Posted 06 February 2010 - 02:27 PM
Posted 07 February 2010 - 08:53 AM
...During infection, it copies itself to the %temp% folder and starts as a service. This service overwrites the MBR with its own code and keeps a backup of the original MBR in sector 62. It also overwrites sectors 60 and 61 with rootkit loader code and places rootkit components in the last sectors of the active partition. Later it restarts the system. Upon reboot, the infected MBR takes control of the system and gives control to the rootkit loader code. The loader code then patches the kernel to load and start its rootkit component.
Edited by quietman7, 07 February 2010 - 09:04 AM.
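A check for the sector layout described in the post above, added here as an example and not part of the original post or of any vendor tool: it inspects the first 63 sectors of a raw disk image for a boot-signed copy of a different MBR in sector 62 and for non-empty sectors 60 and 61. It assumes 512-byte sectors and a legacy MBR disk whose gap before the first partition is normally unused; boot managers and disk-encryption tools can legitimately use that gap, so findings are leads to examine, not verdicts. The function names and the sample images are constructed for illustration.

```python
import sys

SECTOR = 512
BOOT_SIG = b"\x55\xaa"  # signature in the last two bytes of a boot sector


def sector(img: bytes, n: int) -> bytes:
    """Return sector n of a raw image."""
    return img[n * SECTOR:(n + 1) * SECTOR]


def check_mbr_layout(img: bytes) -> list:
    """Return findings for the first 63 sectors of a raw disk image."""
    if len(img) < 63 * SECTOR:
        raise ValueError("need at least 63 sectors")
    findings = []
    mbr, s62 = sector(img, 0), sector(img, 62)
    if mbr[510:512] != BOOT_SIG:
        findings.append("sector 0 lacks the 0x55AA boot signature")
    # A boot-signed sector 62 that differs from sector 0 matches the
    # "backup of the original MBR" placement described in the post.
    if s62[510:512] == BOOT_SIG and s62 != mbr:
        findings.append("sector 62 holds a different boot-signed sector")
    for n in (60, 61):
        if any(sector(img, n)):
            findings.append(f"sector {n} is not empty")
    return findings


def make_image(modified: bool) -> bytes:
    """Build a constructed 63-sector sample (not data from a real disk)."""
    original = b"\x33\xc0" + bytes(508) + BOOT_SIG
    img = bytearray(63 * SECTOR)
    img[0:SECTOR] = original
    if modified:
        img[0:SECTOR] = b"\xeb\x00" + bytes(508) + BOOT_SIG   # replaced MBR
        img[60 * SECTOR:62 * SECTOR] = b"\x90" * (2 * SECTOR)  # filler bytes
        img[62 * SECTOR:63 * SECTOR] = original                # stashed copy
    return bytes(img)


CLEAN = make_image(False)
MODIFIED = make_image(True)

if __name__ == "__main__":
    # With a path argument, read the first 63 sectors of that raw image.
    data = open(sys.argv[1], "rb").read(63 * SECTOR) if len(sys.argv) > 1 else MODIFIED
    for finding in check_mbr_layout(data) or ["no findings"]:
        print(finding)
```

Run it against an image taken from outside the suspect system (for example from a boot disc), since the post describes a rootkit that patches the kernel and disk reads made from the running system may not be trustworthy.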