
Problem: user files are still being encrypted regardless of what happens to MBR so you end up doing MBR recovery only to boot a system without your data.
No, the Kaspersky check is done before encrypting any files.

Source: https://blogs.technet.microsoft.com/mmpc/2017/06/29/windows-...


It seems checks are done early but MBR destruction only at the end:

During malware initialization phase, this malware maintains a global variable that dictates its behavior. It alters its behavior based on the presence of processes related to certain antivirus applications running in the system.

Specifically, it looks for names of processes belonging to Kaspersky Antivirus and Symantec Antivirus and alters its behavior if it finds them.

Information controlling the threat's behavior is stored in a global variable (gConfig in the screenshots), which is then used to check during MBR modification.

If a Kaspersky Antivirus process is found in the system or if the MBR infection is unsuccessful, the malware then proceeds to destroy the first 10 sectors of the hard drive.
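A defender-side counterpart to the quoted write-up, as an added example that is not code from the thread or from Microsoft's analysis: the write-up says the damage in this path is confined to the first 10 sectors, so a baseline copy of that region, taken from a known-good system, lets you detect that it was overwritten and put it back. The script assumes 512-byte sectors and works on a constructed in-memory image rather than a real disk; the function and variable names are its own. It also makes the first comment's point concrete: restoring the boot area leaves everything after sector 10 exactly as it was, so encrypted user data stays encrypted.

```python
"""Baseline, verify and restore the first 10 sectors of a disk image.

Added example (not from the thread or the Microsoft write-up). Operates on
a constructed byte string standing in for a raw disk image.
"""
import hashlib

SECTOR_SIZE = 512           # assumption: classic 512-byte sectors
PROTECTED_SECTORS = 10      # the region the write-up says gets destroyed
PROTECTED_BYTES = SECTOR_SIZE * PROTECTED_SECTORS


def make_sample_image(total_sectors=64):
    """Build a toy disk image: placeholder boot code plus the 0x55AA boot
    signature in sector 0, distinct filler in every later sector.
    Constructed data, not a real partition layout."""
    image = bytearray(SECTOR_SIZE * total_sectors)
    image[0:4] = b"FAKE"          # placeholder boot code
    image[510:512] = b"\x55\xaa"  # MBR boot signature
    for s in range(1, total_sectors):
        image[s * SECTOR_SIZE:(s + 1) * SECTOR_SIZE] = bytes([s % 256]) * SECTOR_SIZE
    return bytes(image)


def snapshot_boot_sectors(image):
    """Take a baseline: a raw copy of the first 10 sectors plus one SHA-256
    per sector, so later checks can say which sectors changed."""
    head = image[:PROTECTED_BYTES]
    hashes = [
        hashlib.sha256(head[i * SECTOR_SIZE:(i + 1) * SECTOR_SIZE]).hexdigest()
        for i in range(PROTECTED_SECTORS)
    ]
    return {"data": head, "hashes": hashes}


def verify_boot_sectors(image, baseline):
    """Return the indices of protected sectors whose hash no longer matches
    the baseline (empty list means the boot area is intact)."""
    current = snapshot_boot_sectors(image)["hashes"]
    return [i for i, (now, then) in enumerate(zip(current, baseline["hashes"])) if now != then]


def has_boot_signature(image):
    """Cheap sanity check: is the 0x55AA signature still at the end of sector 0?"""
    return image[510:512] == b"\x55\xaa"


def restore_boot_sectors(image, baseline):
    """Write the baseline copy back over the first 10 sectors. Only the boot
    area is touched; whatever state the rest of the disk is in (including
    encrypted user files) is returned unchanged."""
    return baseline["data"] + image[PROTECTED_BYTES:]


def damage_sample_image(image):
    """Constructed damage for the demo only: zero the protected region."""
    return bytes(PROTECTED_BYTES) + image[PROTECTED_BYTES:]


if __name__ == "__main__":
    good = make_sample_image()
    baseline = snapshot_boot_sectors(good)
    damaged = damage_sample_image(good)
    print("changed sectors:", verify_boot_sectors(damaged, baseline))
    print("boot signature present:", has_boot_signature(damaged))
    repaired = restore_boot_sectors(damaged, baseline)
    print("repaired == original:", repaired == good)
```

On a real system the baseline would be taken from the raw device (for example with `dd` reading the first 5120 bytes) while the machine is known good and stored off-host; the comparison logic is the same. Note that `repaired == good` only holds here because nothing beyond sector 10 was modified in the demo, which is exactly the first comment's caveat.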