Trojan.Mebromi
Trojan.Mebromi is a boot-up Trojan that may infect the Basic Input/Output System (BIOS) and the Master Boot Record of the affected computer. Trojan.Mebromi also downloads and executes other malicious files on the infected system. The Trojan also infects the Windows logon process to serve its own malicious purpose. Upon infection, it causes system instability and reduces overall performance after making changes to the Master Boot Record.
Damage Level: Medium
Systems Affected: Windows 9x, 2000, XP, Windows Vista
Characteristics
When a computer user clicks or executes the Trojan-related file, it drops the following malicious file:
%Temp%\cbrom
The dropped file is used to check the status of the BIOS. When it recognizes an uninfected Award BIOS, the Trojan initiates infection by dropping and executing this new file:
C:\bios.bin
As you can see, Trojan.Mebromi targets systems with an Award BIOS as its primary preference. If the computer uses a different BIOS, the Trojan infects only the Master Boot Record. It also embeds malicious code in one of the following files, depending on the victim's operating system:
%System%\winlogon.exe (if the operating system is Windows XP or 2003)
%System%\winnt.exe (if the operating system is Windows 2000)
Lastly, Trojan.Mebromi connects to a remote server to download and execute other harmful files that may cause serious damage to the system.
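Because the Trojan's most reliable trace on a non-Award system is the modified Master Boot Record, a responder typically dumps the first sector of the disk and compares it with a known-good copy. The script below is an added example written for this page, not code from the original description or from any vendor tool; it parses a 512-byte MBR image, hashes the boot-code region, decodes the partition table and reports where a dumped sector deviates from a baseline. All MBR images in it are constructed sample data, and the "tampered" image is only a stand-in for a modified boot sector, not Trojan.Mebromi's actual boot code.

```python
"""
Added example (not from the original page): check a dumped Master Boot
Record against a known-good baseline, the kind of comparison a responder
uses to confirm the MBR modification described for Trojan.Mebromi.
All MBR images below are constructed sample data, not real captures.
"""
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_END = 446           # boot code occupies bytes 0..445
PART_TABLE_END = 510          # four 16-byte partition entries at 446..509
BOOT_SIGNATURE = b"\x55\xaa"  # bytes 510..511 of a valid MBR


def parse_mbr(image: bytes) -> dict:
    """Split a 512-byte MBR into boot-code hash, partition table and signature flag."""
    if len(image) != MBR_SIZE:
        raise ValueError(f"expected {MBR_SIZE}-byte image, got {len(image)}")
    partitions = []
    for i in range(4):
        offset = BOOT_CODE_END + 16 * i
        # entry layout: status, CHS start (3), type, CHS end (3), LBA start, sector count
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", image, offset)
        partitions.append({"bootable": status == 0x80, "type": ptype,
                           "lba_start": lba_start, "sectors": sectors})
    return {
        "boot_code_sha256": hashlib.sha256(image[:BOOT_CODE_END]).hexdigest(),
        "partitions": partitions,
        "signature_ok": image[PART_TABLE_END:] == BOOT_SIGNATURE,
    }


def compare_mbr(baseline: bytes, current: bytes) -> list:
    """Return human-readable findings where `current` deviates from `baseline`."""
    base, cur = parse_mbr(baseline), parse_mbr(current)
    findings = []
    if not cur["signature_ok"]:
        findings.append("boot signature 0x55AA missing: sector is not a valid MBR")
    if cur["boot_code_sha256"] != base["boot_code_sha256"]:
        findings.append("boot code (bytes 0-445) differs from baseline")
    if cur["partitions"] != base["partitions"]:
        findings.append("partition table differs from baseline")
    return findings


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Construct a sample MBR around the given boot code (constructed data)."""
    boot_code = boot_code.ljust(BOOT_CODE_END, b"\x00")
    # one bootable NTFS-type (0x07) partition starting at LBA 2048, 204800 sectors long
    entry = struct.pack("<B3sB3sII", 0x80, b"\x20\x21\x00", 0x07, b"\xfe\xff\xff", 2048, 204800)
    table = entry + b"\x00" * 48          # remaining three entries empty
    return boot_code + table + BOOT_SIGNATURE


# Constructed baseline: a stub resembling the opening instructions of a normal boot loader.
BASELINE_MBR = build_sample_mbr(b"\x33\xc0\x8e\xd0\xbc\x00\x7c\x8e\xc0\x8e\xd8")
# Constructed "tampered" copy: first instructions replaced by a jump elsewhere, the kind of
# change a boot-sector infection leaves; the partition table is left untouched.
TAMPERED_MBR = build_sample_mbr(b"\xe9\x00\x01" + b"\x90" * 8)


def read_mbr_from_file(path: str) -> bytes:
    """Read the first 512 bytes of a saved disk image or raw sector dump."""
    with open(path, "rb") as f:
        return f.read(MBR_SIZE)


if __name__ == "__main__":
    for name, img in (("baseline", BASELINE_MBR), ("tampered", TAMPERED_MBR)):
        print(name, compare_mbr(BASELINE_MBR, img) or ["no deviation from baseline"])
```

In practice the `baseline` comes from a clean build of the same machine image (or the first sector saved before deployment), and the `current` sector from a raw dump taken with a forensic imager or `dd`; `read_mbr_from_file` reads either. The comparison only covers the MBR: it says nothing about whether the Award BIOS flash itself was modified, which needs a ROM dump compared against the vendor image.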
Distribution
Trojan.Mebromi arrives on computers by several methods. The most popular is spreading the Trojan as an attachment to spam email messages. A user may also get infected by opening a questionable link received through an instant messaging application. The link appears to come from a friend's address in the contact list, but that sender is unaware that the Trojan on their computer is sending out malicious messages. Most of the time, the message contains tempting links about trending news and events.
Another means of propagation is drive-by download. The Trojan can enter the computer when the user simply visits a web site that is either legitimate but compromised or malicious in nature. The process is so covert that users may not even notice. Alternatively, the Trojan may be installed with the user's knowledge when it poses as a software update or a required component on questionable web sites.
Associated Files and Folders:
%Temp%\cbrom
C:\bios.bin
C:\my.sys
C:\calc.exe
How to Remove Trojan.Mebromi
Restore Windows Components
During an infection, Trojan.Mebromi drops various files. The Trojan intentionally hides system files by setting options in the registry. Given this, the best way to return Windows to a previous working state is through System Restore. If a previous restore point was saved, you may proceed with Windows System Restore.
Manual Removal Procedure
1. If an anti-virus program is present, update its definition file. Each anti-virus program has its own way of updating its database; please refer to your software manufacturer's manual.
2. Reboot Windows in Safe Mode to ensure that only minimal Windows components are loaded.
- After turning on the computer, press F8 on your keyboard.
- The Boot Options menu will be displayed; select Safe Mode.
3. Run a full system scan and clean/delete all infected files related to Trojan.Mebromi.
4. Delete or modify any values added by Trojan.Mebromi to the registry if present. Please see the reference.
- To edit the registry, click Start > Run and type regedit.exe in the field.
- Alternatively, press Windows Key + R on your keyboard to open the Run dialog.
5. Exit the Registry Editor when done. You may now restart the computer.