Saturday, December 4, 2010

My PC Was Stoned by Ransom Seftad

If you are unlucky enough to be one of the victims of the Seftad MBR ransomware, do not worry: this MBR infector does not do what it claims. It does not encrypt your hard drive at all; it merely overwrites the MBR of your hard disk drive:

Original Clean MBR

Seftad infected MBR

Basically, it replaces the original MBR with a malicious one that is 3 sectors long. The original MBR is not destroyed but stored a few sectors further on, at byte offset 0x800 on the disk (sector 4 with 512-byte sectors, counting the MBR itself as sector 0), so everything the clean MBR held, including the partition table, is still on the disk, just relocated.

The password the user types in is reduced to a one-word (16-bit) hash and compared against a value stored inside the malicious code; that stored value can be found here:

The address 7FFA is a real-mode memory address, not a file offset. In the 3-sector image on disk the stored hash sits at offset 0x5FA (7FFA - 5FA = 7A00, so the three sectors evidently reside at 0x7A00 once loaded, not at the 0x7C00 the BIOS initially loads sector 0 to):

which is the word 0x3c01 (stored little-endian on disk, so it appears as the bytes 01 3c).

In any case, this MBR infection is easily undone with the Windows Recovery Console's 'fixmbr' command, which rewrites the boot code in sector 0 while leaving the partition table in place (on Vista and Windows 7 the equivalent is 'bootrec /fixmbr' from the recovery environment). Because the original MBR is still sitting at offset 0x800, you can also copy that sector back over sector 0 with a disk editor, which restores the exact boot code the disk had before.
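The disk layout and the password check described above, as a worked example in Python that is added here and is not part of the original post or of the malware itself. It assumes 512-byte sectors (which the 0x800 offset implies), takes the three numbers from the post (3-sector payload, original MBR at 0x800, hash word at 0x5FA), and builds a constructed disk image rather than a real capture. The plausibility heuristics `looks_like_mbr` and `suspicious_layout` are my own, not something the infector or the post defines, and `restore_image` does the copy-sector-4-back-over-sector-0 repair rather than what fixmbr does:

```python
import struct

SECTOR = 512                 # the post's 0x800 offset implies 512-byte sectors
BACKUP_OFFSET = 0x800        # the post: original MBR stored at this disk offset (LBA 4)
HASH_OFFSET = 0x5FA          # the post: hashed password word sits here in the 3-sector image
PAYLOAD_SECTORS = 3          # the post: the malicious code spans 3 sectors
BOOT_SIG = b"\x55\xAA"


def read_sector(img: bytes, lba: int) -> bytes:
    start = lba * SECTOR
    if len(img) < start + SECTOR:
        raise ValueError(f"image too short for LBA {lba}")
    return img[start:start + SECTOR]


def looks_like_mbr(sector: bytes) -> bool:
    """Plausibility check (my heuristic): boot signature present and the four
    partition entries carry legal status bytes (0x00 inactive / 0x80 active)."""
    if len(sector) != SECTOR or sector[510:512] != BOOT_SIG:
        return False
    return all(sector[446 + 16 * i] in (0x00, 0x80) for i in range(4))


def password_hash_word(img: bytes) -> int:
    """The word the infector compares the typed password's hash against, read
    little-endian from the on-disk payload (offset 0x5FA, real-mode 0x7FFA)."""
    return struct.unpack_from("<H", img, HASH_OFFSET)[0]


def suspicious_layout(img: bytes) -> bool:
    """Heuristic (mine, not the post's): a normal disk keeps the MBR gap empty, so
    a plausible MBR at LBA 4 that differs from LBA 0 matches the layout described."""
    backup = read_sector(img, BACKUP_OFFSET // SECTOR)
    return looks_like_mbr(backup) and backup != read_sector(img, 0)


def restore_image(img: bytes) -> bytes:
    """Copy the saved MBR from LBA 4 back over LBA 0. Refuses when the backup does
    not look like an MBR, so a clean or differently-infected disk is left alone."""
    backup = read_sector(img, BACKUP_OFFSET // SECTOR)
    if not looks_like_mbr(backup):
        raise ValueError("no plausible MBR at 0x800; not restoring blindly")
    return backup + img[SECTOR:]


# --- constructed sample image (not a real Seftad capture) -------------------
def build_sample_image() -> bytes:
    # A minimal "original" MBR: jmp $ as boot code, one active NTFS-type entry, signature.
    boot_code = b"\xEB\xFE" + b"\x90" * 444                      # 446 bytes
    entry0 = struct.pack("<B3sB3sII", 0x80, b"\x01\x00\x00", 0x07,
                         b"\xFE\xFF\xFF", 2048, 1 << 20)
    ptable = entry0 + b"\x00" * 48                                # 4 x 16 bytes
    original = boot_code + ptable + BOOT_SIG
    assert len(original) == SECTOR

    # Stand-in for the 3-sector infector: NOP filler, the partition table kept in
    # sector 0 so the disk is still bootable, and the hash word 0x3C01 at 0x5FA.
    payload = bytearray(b"\x90" * (PAYLOAD_SECTORS * SECTOR))
    payload[446:510] = ptable
    payload[510:512] = BOOT_SIG
    struct.pack_into("<H", payload, HASH_OFFSET, 0x3C01)

    gap = b"\x00" * SECTOR                                        # LBA 3 unused
    trailing = b"\x00" * (SECTOR * 3)                             # LBA 5..7
    return bytes(payload) + gap + original + trailing


if __name__ == "__main__":
    disk = build_sample_image()
    print(f"layout matches the described infection: {suspicious_layout(disk)}")
    print(f"stored password hash word: 0x{password_hash_word(disk):04X}")
    fixed = restore_image(disk)
    print(f"after restore, LBA 0 is a plausible MBR: {looks_like_mbr(read_sector(fixed, 0))}")
```

On a real disk you would feed `restore_image` the first few sectors read with `dd` from the raw device (and write only sector 0 back), after checking that `password_hash_word` and `suspicious_layout` agree with what the post describes; the refusal in `restore_image` is there because blindly copying LBA 4 over LBA 0 on a disk that was not infected this way would wipe the partition table.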

Signing off @x9090


