Mebroot is a Trojan horse that overwrites the Master Boot Record of the hard disk with its own code and stores a copy of the original master boot record at another sector (62) while using rootkit techniques to hide itself. The installer of the rootkit writes the content of a malicious kernel driver to the last sectors of the disk, and then modifies sectors 0 (MBR), 60, 61 and 62.
...During infection, it copies itself to the %temp% folder and starts as a service. This service overwrites the MBR with its own code and keeps a backup of original MBR in sector 62. It also overwrites sector 60 and 61 with rootkit loader code and rootkit components in the last sectors of the active partition. Later it restarts the system. Upon reboot, the infected MBR takes control of the system and gives control to the rootkit loader code. The loader code then patches the kernel to load and start its rootkit component.
StealthMBR Rootkit
Mebroot is contracted and spread through ads in spam e-mail attachments, by using shared folders on peer-to-peer networks, using Torrents, and via drive-by downloads when visiting porn and malicious websites using browser exploits. For more specific details about this infection, read:
If it keeps reappearing after using the "mbr.exe -f" command, then either that fix did not work or you are getting reinfected through one of its spreading venues.
Edited by quietman7, 07 February 2010 - 09:04 AM.
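The sector layout described in the post (original MBR copied to sector 62, loader code in sectors 60 and 61, sector 0 replaced) can be checked offline on a raw disk image. The following is an added example, not code from the post, from mbr.exe or from any vendor; the test image it builds is constructed and contains no real Mebroot code.

```python
# Added example, not code from the post or from any vendor tool: an offline,
# heuristic check for the disk layout described above (original MBR backed up
# in sector 62, loader code in sectors 60-61, sector 0 replaced). The live
# rootkit hides these sectors, so run it on a raw image taken from rescue media.
import struct

SECTOR, BOOT_SIG = 512, b"\x55\xAA"
BACKUP_SECTOR, LOADER_SECTORS = 62, (60, 61)

def read_sector(image: bytes, lba: int) -> bytes:
    return image[lba * SECTOR:(lba + 1) * SECTOR]

def looks_like_mbr(sector: bytes) -> bool:
    """55AA signature plus at least one plausible partition-table entry."""
    if len(sector) != SECTOR or sector[510:] != BOOT_SIG:
        return False
    for off in range(446, 510, 16):
        flag, ptype = sector[off], sector[off + 4]
        start, size = struct.unpack_from("<II", sector, off + 8)
        if flag in (0x00, 0x80) and ptype and start and size:
            return True
    return False

def analyze_image(image: bytes) -> dict:
    """Compare sector 0 with the sector-62 copy and inspect the loader sectors."""
    mbr, backup = read_sector(image, 0), read_sector(image, BACKUP_SECTOR)
    f = {
        "mbr_bootable": looks_like_mbr(mbr),
        "backup_is_mbr": looks_like_mbr(backup),  # a clean disk keeps no MBR copy at LBA 62
        "mbr_differs_from_backup": mbr != backup,
        "loader_sectors_nonempty": any(read_sector(image, n).strip(b"\x00")
                                       for n in LOADER_SECTORS),
    }
    f["suspicious"] = f["backup_is_mbr"] and f["mbr_differs_from_backup"] and f["loader_sectors_nonempty"]
    return f

def build_image(infected: bool) -> bytes:
    """Constructed 64-sector test image; the 'infected' layout is synthetic, not real Mebroot code."""
    sectors = [bytes(SECTOR)] * 64
    entry = bytes([0x80, 0, 0, 0, 0x07, 0, 0, 0]) + struct.pack("<II", 63, 1000)
    table = entry + bytes(48)                      # one bootable NTFS-type entry, three empty
    clean_mbr = b"\xEB\xFE" + bytes(444) + table + BOOT_SIG
    sectors[0] = clean_mbr
    if infected:
        sectors[BACKUP_SECTOR] = clean_mbr                                  # backup of original MBR
        sectors[0] = b"\xFA\x31\xC0" + bytes(443) + table + BOOT_SIG        # replaced boot code
        for n in LOADER_SECTORS:
            sectors[n] = b"\x90" * SECTOR                                   # stand-in loader bytes
    return b"".join(sectors)
```

On a real image, read the first 64 sectors of the physical disk into `image` (for example with `dd` from a rescue boot) and pass it to `analyze_image`; a clean disk should report `backup_is_mbr` as False.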