virus-4915859_640

Some children build malware to remain busy with the school closed due to Coronavirus pandemic. This is the case with a range, including one with a Coronavirus problem, of new MBRLocker variants.

MBRLockers are programs that modify a computer’s ‘master boot log’ to prevent the OS from starting and then display a ransom note or other message.

Some MBRLockers, such as Petya and GoldenEye, also encrypt the table that holds your drives partition information so that your data can not be accessed or restored without entering a code and paying restitution.

The installer on the malware was identified last week by MalwareHunterTeam to be distributed as COVID-19.exe file on a new malware called “Coronavirus.”


When installed, the malware extracts several files in a folder with a Temp% value and then runs a batch file called Coronavirus.bat. Within this batch file the extracted data will be transferred to C:\COVID-19 folder, various programs are configured to start up the login and then Windows restarts.

Coronavirus.bat file

Coronavirus.bat file
Credit: Bleeping Computers      

When Windows is restarted, an image with the message “coronavirus has infected your PC!” will be shown.

coronavirus-locker
The Coronavirus image is shown after the first reboot

Sonic Wall and Avast analysis also notes a separate program to backup the Master Boot Record (MBR) of the boot drive to a different location and then replace it with a new MBR.

While reboot, it shows a custom message on Master Boot Record stating “Your Computer Has Been Trashed” and Windows will not start.

Luckily, Avast’s review reveals that a workaround was applied to the modified MBR code to restore the original Master Boot Record to boot normally. The CTRL+ALT+ESC keys can be used concurrently by pressing them.