Profile

Virus Name: Wscript/KillMBR
Aliases: JS/KillMBR, VBS/KillMBR
Variants: None
Date Added: 4/27/00

Virus Information

Discovery Date: 4/27/00
Origin: Newsgroup Posting
Type: Trojan
SubType: VbScript
Risk Assessment: Low
Minimum Dat: 4077
Minimum Engine: 4.0.50

Virus Characteristics

This is a script trojan which exploits a security hole in the running of signed ActiveX objects through VB Script. The trojan writes an .HTA file to the local system for execution at the next Windows restart. When this .HTA file executes, it runs code that overwrites the first sector of the hard drive.

The minimum requirements for this trojan to function are IE5 and Windows Scripting Host. The trojan also runs automatically on systems where the user has not installed the Microsoft Update patch that addresses this exploit, commonly referred to as the "scriptlet.typelib / Eyedog vulnerability". The trojan forces a restart of Windows by issuing a command to exit Windows.

This trojan, posted to a newsgroup, was discovered and detected by the heuristic algorithms of Virus Patrol, a newsgroup scanning service run by McAfee AVERT. It uses code borrowed from Wscript/Kak.worm but does not spread as an Internet worm.

Symptoms

During execution of the script, users may see a message similar to the one shown by Wscript/Kak.worm, with this detail:

    Driver Memory Error
    S3 driver memory alloc failed !

Windows may shut down quite unexpectedly after the script has executed. Immediately check the AUTOEXEC.BAT file for changes which include the following line:

    c:\windows\command\debug < c:\del.asm

Delete this line if it exists.

AVERT strongly recommends installing the patch provided by Microsoft for detecting scripts that contain unsigned ActiveX controls. The patch only provides a warning; the user must still choose not to run or execute the code. For the location of the patch, follow this link.
Additional tips for avoiding such an attack include:

* renaming the file DEBUG.EXE to another name and/or moving it off of the hard drive
* optionally removing "Windows Scripting Host" on systems which do not use this automation tool

Method Of Infection

The VB Script writes "START.HTA" to one of these directories, depending on the language version of Internet Explorer:

    C:\windows\Menu Démarrer\Programmes\Démarrage
    C:\windows\Start Menu\Programs\StartUp

At the next Windows startup, the .HTA file writes a debug script file to the local C: drive as "c:\del.asm". This file is used as source code to be assembled by a tool already present on the system, DEBUG.EXE. The startup file AUTOEXEC.BAT is modified with two lines which run DEBUG and then restart Windows:

    c:\windows\command\debug < c:\del.asm
    win /z

START.HTA thus modifies the AUTOEXEC.BAT file on the local system so that DEBUG creates a small trojan file named "CLEAN.COM". This .COM file is executed and overwrites the first sector of the hard drive. Because of the line "win /z", the computer shuts down in order to force a new startup procedure (execution of the modified AUTOEXEC.BAT). This last step erases the Master Boot Record.

Removal Instructions

File components of this detection: Use the specified engine and DAT files for detection and removal. Delete files found to contain this detection.

MBR/Boot Sector recovery: If the MBR/BS damaging payload has been invoked, recovery requires the FDISK and SYS utilities typically found on an MS-DOS boot disk (BD) or emergency boot disk (EBD). At the DOS prompt, issue the following commands after booting from the BD/EBD:

    FDISK /MBR
    SYS C:
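As an added example (not part of the AVERT profile, and not McAfee's own detection code), the following Python script turns the indicators listed above into a check that can be run over an AUTOEXEC.BAT dump and a listing of files from the StartUp folders and the root of C:. It flags the two AUTOEXEC.BAT lines the profile describes, flags the dropped files START.HTA, del.asm and CLEAN.COM, and produces a cleaned AUTOEXEC.BAT with the injected lines removed, which is exactly the manual step the Symptoms section asks for. The AUTOEXEC.BAT content and the file listing are constructed sample inputs, and the function names are the author's own choices.

```python
import re

# Indicators taken from the profile: the two lines the trojan appends to
# AUTOEXEC.BAT.  The debug pattern tolerates extra whitespace around "<".
AUTOEXEC_PATTERNS = [
    re.compile(r"debug\s*<\s*c:\\del\.asm", re.IGNORECASE),
    re.compile(r"^\s*win\s+/z\s*$", re.IGNORECASE),
]

# File names the profile says the trojan drops (compared case-insensitively,
# since FAT file systems do not preserve case reliably).
DROPPED_FILES = {"start.hta", "del.asm", "clean.com"}


def scan_autoexec(text):
    """Return [(line_no, line)] for lines matching the trojan's AUTOEXEC.BAT edits."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        if any(p.search(line) for p in AUTOEXEC_PATTERNS):
            hits.append((n, line.strip()))
    return hits


def scan_file_listing(paths):
    """Return the entries of a path listing whose file name is one dropped by the trojan."""
    suspicious = []
    for p in paths:
        # Accept either separator so listings produced on a modern host still work.
        name = p.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if name in DROPPED_FILES:
            suspicious.append(p)
    return suspicious


def clean_autoexec(text):
    """Return AUTOEXEC.BAT text with the trojan's lines removed, keeping original line endings."""
    return "".join(
        line for line in text.splitlines(keepends=True)
        if not any(p.search(line) for p in AUTOEXEC_PATTERNS)
    )


# Constructed sample AUTOEXEC.BAT: two benign lines followed by the two injected ones.
SAMPLE_AUTOEXEC = (
    "@ECHO OFF\r\n"
    "PATH C:\\WINDOWS;C:\\WINDOWS\\COMMAND\r\n"
    "c:\\windows\\command\\debug < c:\\del.asm\r\n"
    "win /z\r\n"
)

# Constructed sample directory listing of the StartUp folder and C:\ root.
SAMPLE_LISTING = [
    "C:\\windows\\Start Menu\\Programs\\StartUp\\Office Startup.lnk",
    "C:\\windows\\Start Menu\\Programs\\StartUp\\START.HTA",
    "C:\\del.asm",
    "C:\\CONFIG.SYS",
]

if __name__ == "__main__":
    for n, line in scan_autoexec(SAMPLE_AUTOEXEC):
        print("AUTOEXEC.BAT line %d: %s" % (n, line))
    for p in scan_file_listing(SAMPLE_LISTING):
        print("dropped file: %s" % p)
    print("cleaned AUTOEXEC.BAT:\n" + clean_autoexec(SAMPLE_AUTOEXEC))
```

The cleaner only removes lines that match the profile's indicators, so a legitimate "win" line without "/z" is left alone; a benign AUTOEXEC.BAT passes through unchanged. Removing the lines does not undo an already executed payload, which is what the FDISK /MBR and SYS C: recovery steps are for.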