Coronavirus malware Windows

Malware creators are taking advantage of the coronavirus pandemic and spreading pandemic-themed malware to demand ransom from users. Since the pandemic began, security researchers have witnessed a surge in coronavirus-themed MBRLockers.

MBRLockers are a special type of malware that modifies the master boot record (MBR) of the victim’s computer so that it shows a ransom note before Windows boots up.

There are some notorious MBRLockers, like Petya and GoldenEye, that encrypt the data containing the partition information of drives. Thus, it becomes impossible to rebuild the MBR unless the ransom code is entered.

Recently, MalwareHunterTeam discovered a new MBRLocker named “Coronavirus” targeting users with the Covid-19.exe file.

Once installed, the malware extracts files to a folder in %Temp% and executes a batch file named coronavirus.bat. When it runs, the extracted files are moved to the C:\COVID-19 folder. It then configures programs to start automatically on login, and Windows is restarted.

Image: Coronavirus.bat (Source: Bleeping Computer)

As soon as Windows restarts, the message “coronavirus has infected your PC!” is displayed along with an image of a virus.

Avast and SonicWall analyzed the Coronavirus MBRLocker and found that a program executed in the background backs up the boot drive’s MBR and replaces it with a custom MBR.

The custom MBR that is now in place displays a message saying “Your Computer Has Been Trashed”, and Windows fails to boot.
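For defenders, the MBR replacement described above can be detected by comparing the first disk sector with a known-good baseline. The following is an added example, not code from the article or from the analyses it cites: the function names are hypothetical, the sample sectors are constructed, and it assumes the note text is stored in the first sector.

```python
import hashlib
import struct

SECTOR = 512
NOTE = b"Your Computer Has Been Trashed"  # message quoted in the article

def parse_mbr(sector: bytes) -> dict:
    """Split a 512-byte MBR into boot code hash, partition entries, signature."""
    if len(sector) != SECTOR:
        raise ValueError("an MBR is exactly 512 bytes")
    parts = []
    for i in range(4):  # four 16-byte partition entries start at offset 446
        entry = sector[446 + 16 * i: 462 + 16 * i]
        status, ptype = entry[0], entry[4]
        lba_start, sectors = struct.unpack_from("<II", entry, 8)
        if ptype:  # type 0 marks an unused slot
            parts.append({"bootable": status == 0x80, "type": ptype,
                          "lba_start": lba_start, "sectors": sectors})
    # Hash only the 440 bootstrap bytes; the disk signature after them varies.
    return {"boot_sha256": hashlib.sha256(sector[:440]).hexdigest(),
            "partitions": parts,
            "signature_ok": sector[510:512] == b"\x55\xaa"}

def check_mbr(sector: bytes, baseline_sha256: str) -> list:
    """Return findings for a sector compared with a known-good baseline hash."""
    info = parse_mbr(sector)
    findings = []
    if not info["signature_ok"]:
        findings.append("missing 0x55AA boot signature")
    if info["boot_sha256"] != baseline_sha256:
        findings.append("boot code differs from baseline")
    if NOTE.lower() in sector.lower():  # assumption: note lives in sector 0
        findings.append("ransom note text present in sector")
    if not info["partitions"]:
        findings.append("partition table empty")
    return findings

def build_sample(boot_code: bytes) -> bytes:
    """Constructed test sector: boot code, one NTFS partition, signature."""
    entry = struct.pack("<B3sB3sII", 0x80, b"\x00" * 3, 0x07, b"\x00" * 3,
                        2048, 204800)
    return boot_code.ljust(446, b"\x00") + entry + b"\x00" * 48 + b"\x55\xaa"

if __name__ == "__main__":
    clean = build_sample(b"\xfa\x33\xc0\x8e\xd0")   # constructed bytes
    tampered = build_sample(b"\xeb\x3c" + NOTE)     # constructed bytes
    baseline = parse_mbr(clean)["boot_sha256"]
    print(check_mbr(clean, baseline))
    print(check_mbr(tampered, baseline))
```

On a live Windows system, the sector would be the first 512 bytes read from `\\.\PhysicalDrive0` with administrator rights, and the baseline hash would be recorded while the machine is known to be clean.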

The analysis reveals that the Coronavirus MBRLocker creators have added a bypass that allows you to boot normally: users need to press the Ctrl+Alt+Esc keys simultaneously.

In addition to this Coronavirus malware, Bleeping Computer has found that several MBRLocker variants have been created in the past week with Coronavirus memes, messages and inside jokes.

We recommend that our readers avoid installing any malicious file, as it might lock you out of Windows and demand a ransom to decrypt your files.

Source: Bleeping Computer
Anmol is a tech journalist who handles reportage of cybersecurity and Apple and OnePlus devices at Fossbytes. He's an ambivert who is striving hard to appease existential crisis by eating, writing, and scrolling through memes.