According to Microsoft

Jun 21, 2010 13:18 GMT  ·  By

A new piece of malware is capable of killing the Windows boot process, according to Microsoft. Win32/Yonsole.A is a backdoor Trojan: malicious code designed to compromise a computer, connect to a server controlled by the attacker, and then receive and execute whatever instructions it is sent. One of the functions of Yonsole is to stop Windows startup dead in its tracks. According to Microsoft’s Chun Feng, the malware is capable of doing this because it modifies the Master Boot Record of the infected computer.

“A recently discovered backdoor sample (detected as Backdoor:Win32/Yonsole.A) can accept and execute a command from a remote server to modify the Master Boot Record (MBR) on the affected machine. The modification to the MBR is like the old ‘Stoned’ virus for DOS. However, in this case, the MBR does nothing but display a banner in the center of the screen and freeze the PC,” Feng stated.
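The Stoned-style payload Feng describes overwrites sector 0 of the disk, which is exactly the kind of change a defender can baseline and watch for. The script below is an added example, not code from the article or from Microsoft: it reads the first 512 bytes of the first physical disk read-only, verifies the 0x55AA boot signature, hashes the boot-code region separately from the partition table, and compares the result with a baseline recorded on an earlier run. The device path `\\.\PhysicalDrive0` and the baseline file location are assumptions; an elevated prompt is required.

```powershell
# Added example (not from the article or from Microsoft): snapshot the MBR and
# report whether its boot code has changed since the recorded baseline.
# Run from an elevated PowerShell prompt; the disk is opened read-only.
$diskPath     = '\\.\PhysicalDrive0'                        # assumption: first physical disk
$baselineFile = Join-Path $env:ProgramData 'mbr-baseline.txt'  # assumption: where we keep the baseline

# Open the raw disk with FileShare.ReadWrite so the OS, which holds the disk open, does not block us.
$stream = [System.IO.FileStream]::new($diskPath,
    [System.IO.FileMode]::Open, [System.IO.FileAccess]::Read, [System.IO.FileShare]::ReadWrite)
try {
    $mbr  = New-Object byte[] 512
    $read = $stream.Read($mbr, 0, 512)
} finally {
    $stream.Dispose()
}
if ($read -ne 512) { throw "Short read from ${diskPath}: $read bytes" }

# Layout of sector 0: bytes 0..445 boot code, 446..509 four 16-byte partition entries,
# 510..511 the 0x55 0xAA boot signature. A Stoned-style overwrite replaces the boot code.
$signatureOk = ($mbr[510] -eq 0x55 -and $mbr[511] -eq 0xAA)

$sha = [System.Security.Cryptography.SHA256]::Create()
$codeHash   = ($sha.ComputeHash($mbr, 0, 446)  | ForEach-Object { $_.ToString('x2') }) -join ''
$tableHash  = ($sha.ComputeHash($mbr, 446, 64) | ForEach-Object { $_.ToString('x2') }) -join ''
$sha.Dispose()

$current = "code=$codeHash table=$tableHash"
if (-not (Test-Path -LiteralPath $baselineFile)) {
    # First run: record the baseline and stop.
    Set-Content -LiteralPath $baselineFile -Value $current
    Write-Output "Baseline recorded in $baselineFile (signature ok: $signatureOk)"
} else {
    $baseline = (Get-Content -LiteralPath $baselineFile -Raw).Trim()
    if (-not $signatureOk) {
        Write-Warning 'Boot signature 0x55AA is missing: sector 0 is not a valid MBR.'
    }
    if ($current -ne $baseline) {
        Write-Warning "MBR differs from baseline.`n baseline: $baseline`n current:  $current"
    } else {
        Write-Output 'MBR matches baseline.'
    }
}
```

The partition table is hashed separately because it legitimately changes when disks are repartitioned, whereas the boot code should stay constant between operating-system or bootloader updates; a changed code hash with an unchanged table hash is the pattern worth escalating. Record the baseline on a machine you trust, and keep a copy of the baseline off the host, since malware with disk access can rewrite the file as easily as the sector.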

Although it was only discovered in the first half of this month, all major antivirus makers, Microsoft included, already offer protection against Yonsole. PCs infected with this piece of malware are no longer under the control of the user. Instead, an attacker can tell the compromised machine to perform various tasks, as Yonsole is designed to phone home to a remote host for instructions.

“When executed, Backdoor:Win32/Yonsole.A injects itself into services.exe and drops a DLL file to the <system folder>, for example: f00165500k.cmd,” Feng added. “The DLL file contains the backdoor functionality and may be detected as Backdoor:Win32/Yonsole.B. Backdoor:Win32/Yonsole.A installs the dropped DLL as a Service DLL to make sure it is loaded at each Windows start, for example: adds value: "ServiceDll"; with data: "<system folder>\f00165500k.cmd"; under key: HKLM\SYSTEM\CurrentControlSet\Services\F00165500K\Parameters.”
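The persistence mechanism Feng describes, a `ServiceDll` value under `HKLM\SYSTEM\CurrentControlSet\Services\<name>\Parameters`, is shared with every svchost-hosted service, so the useful check is to enumerate all such values and flag the ones that look wrong. The script below is an added example, not code from the article or from Microsoft; it walks every service key, reads `ServiceDll` where present, and reports entries whose file has a non-.dll extension (as with the `.cmd` name above), lives outside System32, is missing, or does not carry a valid Authenticode signature. The registry path and the `ServiceDll` value name come from the article; the thresholds for "suspicious" are this script's own assumptions.

```powershell
# Added example (not from the article or from Microsoft): audit ServiceDll persistence entries.
# Run from an elevated PowerShell prompt on the host being examined.
$servicesRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$system32     = Join-Path $env:SystemRoot 'System32'

$findings = foreach ($svc in Get-ChildItem -Path $servicesRoot -ErrorAction SilentlyContinue) {
    $paramsKey = Join-Path $svc.PSPath 'Parameters'
    if (-not (Test-Path -LiteralPath $paramsKey)) { continue }

    $dll = (Get-ItemProperty -LiteralPath $paramsKey -Name ServiceDll -ErrorAction SilentlyContinue).ServiceDll
    if (-not $dll) { continue }

    # Values are often stored as %SystemRoot%\System32\foo.dll or quoted; normalise before testing.
    $path    = [Environment]::ExpandEnvironmentVariables($dll.Trim('"'))
    $reasons = @()

    # Heuristic 1: a service DLL that is not named *.dll (Yonsole used a .cmd name).
    if ([IO.Path]::GetExtension($path) -ne '.dll') { $reasons += 'non-.dll extension' }

    # Heuristic 2: loaded from somewhere other than the Windows system folder.
    if (-not $path.StartsWith($system32, [StringComparison]::OrdinalIgnoreCase)) {
        $reasons += 'outside System32'
    }

    # Heuristic 3: file missing, or present but not carrying a valid Authenticode signature.
    if (Test-Path -LiteralPath $path) {
        $sig = Get-AuthenticodeSignature -FilePath $path
        if ($sig.Status -ne 'Valid') { $reasons += "signature $($sig.Status)" }
    } else {
        $reasons += 'file not found'
    }

    if ($reasons.Count -gt 0) {
        [PSCustomObject]@{
            Service    = $svc.PSChildName
            ServiceDll = $dll
            Reasons    = ($reasons -join ', ')
        }
    }
}

if ($findings) {
    $findings | Sort-Object Service | Format-Table -AutoSize
} else {
    Write-Output 'No suspicious ServiceDll entries found.'
}
```

Expect some noise: third-party software legitimately registers service DLLs outside System32, and a few vendor files are unsigned, so each hit needs a look at the file's hash, timestamp and publisher rather than being treated as a detection on its own. The entry the article describes would trip all three heuristics at once, which is the combination worth prioritising.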

Yonsole can infect a wide range of Windows releases: on Windows 2000 and NT it drops its DLL into C:\Winnt\System32, and on Windows XP, Windows Vista and Windows 7 into C:\Windows\System32.

[Image: A system infected with the Yonsole.A Backdoor will no longer start]