Dedicated to computer security, pentesting and vulnerabilities, malware updates and analysis
Saturday, December 4, 2010
My PC Was Stoned by Ransom Seftad
If you are unlucky enough to be one of the victims of the Seftad MBR ransomware, do not worry: this MBR infector does not do what it claims. It does not encrypt your hard drive at all; it merely infects the MBR of your hard disk drive:
Original Clean MBR
Seftad infected MBR
Basically, it replaces the original MBR with a malicious one that is 3 sectors in length. The original MBR is stored at the 4th sector, which is offset 0x800.
The password that the user enters is reduced to a word-sized hash value, which can be found here:
The address 7FFA refers to the real-mode address in the boot sector, and the password hash is actually located at offset 0x5FA:
which is 0x3c01.
Nevertheless, this MBR infection can easily be fixed from the Windows Recovery Console with 'Fixmbr'.
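The on-disk layout described above (three sectors of malicious code, the original MBR parked at offset 0x800, and a word-sized password hash at offset 0x5FA) can be checked on a raw disk image, and the parked MBR can be written back over sector 0. The following Python script is an added example, not code from the original post; it assumes 0x5FA is an offset from the start of the infected region on disk and works on a constructed image rather than a real Seftad sample.

```python
import struct

SECTOR = 512
ORIG_MBR_OFFSET = 0x800   # post: original MBR is parked at the 4th sector, offset 0x800
HASH_OFFSET = 0x5FA       # post: word-sized password hash sits at offset 0x5FA (assumed disk-relative)
BOOT_SIG = b"\x55\xAA"

def is_plausible_mbr(sector: bytes) -> bool:
    """Boot signature present, every partition entry has a sane boot flag,
    and at least one entry has a non-zero partition type."""
    if len(sector) != SECTOR or sector[510:] != BOOT_SIG:
        return False
    entries = [sector[446 + 16 * i:462 + 16 * i] for i in range(4)]
    return all(e[0] in (0x00, 0x80) for e in entries) and any(e[4] for e in entries)

def analyse_image(img: bytes) -> dict:
    """What a responder wants from a raw image: does the parked copy at 0x800
    look like a real MBR, does its boot code differ from sector 0, and which
    hash word is stored at 0x5FA."""
    sector0 = img[:SECTOR]
    backup = img[ORIG_MBR_OFFSET:ORIG_MBR_OFFSET + SECTOR]
    return {
        "sector0_is_mbr": is_plausible_mbr(sector0),
        "backup_is_mbr": is_plausible_mbr(backup),
        "boot_code_differs": sector0[:446] != backup[:446],
        "hash_word": struct.unpack_from("<H", img, HASH_OFFSET)[0],
    }

def restore_mbr(img: bytes) -> bytes:
    """Write the parked MBR back over sector 0 (what Fixmbr achieves for the
    boot code); refuses if the parked copy does not look like an MBR."""
    backup = img[ORIG_MBR_OFFSET:ORIG_MBR_OFFSET + SECTOR]
    if not is_plausible_mbr(backup):
        raise ValueError("no plausible MBR at offset 0x800; do not overwrite sector 0")
    return backup + img[SECTOR:]

def build_sample_image() -> bytes:
    """Constructed 5-sector image standing in for an infected disk: sectors 0-2
    hold stand-in boot code with 0x3C01 at 0x5FA, sector 3 is filler, sector 4
    (offset 0x800) is the clean MBR with one bootable NTFS partition."""
    clean = bytearray(SECTOR)
    clean[0:3] = b"\x33\xC0\x8E"           # xor ax,ax / mov ss,ax: typical MBR prologue
    clean[446], clean[450] = 0x80, 0x07    # bootable flag, NTFS type byte
    clean[510:] = BOOT_SIG
    infected = bytearray(3 * SECTOR)
    infected[0:2] = b"\xEB\x1E"            # stand-in jmp; the real code is not reproduced
    infected[510:512] = BOOT_SIG           # sector 0 still needs 0x55AA to be bootable
    struct.pack_into("<H", infected, HASH_OFFSET, 0x3C01)
    return bytes(infected) + bytes(SECTOR) + bytes(clean)
```

On a real image, run `analyse_image` first and only call `restore_mbr` when the parked copy is reported as a plausible MBR, since writing garbage to sector 0 makes the disk unbootable.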
Signing off @x9090
2 comments:
You are becoming very pro in this, dude. :)
What a learner me
Thanks for supporting me, dude :)