then drops a file named "schsvcsc.dll" in the <system folder>; this file is also detected as Dembr.A.

The file named "schsvcsc.exe" enables "SeDebugPrivilege" to give the dropped DLL file higher privileges on your computer. It also injects the DLL file into the legitimate Windows process "lsass.exe" so that it automatically runs when Windows starts.

Payload

Modifies the MBR

It modifies the MBR, so that you cannot access your computer.

Stops antivirus products from running

It stops the following Ahnlab and Hauri security-related processes from running, to leave your computer vulnerable to other threats:

  • pasvc.exe - AhnLab Policy Agent
  • clisvc.exe - Hauri ViRobot ISMS Client

Restarts your computer

It runs the following command on your computer, to force it to restart:

shutdown -r -t 0

Because of the modifications it makes to the MBR, restarting the computer will render it unusable.
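As an added example (not part of Microsoft's write-up), the following Python checker parses a raw 512-byte first sector and reports whether the boot signature and partition table described above are still intact; a disk hit by this trojan's MBR payload fails one of these checks. The sample sector is constructed here, and the field layout used is the classic MBR format (partition table at offset 446, signature 0x55AA at offset 510).

```python
import struct
from dataclasses import dataclass

MBR_SIZE = 512
PART_TABLE_OFFSET = 446          # four 16-byte partition entries live here
BOOT_SIGNATURE = b"\x55\xaa"     # last two bytes of a valid MBR

@dataclass
class PartitionEntry:
    status: int       # 0x80 = active/bootable, 0x00 = inactive
    type_id: int      # 0x00 = unused slot, 0x07 = NTFS/exFAT, ...
    lba_start: int
    sector_count: int

def parse_partition_table(sector: bytes) -> list:
    """Decode the four classic MBR partition entries (CHS fields are skipped)."""
    entries = []
    for i in range(4):
        off = PART_TABLE_OFFSET + 16 * i
        status, _chs_start, type_id, _chs_end, lba_start, count = struct.unpack_from(
            "<B3sB3sII", sector, off)
        entries.append(PartitionEntry(status, type_id, lba_start, count))
    return entries

def assess_mbr(sector: bytes) -> str:
    """Classify a raw first sector; anything but 'ok' means the disk will not boot."""
    if len(sector) != MBR_SIZE:
        return "invalid-size"
    if sector == bytes(MBR_SIZE):
        return "wiped"                      # zero-filled: boot code and table are gone
    if sector[510:512] != BOOT_SIGNATURE:
        return "missing-boot-signature"
    parts = parse_partition_table(sector)
    if all(p.type_id == 0 for p in parts):
        return "empty-partition-table"
    if any(p.status not in (0x00, 0x80) for p in parts):
        return "corrupt-partition-entry"
    return "ok"

# Constructed sample: placeholder boot code (NOPs), one active NTFS partition at LBA 2048.
SAMPLE_MBR = bytearray(MBR_SIZE)
SAMPLE_MBR[0:PART_TABLE_OFFSET] = b"\x90" * PART_TABLE_OFFSET
struct.pack_into("<B3sB3sII", SAMPLE_MBR, PART_TABLE_OFFSET,
                 0x80, b"\x00\x00\x00", 0x07, b"\x00\x00\x00", 2048, 204800)
SAMPLE_MBR[510:512] = BOOT_SIGNATURE
SAMPLE_MBR = bytes(SAMPLE_MBR)
```

On a live Windows system the first sector can be read (with administrator rights) via `open(r"\\.\PhysicalDrive0", "rb").read(512)` and passed to `assess_mbr`; keeping a copy of that sector in a backup is what makes MBR recovery possible after a wipe.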

Additional information

Attempts to avoid detection and removal

It injects code into the legitimate Windows process "svchost.exe" to try to avoid detection and removal.

Analysis by Justin Kim, Horea Coroiu, & Alden Pornasdoro


Symptoms

System changes

The following system changes may indicate the presence of this malware:

  • You are not able to start your computer

Prevention


Alert level: Severe
First detected by definition: 1.147.94.0
Latest detected by definition: 1.173.2181.0 and higher
First detected on: Mar 20, 2013
This entry was first published on: Mar 20, 2013
This entry was updated on: Mar 26, 2013

This threat is also detected as:
  • Trojan.Win32.EraseMBR.b (Kaspersky)
  • W32/KillMBR.KR (Norman)
  • TR/KillMBR.Y.2 (Avira)
  • Trojan.KillFiles.10563 (Dr.Web)
  • Win32/KillDisk.NAS trojan (ESET)
  • Trojan.MBR.Killer (Ikarus)
  • KillMBR-FBIA (McAfee)
  • Troj/MBRKill-A (Sophos)
  • Trojan.Jokra (Symantec)
  • TROJ_KILLMBR.DS (Trend Micro)
  • W32/Jokra.A (Command)