The leading antivirus vendors will normally state whether they are able to detect Sinowal/Mebroot variants. This is easy to find out: use a search engine to search for "Sinowal detection," for example, and add the name of the vendor you're interested in. For instance, here is a Mebroot security response from Symantec Corp.
The problem, however, is that the malware writers keep modifying their code to avoid detection, and they use the very same AV software to test whether their latest tweaked variant remains unrecognised. Unfortunately, it takes time, and newly infected machines, before new AV signatures can be released.
To help protect the master boot record, enable MBR write protection, a setting that can still be found in some BIOSes and that prevents modification of the MBR. If the operating system needs to be reinstalled or modified, this setting will have to be temporarily disabled.
If the machine is infected, the best solution is to back up the data on the hard drives, low-level format the drive (or, better still, fit a new hard disk), and then reinstall and patch the operating system. The main reason for the full reset is that attackers normally infect computers with a selection of malware, some of which will not be detected or removed by antivirus packages. Also, consider using virtual machines or clean disk images to simplify this process, especially if this is not the first time you have been infected.
Historically, the solution for repairing a damaged master boot record was to recreate it using the fdisk /mbr or fixmbr command, though modern Windows operating systems no longer support these commands. However, I have heard good reports of people using the MBRfix utility.
If credit cards have been used, or password-protected sites visited, whilst the machine was infected, immediately change the passwords for those sites and inform your banks so that new cards can be issued.
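Once the MBR has been rebuilt (or the system reinstalled), it is worth recording a baseline of the clean sector so that later modification can be detected rather than only prevented by BIOS write protection. The following is an added example, not part of the original article or of any vendor's tooling: it parses the classic 512-byte MBR layout (446 bytes of boot code, four 16-byte partition entries, 0x55AA signature), hashes the boot-code region, and compares a sector against a stored baseline, flagging the checks a practitioner would want (missing signature, changed boot code, malformed or duplicate bootable entries). The sample sectors and the tampered copy are constructed in the script; the function and constant names are the example's own.

```python
import hashlib
import struct

# Classic (non-GPT) MBR layout: 446 bytes of boot code, four 16-byte
# partition entries, then the two-byte 0x55AA boot signature.
MBR_SIZE = 512
BOOT_CODE_SIZE = 446
PARTITION_ENTRY_SIZE = 16
BOOT_SIGNATURE = b"\x55\xaa"
# Partition entry: status, 3-byte CHS start, type, 3-byte CHS end,
# 32-bit LBA start, 32-bit sector count (all little-endian).
PARTITION_FMT = "<B3xB3xII"


def build_mbr(boot_code: bytes, partitions: list[tuple[int, int, int, int]]) -> bytes:
    """Assemble a 512-byte MBR from boot code and up to four
    (status, type, lba_start, sector_count) tuples. Used here only to
    construct sample data; a real audit reads sector 0 of the disk."""
    if len(boot_code) > BOOT_CODE_SIZE or len(partitions) > 4:
        raise ValueError("boot code or partition list too large")
    table = b"".join(struct.pack(PARTITION_FMT, *entry) for entry in partitions)
    table = table.ljust(4 * PARTITION_ENTRY_SIZE, b"\x00")
    return boot_code.ljust(BOOT_CODE_SIZE, b"\x00") + table + BOOT_SIGNATURE


def parse_partitions(mbr: bytes) -> list[dict]:
    """Decode the four partition-table entries into dicts."""
    entries = []
    for i in range(4):
        off = BOOT_CODE_SIZE + i * PARTITION_ENTRY_SIZE
        status, ptype, lba_start, sectors = struct.unpack_from(PARTITION_FMT, mbr, off)
        entries.append({"index": i, "status": status, "type": ptype,
                        "lba_start": lba_start, "sectors": sectors})
    return entries


def boot_code_hash(mbr: bytes) -> str:
    """SHA-256 of the boot-code region; record this from a known-clean disk."""
    return hashlib.sha256(mbr[:BOOT_CODE_SIZE]).hexdigest()


def audit_mbr(mbr: bytes, baseline_hash: str) -> list[str]:
    """Compare a sector against the recorded baseline and basic sanity rules.
    Returns a list of findings; an empty list means nothing suspicious."""
    if len(mbr) != MBR_SIZE:
        return [f"unexpected MBR length {len(mbr)} (expected {MBR_SIZE})"]
    findings = []
    if mbr[-2:] != BOOT_SIGNATURE:
        findings.append("boot signature 0x55AA missing")
    if boot_code_hash(mbr) != baseline_hash:
        findings.append("boot code differs from recorded baseline")
    bootable = 0
    for e in parse_partitions(mbr):
        if e["status"] not in (0x00, 0x80):
            findings.append(f"partition {e['index']}: invalid status byte 0x{e['status']:02x}")
        elif e["status"] == 0x80:
            bootable += 1
    if bootable > 1:
        findings.append(f"{bootable} partitions flagged bootable (expected at most one)")
    return findings


# --- constructed sample data (not read from a real disk) ---
# A typical boot-code prologue (cli; xor ax,ax; mov ss,ax; mov sp,7c00) followed
# by zero padding, and one bootable NTFS-type partition starting at LBA 2048.
CLEAN_MBR = build_mbr(b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c", [(0x80, 0x07, 2048, 1_000_000)])
BASELINE = boot_code_hash(CLEAN_MBR)  # taken right after the clean rebuild
# Constructed "modified" copy: the first two boot-code bytes have been changed.
TAMPERED_MBR = b"\xeb\xfe" + CLEAN_MBR[2:]

if __name__ == "__main__":
    print("clean sector:   ", audit_mbr(CLEAN_MBR, BASELINE) or "no findings")
    print("modified sector:", audit_mbr(TAMPERED_MBR, BASELINE))
```

On a real system the 512 bytes would come from sector 0 of the physical disk (for example `\\.\PhysicalDrive0` on Windows or `/dev/sda` on Linux, both of which need administrative rights to open). Because an active kernel-level rootkit can filter what a read of that sector returns, the comparison is only trustworthy when run from known-clean boot media, and the baseline hash must be stored off the machine being checked.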
This was first published in July 2009