June 21st, 2010, 13:18 GMT · By

The Windows Boot Process Can Be Killed by New Yonsole.A Backdoor

A new piece of malware is capable of killing the Windows boot process, according to Microsoft. Win32/Yonsole.A is a backdoor Trojan: a piece of malicious code designed to compromise a computer, connect to a server controlled by the attacker, and then receive and execute whatever instructions that server sends. One of the functions of Yonsole is to stop Windows startup dead in its tracks. According to Microsoft’s Chun Feng, the malware is capable of doing this because it modifies the Master Boot Record of the infected computer.

“A recently discovered backdoor sample (detected as Backdoor:Win32/Yonsole.A) can accept and execute a command from a remote server to modify the Master Boot Record (MBR) on the affected machine. The modification to the MBR is like the old ‘Stoned’ virus for DOS. However, in this case, the MBR does nothing but display a banner in the center of the screen and freeze the PC,” Feng stated.
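Because the MBR modification described above leaves the machine unable to boot, a defender's first question is how to notice that the first sector has changed before the next reboot. The script below is an added example written for this article, not code from Microsoft or from the malware analysis: it parses a 512-byte MBR (bootstrap code, disk signature, four partition entries, 0x55AA signature) and compares a SHA-256 of the boot-code region against a previously recorded baseline. The sample sectors, the disk signature value and the boot-code bytes are constructed stand-ins, not real boot code.

```python
"""Parse a 512-byte MBR and compare its boot code against a known-good baseline.

Added example for the Yonsole.A article; the sample sectors below are
constructed and do not contain real boot code.
"""
import hashlib
import struct
import sys
from typing import Dict, List

MBR_SIZE = 512
BOOT_CODE_LEN = 440          # bytes 0..439: bootstrap code in the classic layout
PARTITION_TABLE_OFFSET = 446 # four 16-byte entries follow the signature/reserved bytes
SIGNATURE = b"\x55\xaa"      # bytes 510..511


def parse_mbr(sector: bytes) -> Dict:
    """Split a raw first sector into its fields and hash the boot-code region."""
    if len(sector) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    if sector[510:512] != SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for i in range(4):
        start = PARTITION_TABLE_OFFSET + 16 * i
        entry = sector[start:start + 16]
        # status(1) CHS-start(3, skipped) type(1) CHS-end(3, skipped) LBA-start(4) sectors(4)
        status, ptype, lba_start, sectors = struct.unpack("<B3xB3xII", entry)
        if ptype != 0:  # type 0 means an empty slot
            partitions.append({
                "index": i,
                "bootable": status == 0x80,
                "type": ptype,
                "lba_start": lba_start,
                "sectors": sectors,
            })
    return {
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "disk_signature": struct.unpack("<I", sector[440:444])[0],
        "partitions": partitions,
    }


def check_mbr(sector: bytes, baseline_sha256: str) -> List[str]:
    """Return a list of findings; an empty list means the sector matches the baseline."""
    info = parse_mbr(sector)
    findings = []
    if info["boot_code_sha256"] != baseline_sha256:
        findings.append("boot code differs from baseline")
    if not any(p["bootable"] for p in info["partitions"]):
        findings.append("no active (bootable) partition")
    return findings


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed test sector: one bootable NTFS-typed partition at LBA 2048."""
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")
    disk_signature = struct.pack("<I", 0x1234ABCD)  # constructed value
    reserved = b"\x00\x00"
    entry = struct.pack("<B3xB3xII", 0x80, 0x07, 2048, 409600)
    table = entry + b"\x00" * 48  # three empty slots
    return code + disk_signature + reserved + table + SIGNATURE


# Constructed stand-ins: a "known-good" sector and one whose boot code was replaced.
GOOD_MBR = build_sample_mbr(b"CONSTRUCTED-ORIGINAL-BOOT-CODE")
TAMPERED_MBR = build_sample_mbr(b"CONSTRUCTED-REPLACED-BOOT-CODE")
BASELINE = parse_mbr(GOOD_MBR)["boot_code_sha256"]

if __name__ == "__main__":
    # Usage: python mbr_check.py <raw-first-sector-file> <baseline-sha256>
    if len(sys.argv) == 3:
        with open(sys.argv[1], "rb") as f:
            print(check_mbr(f.read(MBR_SIZE), sys.argv[2]) or "OK: boot code matches baseline")
    else:
        print("good:    ", check_mbr(GOOD_MBR, BASELINE))
        print("tampered:", check_mbr(TAMPERED_MBR, BASELINE))
```

The baseline hash should be recorded while the machine is known to be clean and stored off the host; on a live Windows system the first sector can be read with administrator rights from the `\\.\PhysicalDrive0` device and fed to `check_mbr`. Only the 440-byte boot-code region is hashed because the disk signature and partition table legitimately change when volumes are added or resized.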

Although it was discovered in the first half of this month, all major antivirus makers offer protection against Yonsole, including Microsoft. PCs infected with this piece of malware are no longer under the control of the user. Instead, an attacker can tell the compromised machine to perform various tasks, as Yonsole is designed to phone home to a remote host for instructions.

[Image caption: A system infected with the Yonsole.A Backdoor will no longer start]

“When executed, Backdoor:Win32/Yonsole.A injects itself into services.exe and drops a DLL file to the <system folder>, for example: f00165500k.cmd,” Feng added. “The DLL file contains the backdoor functionality and may be detected as Backdoor:Win32/Yonsole.B. Backdoor:Win32/Yonsole.A installs the dropped DLL as a Service DLL to make sure it is loaded at each Windows start, for example: adds value: "ServiceDll"; with data: "<system folder>\f00165500k.cmd"; under key: HKLM\SYSTEM\CurrentControlSet\Services\F00165500K\Parameters.”

Yonsole can infect a wide range of Windows releases: on Windows 2000 and NT it drops the DLL into C:\Winnt\System32, and on Windows XP, Windows Vista, and Windows 7 into C:\Windows\System32.
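The persistence mechanism quoted above (a `ServiceDll` value under a service's `Parameters` key pointing at a file that is a DLL despite its `.cmd` extension) is something a defender can audit across every service at once. The script below is an added example written for this article, not code from Microsoft or from the malware analysis: it parses the text produced by `reg export HKLM\SYSTEM\CurrentControlSet\Services`, collects every `ServiceDll` value (both plain `REG_SZ` strings and the `hex(2):` encoding that `reg export` uses for `REG_EXPAND_SZ`), and flags entries whose path does not end in `.dll` or whose service name matches the `f<random>k` pattern mentioned in the reader comment on this page. The embedded `.reg` text is a constructed sample: the `Dnscache` entry mimics a benign Windows service, and the second entry is modelled on the example names in the article.

```python
"""Audit ServiceDll values in a .reg export of the Services hive.

Added example for the Yonsole.A article. SAMPLE_REG is constructed text in
the format written by `reg export`, not an export from a real machine.
"""
import re
from typing import Dict, List

# Constructed sample: a benign-looking service (ServiceDll stored as hex(2), i.e.
# REG_EXPAND_SZ encoded as UTF-16LE bytes) and an entry modelled on the article.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache]
"DisplayName"="DNS Client"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters]
"ServiceDll"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,\
  00,74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,\
  64,00,6e,00,73,00,72,00,73,00,6c,00,76,00,72,00,2e,00,64,00,6c,00,6c,00,00,\
  00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\F00165500K\Parameters]
"ServiceDll"="C:\\Windows\\System32\\f00165500k.cmd"
"""

SECTION_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.*)$')
HEX_RE = re.compile(r"^hex\((\d)\):(.*)$")
# Naming pattern described in the reader comment: f, random characters, k.
RANDOM_NAME_RE = re.compile(r"^f[0-9a-z]+k$", re.IGNORECASE)


def _join_continuations(text: str) -> List[str]:
    """reg export wraps long hex values with a trailing backslash; glue them back."""
    lines, buf = [], ""
    for raw in text.splitlines():
        line = buf + raw.strip()
        buf = ""
        if line.endswith("\\"):
            buf = line[:-1]
            continue
        lines.append(line)
    if buf:
        lines.append(buf)
    return lines


def _decode(data: str) -> str:
    """Turn the right-hand side of a value line into a Python string."""
    if data.startswith('"') and data.endswith('"'):
        return data[1:-1].replace("\\\\", "\\").replace('\\"', '"')
    m = HEX_RE.match(data)
    if m and m.group(1) in ("1", "2"):  # hex(1)=REG_SZ, hex(2)=REG_EXPAND_SZ
        raw = bytes(int(b, 16) for b in m.group(2).split(",") if b)
        return raw.decode("utf-16-le").rstrip("\x00")
    return data


def service_dlls(reg_text: str) -> Dict[str, str]:
    """Map service name -> ServiceDll path for every service in the export."""
    result, current = {}, None
    for line in _join_continuations(reg_text):
        section = SECTION_RE.match(line)
        if section:
            current = section.group(1)
            continue
        value = VALUE_RE.match(line)
        if value and current and value.group("name").lower() == "servicedll":
            parts = current.split("\\")
            # ...\Services\<name>\Parameters is the usual location; ...\Services\<name> also occurs
            name = parts[-2] if parts[-1].lower() == "parameters" else parts[-1]
            result[name] = _decode(value.group("data"))
    return result


def suspicious(service: str, dll_path: str) -> List[str]:
    """Reasons an entry deserves a closer look; empty list means nothing noted."""
    reasons = []
    filename = dll_path.replace("/", "\\").rsplit("\\", 1)[-1]
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext != "dll":
        reasons.append(f"ServiceDll points at a non-.dll file ({filename})")
    if RANDOM_NAME_RE.match(service):
        reasons.append("service name matches the f<random>k pattern")
    return reasons


def audit(reg_text: str) -> Dict[str, List[str]]:
    """Only the flagged services, each with its reasons."""
    flagged = {}
    for service, path in service_dlls(reg_text).items():
        reasons = suspicious(service, path)
        if reasons:
            flagged[service] = reasons
    return flagged


if __name__ == "__main__":
    for service, reasons in audit(SAMPLE_REG).items():
        print(service, "->", "; ".join(reasons))
```

A match on the `f<random>k` name or the `.cmd` extension is a lead, not proof: the final check is whether the file on disk is a PE image and whether the service is signed and known. Running the audit against a real export means replacing `SAMPLE_REG` with the contents of the exported `.reg` file.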

READER COMMENTS:

Comment #1 by: Bogdan Botezatu on 22 Jun 2010, 10:33 UTC

Hehe, the folks at Microsoft must have really rushed with analysis. First of all, the F00165500K.cmd DLL that attaches to svchost.exe and the additional Registry key are named randomly, by using the f[random]k pattern. Chances are that any infected user looking for these specific Registry keys and files will simply not see them, because they have a different name.

Secondly, not all major AV vendors detect Yonsole; on the contrary, we've seen 24/40 (60.00%) for variant A and 26/41 (63.41%) for variant B. And yes, some major AVs missed it ;)

Copyright © 2001-2012 Softpedia.