The trojan stops the AhnLab and Hauri antivirus programs if it finds either on your computer. It then makes changes to the Master Boot Record (MBR) so that, if you try to restart your computer, it will not start.
It may have the file name "update.exe" or "schsvcsc.exe". It then drops a file named "schsvcsc.dll" in the <system folder>; this file is also detected as Dembr.A.
The file named "schsvcsc.exe" enables "SeDebugPrivilege" to give the dropped DLL file higher privileges on your computer. It also injects the DLL file into the legitimate Windows process "lsass.exe" so that it automatically runs when Windows starts.
Modifies the MBR
It modifies the MBR, so that you cannot access your computer.
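Because the damage only becomes visible at the next restart, a defender wants a way to check the MBR of a disk or a forensic image before that happens. The following script is an added example and not part of this write-up: it reads the first 512-byte sector, runs structural sanity checks (the 0x55AA boot signature, a non-empty partition table, exactly one bootable entry, non-zero boot code) and optionally compares the sector against a baseline hash taken while the machine was known-good. The sample sectors are constructed in the code; the boot-code bytes are filler, not real boot code, and the page does not say which bytes Dembr.A overwrites, so the checks are generic rather than a signature for this family.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xaa"          # last two bytes of a valid MBR
PARTITION_TABLE_OFFSET = 446          # four 16-byte entries follow the boot code
PARTITION_ENTRY_SIZE = 16


def parse_partition_entry(raw):
    """Decode one classic MBR partition entry (status, type, start LBA, size)."""
    status = raw[0]
    ptype = raw[4]
    lba_start, sectors = struct.unpack_from("<II", raw, 8)
    return {"status": status, "bootable": status == 0x80,
            "type": ptype, "lba_start": lba_start, "sectors": sectors}


def check_mbr(sector):
    """Return a list of findings; an empty list means the sector looks structurally sane."""
    findings = []
    if len(sector) != SECTOR_SIZE:
        return ["sector is not 512 bytes"]
    if sector[SECTOR_SIZE - 2:] != BOOT_SIGNATURE:
        findings.append("boot signature 0x55AA missing")
    if sector[:PARTITION_TABLE_OFFSET] == b"\x00" * PARTITION_TABLE_OFFSET:
        findings.append("boot code area is all zeroes")
    entries = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + i * PARTITION_ENTRY_SIZE
        entries.append(parse_partition_entry(sector[off:off + PARTITION_ENTRY_SIZE]))
    used = [e for e in entries if e["type"] != 0]
    if not used:
        findings.append("partition table empty")
    else:
        if any(e["status"] not in (0x00, 0x80) for e in used):
            findings.append("partition entry has an invalid status byte")
        if sum(1 for e in used if e["bootable"]) != 1:
            findings.append("expected exactly one bootable partition")
    return findings


def mbr_matches_baseline(sector, baseline_sha256):
    """Compare the sector against a SHA-256 recorded while the system was known-good."""
    return hashlib.sha256(sector).hexdigest() == baseline_sha256


def read_mbr(path):
    """Read the first sector of a device or image, e.g. a raw disk image file.
    On Windows the live disk is r'\\.\PhysicalDrive0' and needs administrator rights."""
    with open(path, "rb") as fh:
        return fh.read(SECTOR_SIZE)


def build_sample_mbr():
    """Constructed, healthy-looking MBR: filler boot code, one bootable NTFS-type entry."""
    boot_code = b"\x33\xc0\x8e\xd0\xbc\x00\x7c".ljust(PARTITION_TABLE_OFFSET, b"\x90")
    entry = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07,
                        b"\xfe\xff\xff", 2048, 2097152)
    table = entry + b"\x00" * (3 * PARTITION_ENTRY_SIZE)
    return boot_code + table + BOOT_SIGNATURE


def build_wiped_mbr():
    """Constructed sector with everything zeroed, the shape of a destroyed MBR."""
    return b"\x00" * SECTOR_SIZE


if __name__ == "__main__":
    good = build_sample_mbr()
    baseline = hashlib.sha256(good).hexdigest()
    for label, sector in (("healthy", good), ("wiped", build_wiped_mbr())):
        print(label, check_mbr(sector), "baseline match:", mbr_matches_baseline(sector, baseline))
```

In practice you record the baseline hash as part of system provisioning and re-check it from a scheduled task or during incident triage on an image; a mismatch with a structurally valid sector still deserves a look, since a replaced boot loader can pass every sanity check.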
Stops antivirus products from running
It stops the following AhnLab and Hauri security-related processes from running, to make your computer vulnerable to threats:
- AhnLab Policy Agent
- Hauri ViRobot ISMS Client
Restarts your computer
It runs the following command on your computer, to force it to restart:
shutdown -r -t 0
Because of the modifications it makes to the MBR, restarting the computer will render it unusable.
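The two behaviours above, stopping the listed security products and then forcing an immediate restart, are each noisy on their own but together form a useful detection. The script below is an added example and not part of this write-up: it parses constructed, key=value style endpoint log lines (the format, hosts and timestamps are assumptions, not Dembr.A telemetry), flags a service-stopped event for either named product and a process creation whose command line is an immediate restart (the page's "shutdown -r -t 0", also accepting the "/" switch form Windows allows), and raises the severity when both occur on the same host.

```python
import re
from collections import defaultdict

# Services named on the page; matched case-insensitively.
WATCHED_SERVICES = {"ahnlab policy agent", "hauri virobot isms client"}

# Constructed sample telemetry, not real logs.
SAMPLE_LOG = r'''
2013-03-20T14:00:01 host=PC01 event=service_stopped name="AhnLab Policy Agent"
2013-03-20T14:00:02 host=PC01 event=process_create image=C:\Windows\System32\shutdown.exe cmdline="shutdown -r -t 0"
2013-03-20T14:05:00 host=PC02 event=process_create image=C:\Windows\System32\shutdown.exe cmdline="shutdown -r -t 600"
2013-03-20T14:06:00 host=PC02 event=service_stopped name="Print Spooler"
2013-03-20T14:07:30 host=PC03 event=process_create image=C:\Windows\System32\shutdown.exe cmdline="shutdown /r /t 0"
'''.strip().splitlines()

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line):
    """Turn 'key=value key="quoted value"' into a dict; the timestamp prefix is ignored."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}


def is_immediate_restart(cmdline):
    """True for shutdown invocations that restart (-r) with a zero delay (-t 0)."""
    tokens = cmdline.lower().split()
    if not tokens:
        return False
    exe = tokens[0].rsplit("\\", 1)[-1]
    if exe not in ("shutdown", "shutdown.exe"):
        return False
    args = [t.replace("/", "-") for t in tokens[1:]]   # normalise /r /t to -r -t
    has_restart = "-r" in args
    has_zero_delay = any(args[i] == "-t" and i + 1 < len(args) and args[i + 1] == "0"
                         for i in range(len(args)))
    return has_restart and has_zero_delay


def analyze(lines):
    """Return {host: severity} for hosts showing either or both indicators."""
    per_host = defaultdict(lambda: {"av_stopped": [], "restart": []})
    for line in lines:
        f = parse_line(line)
        host = f.get("host", "unknown")
        if f.get("event") == "service_stopped" and f.get("name", "").lower() in WATCHED_SERVICES:
            per_host[host]["av_stopped"].append(f["name"])
        elif f.get("event") == "process_create" and is_immediate_restart(f.get("cmdline", "")):
            per_host[host]["restart"].append(f["cmdline"])
    severity = {}
    for host, ev in per_host.items():
        if ev["av_stopped"] and ev["restart"]:
            severity[host] = "high"      # security product stopped, then forced restart
        elif ev["av_stopped"] or ev["restart"]:
            severity[host] = "medium"    # one indicator alone; review context
    return severity


if __name__ == "__main__":
    for host, sev in sorted(analyze(SAMPLE_LOG).items()):
        print(f"{host}: {sev}")
```

A "high" hit is the moment to isolate the host and image the disk before the restart completes, since the page says the modified MBR makes the machine unusable once it reboots; a "medium" hit on a forced restart alone is common administrative activity and is best reviewed alongside who launched it.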
Attempts to avoid detection and removal
It injects code into the legitimate Windows process "svchost.exe" to try to avoid detection and removal.
Analysis by Justin Kim, Horea Coroiu, & Alden Pornasdoro
The following system changes may indicate the presence of this malware:
- You are not able to start your computer