Some children build malware to remain busy with the school closed due to Coronavirus pandemic. This is the case with a range, including one with a Coronavirus problem, of new MBRLocker variants.
MBRLockers are programs that modify a computer’s ‘master boot log’ to prevent the OS from starting and then display a ransom note or other message.
Some MBRLockers, such as Petya and GoldenEye, also encrypt the table that holds your drives partition information so that your data can not be accessed or restored without entering a code and paying restitution.
The installer on the malware was identified last week by MalwareHunterTeam to be distributed as COVID-19.exe file on a new malware called “Coronavirus.”
— MalwareHunterTeam (@malwrhunterteam) March 23, 2020
When installed, the malware extracts several files in a folder with a Temp% value and then runs a batch file called Coronavirus.bat. Within this batch file the extracted data will be transferred to C:\COVID-19 folder, various programs are configured to start up the login and then Windows restarts.
When Windows is restarted, an image with the message “coronavirus has infected your PC!” will be shown.
While reboot, it shows a custom message on Master Boot Record stating “Your Computer Has Been Trashed” and Windows will not start.
Luckily, Avast’s review reveals that a workaround was applied to the modified MBR code to restore the original Master Boot Record to boot normally. The CTRL+ALT+ESC keys can be used concurrently by pressing them.