Stealthy Windows Rootkit Mebroot Virus doing the rounds on the Internet

Mebroot Windows Rootkit Virus Security experts are now advising Internet users to remain alert and active against a very ‘stealthy’ Windows virus that has the ability to steal customers’ login details for online bank accounts.

In Europe, around 5,000 computer users fell victim to this computer virus in the last month itself. The virus uses vulnerabilities in Microsoft’s operating system Windows. Thus, many of the people only fell victim via ‘booby-trapped’ web sites that use such vulnerabilities in Windows to install the attack code.

It has now come to be known that a Russian group, known for specializing in stealing bank login information, is responsible for the spread of this virus, dubbed as Mebroot by Symantec. Basically, it attacks the Master Boot Record (MBR) of a computer and tries to overwrite a part of it.

According to security experts, the Mebroot virus, which is also known as a rootkit, is dangerous only because it can embed itself deep inside Windows, allowing itself to remain hidden and this avoids easy detection.

“If you can control the MBR, you can control the operating system and therefore the computer it resides on,” said Elia Florio on security company Symantec’s blog.

Elia Florio also noted that many viruses dating from the days before Windows used the Master Boot Record to get a grip on a computer.

Once Mebroot is installed, the virus usually downloads other malicious programs such as keyloggers on to the computer. Keyloggers are the programs that assist remote coders in stealing confidential information such as online bank logins.

Now, most of these downloaded malicious programs remain dormant on a computer until the owner logs in to the online banking system that he/she usually accesses. Once this happens, the banking details are easily extracted using keyloggers.

Incidentally, the Russian virus-writing group, who wrote Mebroot is also believed to have written the torpig family of viruses that were successfully installed in over 2,00,000 computers worldwide.

As of now, security firm GMER has managed to produce a utility that will scan and remove the stealthy virus.

It is also known that computers which run Windows XP, Vista, Windows Server 2003 and Windows 2000 that are not fully patched are very vulnerable to the Mebroot virus.