A forum for reverse engineering, OS internals and malware analysis 

 #2315  by SecConnex
 Wed Aug 25, 2010 5:52 pm
Hello.

I have noticed when MBRCheck fixes the MBR, it tends to re-write it with Default MBR Code.

As per my research, I kindly recognized that Dell PC Restore, HP Restore, etc., will not function properly without their specific entries in the MBR Code.

When the Dell or HP MBR Code is detected, but say there is a good chance it appears infected, it will be overwritten with Default MBR Code.

Is there a way to have a fix done so the Dell or HP MBR Code could be put back in place, or are there too many variations of their code?

Also, what would be a recommendation for someone, if this issue of an inaccessible Recovery Partition is to occur?
 #2317  by a_d_13
 Wed Aug 25, 2010 5:56 pm
Hello,

Sadly, there's no good way to restore an OEM MBR. The Whistler bootkit, for example, doesn't save a backup, so it will always be overwritten on infection. Secondly, I have over 100 samples of valid OEM MBRs in my collection now, and no good way to determine on which computers to write them. In addition, if I write an OEM MBR to a non-OEM computer, in some cases it will cause the computer to not boot. As a result, I chose to simply only write the default Windows code so that the computer could boot, and ignore OEM MBRs. I might implement restoring the MBR from a file, though, so that you can restore using a backup.

Thanks,
--AD
 #2318  by SecConnex
 Wed Aug 25, 2010 6:14 pm
Very well.

Am I correct to say that the Whistler Bootkit would fully replace the MBR code with a copy of Default MBR Code and its malcode?

Or would it just merge its malcode into the current MBR code?

If the latter, then would it be possible to dump the MBR, and re-write it manually, so it can keep the lines from OEM? Or is that a bit risky?
 #2319  by a_d_13
 Wed Aug 25, 2010 6:21 pm
Hello,

Whistler doesn't use the Windows boot code at all, actually. Most boot codes are very simple - parse the partition table looking for the bootable partition, and then load the Volume Boot Record into memory and execute it. Whistler has this same functionality (so the computer will still boot), but it's not the same as the Windows boot code and contains additional code that executes the rest of the rootkit. When it overwrites the MBR, it's gone - it doesn't "infect" it like a virus, but instead overwrites the existing code completely.

Thanks,
--AD
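An added example, not MBRCheck's code or anything posted in this thread, that shows the split AD describes: the first 446 bytes of the sector are boot code, the next 64 bytes are the partition table a normal MBR walks to find the bootable entry, and the last two are the 0x55AA signature. It also shows the "restore from a file" idea in defensive form: hash only the code area and compare it with a hash taken from a clean backup, so an overwritten MBR is detected even when the partition table is untouched. All sector contents are constructed for the example.

```python
import hashlib
import struct

SECTOR = 512
BOOT_CODE_LEN = 446          # bytes 0..445 hold the boot code
PTABLE_OFFSET = 446          # four 16-byte partition entries follow
SIGNATURE = b"\x55\xaa"      # last two bytes of a valid MBR


def parse_mbr(sector: bytes) -> dict:
    """Split a 512-byte MBR into boot code, partition table and signature."""
    if len(sector) != SECTOR:
        raise ValueError("MBR must be exactly 512 bytes")
    partitions = []
    for i in range(4):
        entry = sector[PTABLE_OFFSET + 16 * i: PTABLE_OFFSET + 16 * (i + 1)]
        # status(1) CHS start(3) type(1) CHS end(3) LBA start(4) sector count(4)
        status, ptype, lba_start, sectors = struct.unpack("<B3xB3xII", entry)
        partitions.append({"index": i, "bootable": status == 0x80,
                           "type": ptype, "lba_start": lba_start,
                           "sectors": sectors})
    return {"boot_code": sector[:BOOT_CODE_LEN],
            "partitions": partitions,
            "signature_ok": sector[510:512] == SIGNATURE}


def bootable_partition(mbr: dict):
    """Return the entry a normal MBR would load the VBR from, or None."""
    flagged = [p for p in mbr["partitions"] if p["bootable"]]
    return flagged[0] if len(flagged) == 1 else None   # 0 or >1 flagged: not bootable as-is


def boot_code_matches(sector: bytes, known_good_sha256: str) -> bool:
    """Compare only the code area against a hash saved from a clean backup."""
    return hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest() == known_good_sha256


def make_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed sector: given code, one bootable NTFS entry, 0x55AA."""
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")
    entry = struct.pack("<B3xB3xII", 0x80, 0x07, 2048, 204800)  # bootable, NTFS
    table = entry + b"\x00" * 48                                 # three empty slots
    return code + table + SIGNATURE


# Constructed stand-in for OEM boot code (a typical real-mode prologue), hashed while clean.
CLEAN = make_sample_mbr(b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c")
BASELINE = hashlib.sha256(CLEAN[:BOOT_CODE_LEN]).hexdigest()
# Constructed sector whose code area was replaced but whose partition table was kept.
OVERWRITTEN = make_sample_mbr(b"\xeb\x3c\x90" + b"\x41" * 64)
```

Because only the 446-byte code area is hashed, a clean backup of the OEM sector is enough to tell an untouched MBR from one whose code was replaced, regardless of how the partition table looks.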
 #2320  by SecConnex
 Wed Aug 25, 2010 6:29 pm
I see. Thanks.
 #2630  by CloneRanger
 Fri Sep 03, 2010 6:21 pm
How about this.
Avira Boot Sector Repair Tool

Boot repair - no chance to dangerous boot sector viruses under DOS! There is a new tool available to detect and remove boot sector viruses under DOS. All AntiVir users can download the search and repair tool, which contains a signature-VDF as well as a user interface (ANTIVIR.EXE).

http://www.free-av.com/en/tools/9/avira ... _tool.html