Extremely dangerous infection targeting the Master Boot Record

Jan 9, 2008 19:31 GMT  ·  By

I must mention from the beginning that every unpatched system connected to the web is vulnerable to this rootkit, so in case you're running an outdated version of Windows XP, you may be in danger, pal! Now, let's see some juicy (if you're one of those who love computer infections) details about the rootkit. First of all, you should know that this new threat infects the MBR (Master Boot Record) of the hard disk, so only a few antivirus technologies are able to detect and stop it. Symantec's antivirus is one of these exceptions: it labels the infection as Trojan.Mebroot, Elia Florio wrote on the Symantec blog.

Infecting the MBR means that Trojan.Mebroot takes hold of your computer even before the operating system is loaded, so antivirus programs running inside Windows are largely useless against it. "The main problem is that some versions of Microsoft Windows allow programs to overwrite disk sectors directly (including the MBR) from user mode, without restrictions. As such, writing a new MBR into Sector 0 as a standard user is a relatively easy task", the Symantec official explained.
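Because the MBR is a fixed 512-byte structure (446 bytes of bootstrap code, a 64-byte partition table, and the 0x55AA boot signature), a defender can baseline the bootstrap area and later detect that sector 0 has been rewritten. The script below is an added example written for this article, not code from Softpedia or Symantec: it parses an MBR, validates the signature, hashes the bootstrap region and compares it to a stored baseline, and lists the partition entries. The function names, the constructed sample MBR (a NOP-filled boot area with one partition entry) and the byte flip used to simulate a rewritten boot sector are all assumptions for illustration. On a real host you would feed `inspect_mbr` the first 512 bytes of the raw disk (for example `\\.\PhysicalDrive0` on Windows, read with administrator rights), ideally from rescue media, since a rootkit that is already running can misreport sector contents to the live system.

```python
import hashlib
import struct
from dataclasses import dataclass
from typing import List, Optional

MBR_SIZE = 512
BOOTCODE_LEN = 446            # bytes 0..445 hold the bootstrap code
PARTITION_TABLE_OFF = 446     # four 16-byte partition entries follow
BOOT_SIGNATURE = b"\x55\xAA"  # bytes 510..511 must hold this signature


@dataclass
class PartitionEntry:
    status: int      # 0x80 = bootable, 0x00 = inactive
    type_id: int     # partition type byte, e.g. 0x07 for NTFS
    lba_start: int   # first sector (LBA, little-endian)
    sectors: int     # number of sectors in the partition


@dataclass
class MbrReport:
    signature_ok: bool
    bootcode_sha256: str
    bootcode_matches_baseline: Optional[bool]  # None when no baseline was given
    partitions: List[PartitionEntry]


def parse_partition_entry(raw: bytes) -> PartitionEntry:
    # Entry layout: status(1) CHS start(3) type(1) CHS end(3) LBA start(4) sector count(4)
    status, _chs_start, type_id, _chs_end, lba_start, sectors = struct.unpack("<B3sB3sII", raw)
    return PartitionEntry(status, type_id, lba_start, sectors)


def inspect_mbr(mbr: bytes, baseline_sha256: Optional[str] = None) -> MbrReport:
    """Validate the MBR structure and compare its bootstrap code to a known-good hash."""
    if len(mbr) != MBR_SIZE:
        raise ValueError(f"expected {MBR_SIZE} bytes, got {len(mbr)}")
    signature_ok = mbr[510:512] == BOOT_SIGNATURE
    digest = hashlib.sha256(mbr[:BOOTCODE_LEN]).hexdigest()
    matches = None if baseline_sha256 is None else (digest == baseline_sha256)
    entries = [
        parse_partition_entry(mbr[PARTITION_TABLE_OFF + 16 * i: PARTITION_TABLE_OFF + 16 * (i + 1)])
        for i in range(4)
    ]
    # A type byte of 0x00 means the slot is unused
    partitions = [p for p in entries if p.type_id != 0]
    return MbrReport(signature_ok, digest, matches, partitions)


def read_sector0(path: str) -> bytes:
    # Read the first sector of a disk image or raw device (needs read permission on the device)
    with open(path, "rb") as f:
        return f.read(MBR_SIZE)


def build_sample_mbr(bootcode_fill: int = 0x90) -> bytes:
    # Constructed sample, not a real boot sector: filler boot code (0x90 = NOP),
    # one active NTFS-type partition starting at LBA 63 with 2048 sectors, valid signature
    bootcode = bytes([bootcode_fill]) * BOOTCODE_LEN
    entry = struct.pack("<B3sB3sII", 0x80, b"\x00\x00\x00", 0x07, b"\x00\x00\x00", 63, 2048)
    table = entry + b"\x00" * 48  # remaining three slots empty
    return bootcode + table + BOOT_SIGNATURE


def flip_bootcode_byte(mbr: bytes, offset: int) -> bytes:
    # Simulate sector 0 having been rewritten: change one byte in the bootstrap area only,
    # leaving the partition table and signature intact (hypothetical test helper)
    if not 0 <= offset < BOOTCODE_LEN:
        raise ValueError("offset must lie inside the bootstrap code area")
    buf = bytearray(mbr)
    buf[offset] ^= 0xFF
    return bytes(buf)


if __name__ == "__main__":
    baseline = build_sample_mbr()
    baseline_hash = inspect_mbr(baseline).bootcode_sha256  # store this when the system is known clean
    later = flip_bootcode_byte(baseline, 0)                 # what a later read of sector 0 might return
    report = inspect_mbr(later, baseline_hash)
    print("signature ok:", report.signature_ok)
    print("bootstrap code matches baseline:", report.bootcode_matches_baseline)
    for p in report.partitions:
        print(f"partition type 0x{p.type_id:02X} start LBA {p.lba_start} sectors {p.sectors}")
```

The check is deliberately narrow: it only reports that the bootstrap code differs from the baseline, which is also what legitimate events such as a boot-loader reinstall or the `fixmbr` command produce, so a mismatch is a prompt to investigate from clean media rather than proof of infection.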

Elia Florio wrote that Trojan.Mebroot affects Windows XP users, no matter which Service Pack has been deployed. Windows Vista users seem to be protected from the rootkit, according to the Symantec report. That the rootkit works only on Windows XP comes down to "some hard-coded values inside the attack code", as the Symantec official wrote.

What's worse is that the infection cannot be removed while the operating system is running, Elia Florio explained. "It must be removed while the rootkit code itself is not running", Florio stated. "During our tests, running the 'fixmbr' command from within the Windows Recovery Console successfully removed the malicious MBR entry. To help prevent similar attacks in the future, and if your system BIOS includes the Master Boot Record write-protection feature, now is a good time to enable it!"