Full Version: kd.exe - MBR KILLER
B.I.S.S. Forums > Malware Research Forum > Malware Playground
Kimberly
A very dangerous file is circulating on the web and it kills your MBR. The file was discovered by a member of the Kaspersky forums. The file seems to be from China as seen in its properties.

<h4>
File details
</h4>
Filename: kd.exe

File size: 40960 bytes
MD5...: cf583f75125d50dd0cab5a7f09fa5a2c
SHA1..: 11a17ea21a4f124adb1009babd1df4b6b06fb961
SHA256: 6fe93e0a93972a4ff22e62066780de0a6021ccd3e81fd751a5741c8195f49e54
SHA512: 80d1a0b6911e3f80a99ac1da5d14de2b920ddd11dfbe9080a49ee761ddf0a5ee090c654ad41059f323caf083a3ea7891f38eeb2778499803c06fdf605bcfe49f
PEiD..: Microsoft Visual C++ 6.0
QUOTE
File kd.exe_ received on 06.26.2008 15:07:53 (CET)
AhnLab-V3 2008.6.26.0 2008.06.26 -
AntiVir 7.8.0.59 2008.06.26 -
Authentium 5.1.0.4 2008.06.25 -
Avast 4.8.1195.0 2008.06.26 -
AVG 7.5.0.516 2008.06.25 -
BitDefender 7.2 2008.06.26 -
CAT-QuickHeal 9.50 2008.06.25 -
ClamAV 0.93.1 2008.06.26 -
DrWeb 4.44.0.09170 2008.06.26 -
eSafe 7.0.17.0 2008.06.25 -
eTrust-Vet 31.6.5907 2008.06.26 -
Ewido 4.0 2008.06.26 -
F-Prot 4.4.4.56 2008.06.25 -
F-Secure 7.60.13501.0 2008.06.24 -
Fortinet 3.14.0.0 2008.06.26 -
GData 2.0.7306.1023 2008.06.26 -
Ikarus T3.1.1.26.0 2008.06.26 -
Kaspersky 7.0.0.125 2008.06.26 Trojan.Win32.Small.bgo
McAfee 5325 2008.06.25 -
Microsoft 1.3704 2008.06.26 -
NOD32v2 3221 2008.06.26 -
Norman 5.80.02 2008.06.26 -
Panda 9.0.0.4 2008.06.26 -
Prevx1 V2 2008.06.26 -
Rising 20.50.32.00 2008.06.26 Harm.Win32.KillMBR.a
Sophos 4.30.0 2008.06.26 -
Sunbelt 3.0.1153.1 2008.06.15 -
Symantec 10 2008.06.26 -
TheHacker 6.2.92.362 2008.06.26 -
TrendMicro 8.700.0.1004 2008.06.26 -
VBA32 3.12.6.8 2008.06.26 -
VirusBuster 4.5.11.0 2008.06.23 -
Webwasher-Gateway 6.6.2 2008.06.26 -
<h4>
Notes
</h4>
Process Monitor does reveal some interesting things. The program writes directly to the raw physical disk: 512 bytes at offset 0 of \Device\Harddisk0\DR0, which is the MBR.
Sequence: 7620
Date & Time: 6/26/2008 4:08:45 PM
Event Class: File System
Operation: IRP_MJ_WRITE
Result: SUCCESS
Path: \Device\Harddisk0\DR0
TID: 200
Duration: 0.0051853
Offset: 0
Length: 512
I/O Flags: Non-cached
The damage will be visible upon reboot as you will be presented with the following message:
Reboot and Select proper Boot device
or Insert Boot Media in selected Boot device.
At this point, the only thing we can do is start the Recovery Console from the OS disk. Usually you are presented with a screen where you have to select your Windows installation and enter your admin password, but here we get the following message:
The path or file specified is not valid.
At this point, we attempt a fixmbr command.
FIXMBR could not detect a master boot record signature.
The rest of the message can be safely ignored as reported here.
This computer appears to have a non-standard or invalid master boot record. FIXMBR may damage your partition tables if you proceed. This could cause all the partitions on the current hard disk to become inaccessible. If you are not having problems accessing your drive, do not continue. Are you sure you want to write a new MBR?
After we successfully wrote a new MBR, let's remove the XP CD and reboot. Houston, we've got a serious problem ... Our OS still doesn't boot and we see the following message:
Invalid partition table.
We need to start the Recovery Console again at this point. We are still not presented with the select OS installation and admin password prompts. We find ourselves at the root folder again. Typing the command dir gives us the following error message:
An error occurred during directory enumeration.
Let's use diskpart and see what information we can gather about the partition.
Partition1 [Unknown] - 65535 MB Free
All our data on the HDD is just "gone" ... As a matter of fact, performing a fixmbr command was useless. When we first booted to the Recovery Console, a diskpart command would have revealed that we have no partition at all. I'm just curious about the 4 MB of difference between the 2 "free space" reports, 65535 MB & 65531 MB ....
Below is a screenshot of the difference between a healthy MBR and the "infected" MBR.
QUOTE
File copy_of_sector_00 received on 06.26.2008 17:26:45
AhnLab-V3 2008.6.26.0 2008.06.26 -
AntiVir 7.8.0.59 2008.06.26 -
Authentium 5.1.0.4 2008.06.25 -
Avast 4.8.1195.0 2008.06.26 -
AVG 7.5.0.516 2008.06.26 -
BitDefender 7.2 2008.06.26 -
CAT-QuickHeal 9.50 2008.06.26 -
ClamAV 0.93.1 2008.06.26 -
DrWeb 4.44.0.09170 2008.06.26 -
eSafe 7.0.17.0 2008.06.26 -
eTrust-Vet 31.6.5907 2008.06.26 -
Ewido 4.0 2008.06.26 -
F-Prot 4.4.4.56 2008.06.25 -
F-Secure 7.60.13501.0 2008.06.24 -
Fortinet 3.14.0.0 2008.06.26 -
GData 2.0.7306.1023 2008.06.26 -
Ikarus T3.1.1.26.0 2008.06.26 -
Kaspersky 7.0.0.125 2008.06.26 -
McAfee 5325 2008.06.25 -
Microsoft None 2008.06.26 -
NOD32v2 3221 2008.06.26 -
Norman 5.80.02 2008.06.26 -
Panda 9.0.0.4 2008.06.26 -
Prevx1 V2 2008.06.26 -
Rising 20.50.32.00 2008.06.26 -
Sophos 4.30.0 2008.06.26 -
Sunbelt 3.0.1153.1 2008.06.15 -
Symantec 10 2008.06.26 -
TheHacker 6.2.92.362 2008.06.26 -
TrendMicro 8.700.0.1004 2008.06.26 -
VBA32 3.12.6.8 2008.06.26 -
VirusBuster 4.5.11.0 2008.06.23 -
Webwasher-Gateway 6.6.2 2008.06.26 -
Right now I have no idea if the damage is "real" ... meaning ... has the partition really been wiped out, or can it be undone?
Kimberly
A little bit more information on what exactly happened to our MBR and Partition Table, thanks to antnet, who was kind enough to have a peek at the file.

Quote author=antnet
As it shows in those fixmbr screen shots, the MBR is now invalid. One reason being that all boot records must have the signature 0x55AA as the last two bytes in the block. The partition table is also invalid, since most of it has been XORed with 0x1A (including the first byte of the signature) and the boot indicator is invalid.

Although fixmbr may have restored the boot loader program it can't do much about the corrupt partition table.

The malware doesn't change the boot code but sets the following bytes in the partition table:

Offset  Value  Description
0x1BE   0x50   boot indicator (0x80 = active, 0 = not active)
0x1BF   0      starting head (invalid?)
0x1C2   5      system indicator (extended partition)

Then from 0x1C3 to 0x1FE the bytes are XORed with 0x1A.

Quoted with his permission.
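As an added example (not code from the thread, mbrsaver or TestDisk), the following Python parses a 512-byte MBR image, such as the mymbr.bin that mbrsaver saves later in the thread, checks the points antnet lists, and models the fixmbr behaviour Microsoft describes in the note quoted further down: only the 446-byte boot code is rewritten, and the partition table is zeroed when the signature word is missing. The sample MBR and the damage fixture are constructed in memory; the assumption that fixmbr also writes a fresh 55 AA is mine.

```python
"""Parse a 512-byte MBR image and flag the damage this thread describes (added example)."""
import struct

SECTOR = 512
PT_OFFSET = 0x1BE          # first of the four 16-byte partition entries
SIG_OFFSET = 0x1FE         # signature word, bytes 55 AA on disk
BOOT_CODE_LEN = 446        # bytes fdisk /mbr and fixmbr rewrite (Microsoft note quoted in the thread)
XOR_KEY = 0x1A             # key antnet observed over 0x1C3..0x1FE
ENTRY_FMT = "<BBBBBBBBII"  # boot, start H/S/C, system id, end H/S/C, LBA start, sector count

def parse_entry(mbr, n):
    """Decode partition entry n (0..3) into its fields."""
    keys = ("boot", "start_head", "start_sector", "start_cyl", "system_id",
            "end_head", "end_sector", "end_cyl", "lba_start", "sector_count")
    return dict(zip(keys, struct.unpack_from(ENTRY_FMT, mbr, PT_OFFSET + 16 * n)))

def diagnose(mbr):
    """Return findings for the checks discussed in the thread; [] means none triggered."""
    findings, populated = [], 0
    sig = mbr[SIG_OFFSET:SIG_OFFSET + 2]
    if sig != b"\x55\xAA":
        findings.append(f"signature word missing (got {sig.hex()}): fixmbr would zero the table")
        if sig == bytes([0x55 ^ XOR_KEY, 0xAA]):
            findings.append("first signature byte is 0x55 XOR 0x1A: matches the kd.exe pattern")
    for n in range(4):
        e = parse_entry(mbr, n)
        if e["boot"] not in (0x00, 0x80):
            findings.append(f"entry {n}: boot indicator 0x{e['boot']:02X} is neither 0x00 nor 0x80")
        if e["system_id"] == 0 and e["sector_count"] == 0:
            continue                               # empty slot
        populated += 1
        if e["system_id"] == 0x05 and e["start_head"] == 0:
            findings.append(f"entry {n}: system id 0x05 with starting head 0, as in the thread")
    if populated == 0:
        findings.append("partition table is empty: no partition defined at all")
    return findings

def healthy_sample_mbr():
    """Constructed sample: one active NTFS (0x07) partition from LBA 63 plus dummy boot code."""
    mbr = bytearray(SECTOR)
    mbr[:3] = b"\x33\xC0\x8E"                      # stand-in for real boot code
    mbr[PT_OFFSET:PT_OFFSET + 16] = struct.pack(
        ENTRY_FMT, 0x80, 0x01, 0x01, 0x00, 0x07, 0xFE, 0xFF, 0xFF, 63, 134217665)
    mbr[SIG_OFFSET:SIG_OFFSET + 2] = b"\x55\xAA"
    return bytes(mbr)

def apply_described_damage(mbr):
    """In-memory test fixture reproducing the byte changes antnet listed; touches no disk."""
    m = bytearray(mbr)
    m[0x1BE], m[0x1BF], m[0x1C2] = 0x50, 0x00, 0x05
    for i in range(0x1C3, 0x1FF):                  # 0x1C3..0x1FE inclusive
        m[i] ^= XOR_KEY
    return bytes(m)

def model_fixmbr(mbr):
    """Model of fdisk /mbr / fixmbr per the quoted Microsoft note: new boot code only, but the
    table is zeroed when the signature word is missing (assumed: a fresh 55 AA is written)."""
    m = bytearray(mbr)
    m[:BOOT_CODE_LEN] = b"\xFA\x33\xC0" + bytes(BOOT_CODE_LEN - 3)   # stand-in boot code
    if m[SIG_OFFSET:SIG_OFFSET + 2] != b"\x55\xAA":
        m[PT_OFFSET:SIG_OFFSET] = bytes(64)
        m[SIG_OFFSET:SIG_OFFSET + 2] = b"\x55\xAA"
    return bytes(m)
```

On a real dump, `diagnose(open("mymbr.bin", "rb").read())` lists what is wrong before any repair tool is run; the XOR step itself is reversible, which is what makes the table recoverable when the signature byte is all that fixmbr objects to.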
Kimberly
References to read: Chapter 32 - Disk Concepts and Troubleshooting.

kd.exe aka Trojan.Win32.Small.bgo / Harm.Win32.KillMBR.a is a nifty one. After doing some research, we notice that only the Partition Table has been affected. The Boot Indicator field has been changed, the System ID Value has been modified to 0x05 (Extended partition), the Starting Head (normally 0x01) seems to be modified, Ending Cylinder, Head, .... have been XORed, and so was the end of the MBR, which is a 2-byte structure called a signature word or end-of-sector marker and is always set to 0x55AA.

DO NOT RUN FIXMBR if you have been hit by this "infection" ... Why ?
QUOTE
Running Fdisk /mbr in MS-DOS overwrites only the first 446 bytes of the MBR, the portion known as the master boot code, leaving the existing partition table intact. However, if the signature word, the last two bytes of the MBR, has been deleted, the partition table entries are overwritten with zeroes. If an MBR virus overwrites the signature word, access to all partitions and logical volumes is lost.

Fixmbr command
The Recovery Console, a new troubleshooting tool in Windows 2000, offers a feature called Fixmbr. However, it functions identically to the Fdisk /mbr command, replacing only the master boot code and not affecting the partition table.
Our signature word 0x55AA has been "overwritten" by kd.exe, since it was XORed !!!

<h4>
How to ...
</h4>
A Google search turns up many tools that fix MBR & partition issues, but with 1 major glitch ... you have to run them from inside your OS ... whoops, that sucks if you can't boot into XP and if you can't slave the disk to a healthy system. Linux boot disks are an alternative and I will try to cover one in my next post. The rest of this post will be dedicated to a preventive measure: backing up your existing MBR record using a floppy and restoring the MBR if you are hit by this nasty.

First you need to make a DOS boot disk as follows:
  1. Insert a floppy disk into the floppy drive.
  2. Click Start > My Computer.
  3. Select the floppy drive letter - usually A:
  4. Right-click A: and select Format.
  5. Put a checkmark next to "Create an MS-DOS startup disk".
  6. Click Start.
  7. OK the warning box.
  8. Once the format has completed, you will get an OK box.
Next you need to download a program able to make a backup of your MBR. We will use mbrsaver included into dsrfix which is used on Dell computers usually due to their special boot code.
  1. Download dsrfix.zip to your desktop.
  2. Extract all files into a folder on your desktop - for example a folder called dsrfix.
  3. Open the newly created folder and copy mbrsaver.com to your floppy. In the example we used the Send To command but you can use copy / paste or drag and drop to perform this.
Save the MBR.
  1. Shut down Windows and reboot.
  2. Change your boot sequence in the BIOS if it is not set to boot from floppy - the BIOS setup is usually triggered by hitting DEL or F2 at system restart.
  3. The option is generally found under Boot Device Priority. Make the needed changes and save the new configuration.
  4. Now your system should boot from the newly created floppy. At the command prompt type: mbrsaver /s mymbr.bin followed by enter. You will get a successfully saved message.
  5. Remove the floppy from your drive and put it in a safe place.
Using your MBR backup with this particular "infection".
  1. Insert your backup floppy into the computer. Make sure your BIOS is set to boot from it.
  2. At the command prompt type: mbrsaver /r mymbr.bin followed by enter. You will be asked 3 questions. Since only the partition table is affected, we don't need to restore the boot code or the disk id. So answer 'N', 'N', 'Y' to MBRsaver's three prompts, then confirm your choices by answering 'Y' to the final prompt.
  3. Remove the floppy and reboot. Your OS should load just fine now.
In the next part we will cover:
  • Saving your MBR using a Bootable CD / USB pendrive.
  • Fixing the Partition Table using a Linux boot CD (if possible).
Kimberly
mbrsaver.com is a pain to run off a CD, as you can't specify the drive where the file should be saved. Of course you could always create a bootable CD that includes DOS USB drivers, copy mbrsaver onto the USB pendrive / key, and you might be able to work around that. Some good DOS USB drivers are available here. Scroll down and look for USB-DOS files on the left. They are the Panasonic generic drivers. Do a Google search on bootable CD and you will find some good resources. Just make sure that mbrsaver.com is on the flash drive and not on the CD.

Flash drives are inexpensive and most computers can boot from them. Couple of things to consider first:
  1. The PC has to support booting from a USB flash drive. There may be anywhere from 1-3 items to change in the BIOS to make this possible, assuming your BIOS supports it. Some BIOSes may refer to your flash drive as a USB floppy, USB Flash Disk, RMD-FDD, USB ZIP, USB HDD or USB CD-ROM. A little trial and error may be needed here to make sure you have chosen the right boot device. Consult your motherboard manual on how to set up support for USB booting. You might need to enable Legacy USB support too for this. In some BIOSes (mainly AMI) you might also need to change the order of the devices listed under Removable Drives.
  2. The next thing you will need for this is a compatible USB flash drive. Most drives are bootable but some are not. The Internet is your best source here. Try to find a drive which has been used successfully in the past, like Corsair's Flash Voyager. I have tried myself with a couple of drives and I didn't encounter any trouble except with the brand NEO.
  3. The flash drive must contain the boot/system files.
  4. The flash drive must have a boot sector area. This is done with special utilities.
<h4>
Method one
</h4>
If you are the owner of a Flash device that has 2 partitions, one that acts as a floppy and the rest as a removable drive, then you are very lucky.
  1. Simply right click the "floppy part", select format and put a checkmark next to "Create an MS-DOS startup disk".
  2. Download dsrfix.zip to your desktop.
  3. Extract all files into a folder on your desktop - for example a folder called dsrfix.
  4. Open the newly created folder and copy mbrsaver.com to your Flash drive.
<h4>
Method two
</h4>
MKBT & bootsector / system files.
  1. Insert your flash disk.
  2. Click Start > My Computer.
  3. Select the USB Flash drive letter and right-click on it. Select Format. From the File system drop-down box select FAT - don't leave it on FAT32.
  4. Download MKBT from here.
  5. Create a new folder called mkbt20 at the root of your HDD - usually c:\ - thus the folder will be c:\mkbt20
  6. Extract the files from the zip archive into the newly created folder.
  7. Download sysfiles.zip (boot sector image and system files) from here.
  8. Unzip to c:\mkbt20.
  9. The content in c:\mkbt20 should look like this.
  10. Take note of the letter given by the OS to your flash drive, in our tutorial this is F: but it may vary on your system configuration.
  11. Click Start > Run
  12. Type cmd.exe in the edit box followed by enter.
  13. A command prompt window will open.
  14. Type the following commands followed by enter (Assuming you have extracted the files to c:\mkbt20).
    • cd c:\mkbt20
    • mkbt -x bootsect.bin F:
    Note: Ignore the type mismatch error msg.
  15. Open the c:\mkbt20\Files folder and copy all files to your USB flash drive.
<h4>
Method three
</h4>
HP Drive Key Boot Utility.
  1. Download a floppy image (floppy.zip) from here.
  2. Unzip to your desktop.
  3. Download HP Drive Key Boot Utility from here.
    Note: HP download links change very often, just do a search for cp006049.exe or Drive Key Boot Utility on their website.
  4. Install the program by clicking on cp006049.exe.
  5. After installation the utility will place a shortcut in HP System Tools in the Programs start menu folder.
  6. Place your USB drive key in an available USB port and start the program. Follow the steps as seen in the screenshots.
  7. Once arrived at the Image key screen, navigate to your desktop and select Floppy.IMG
  8. Follow instructions to complete the creation of your bootable USB Flash drive.
<h4>
Save / Restore MBR
</h4>
Save the MBR.
  1. Connect your Flash drive if not yet done, shut down Windows and reboot.
  2. Change your boot sequence in the BIOS if it is not set to boot from USB - the BIOS setup is usually triggered by hitting DEL, F2 or F10 at system restart.
  3. At the command prompt type: mbrsaver /s mymbr.bin followed by enter. You will get a successfully saved message.
  4. Remove the Flash drive from your system and put it in a safe place.
Using your MBR backup with this particular "infection".
  1. Insert your backup Flash drive into the computer. Make sure your BIOS is set to boot from it.
  2. At the command prompt type: mbrsaver /r mymbr.bin followed by enter. You will be asked 3 questions. Since only the partition table is affected, we don't need to restore the boot code or the disk id. So answer 'N', 'N', 'Y' to MBRsaver's three prompts, then confirm your choices by answering 'Y' to the final prompt.
  3. Remove the Flash drive and reboot. Your OS should load just fine now.
<h4>
Particular cases
</h4>
If your USB Flash drive shows up as C:\ instead of A:\ you will have to adjust the mbrsaver options:
mbrsaver /s /X mymbr.bin to save, or mbrsaver /r /X mymbr.bin to restore.
Where X is:

/81 Directs mbrsaver to access second hard disk.
/82 Directs mbrsaver to access third hard disk.
/83 Directs mbrsaver to access fourth hard disk.

/80 This is the default if no disk number is entered. Disk numbers follow the bios convention of referencing hard disks, using hexadecimal codes 80-83h.
______________________________

If you can't boot with 1 of the 3 methods described above, try to set up your flash drive as a Hard drive instead of a Floppy with the HP Drive Key Boot Utility. You will have to use the /81 switch in mbrsaver when performing this.
Kimberly
<h4>
Fixing
</h4>
If you didn't backup your MBR before you got hit by this nasty, you will have quite some work to do while "attempting" to fix the mess. This part is for advanced users and tested on Windows XP Service Pack 2 only. The procedure below comes with ABSOLUTELY NO WARRANTY - USE AT YOUR OWN RISK.

I opted for TestDisk, included in RIP Linux. The very latest version of TestDisk is included in that distro, and we need an alternative OS anyway to fix our Partition Table.

You will need a machine with a CD/DVD burner, and your burning software must be capable of creating a CD from an ISO image. Nero and Roxio Easy CD Creator include that capability. If you don't have either of those, ImgBurn will do the trick.
  1. Download the Bootable CD ISO (RIPLinuX-6.0.iso) from here. It's the first iso image on the page.
  2. Launch your burning software and burn the iso. Image should be burned in Data Mode 1 - RAW 2048.
  3. I've used Nero to perform that.
    • Discard the wizard, select File > Open.
    • Navigate to RIPLinuX-6.0.iso and select Open
    • Make sure that Finalize CD is checked and burn the iso.
  4. Insert the newly created CD in your PC and change your boot sequence in the BIOS if it is not set to boot from CD-ROM - the BIOS setup is usually triggered by hitting DEL, F10 or F2 at system boot.
  5. Leave the default option of Boot Linux rescue system! if you need to change your keymap (keyboard layout if non-English OS); otherwise select Boot Linux rescue system! (skip keymap prompt).
  6. Linux will now detect your hardware and load the needed drivers. A small menu will be shown as seen below. Type root next to login followed by enter.
  7. At the # prompt, type pdmenu followed by enter.
  8. Using the arrow keys, highlight Partition tools menu and hit enter.
  9. Using the arrow keys, highlight Testdisk - scan & repair partitions and hit enter.
  10. TestDisk will now start. Use the arrows to highlight No Log and hit Enter.
  11. After a short analysis, you will be presented with a list of the media present on your PC. Normally the first selection should be your primary disk, the one we want to repair. Next select Proceed.
  12. Leave the default selection of Intel and press enter.
  13. Leave Analyse highlighted and hit enter.
  14. At this stage, the program should notify us that the endmark 0xAA55 is missing. Leave Quick Search selected and hit enter.
  15. Answer N for No at the Vista question since we are talking about XP here.
  16. You might get a warning about heads per cylinders ... just continue.
  17. Normally you should not change anything on the next screen. Just make sure that the partition is marked as Primary bootable shown by the * in front of the System ID Value.
  18. If you want, as a test, hit P to list files. If you can see them, you should be ok. Return to the previous screen. Hit Enter to continue.
  19. Using the arrow keys, select Write and confirm your choice on the next screen with Y. At the "You will have to reboot" message ... Ok that by hitting enter.
  20. Using the arrow keys, select Quit and again Quit.
  21. Highlight Main Menu followed by Enter.
  22. Select Exit and hit enter.
  23. At the # prompt, type reboot.
  24. Linux will unmount etc ... and reboot your PC.
  25. Hit DEL, F10 or F2 to enter the BIOS and remove the Linux CD. Leave the option to boot from your CD/DVD and follow instructions below.
Note: some screens will be different, based on your hardware and filesystem.

Now ... TestDisk does mark the MBR with its own code. I preferred to restore the default one, because otherwise Windows will complain about new hardware found etc ...
  1. Insert your XP cd.
  2. Boot to the recovery console - Starting the Windows Recovery Console.
  3. After you enter the number for the appropriate Windows installation, Windows will then prompt you to enter the Administrator account password.
  4. Type fixmbr at the prompt and confirm your choice.
  5. Type exit to reboot the PC. Remove the XP bootdisk and boot into Windows normally.
If everything went smoothly you will boot without problems. Out of precaution, run a chkdsk /f from the cmd prompt. When using an NTFS volume you will be prompted to schedule on next reboot. Answer yes and reboot the PC.
Many things can go wrong when performing heavy repair tasks like this. Opt for security and play safe. Backup your MBR before it's too late. Backup your personal files from time to time. Use imaging software like Ghost or Acronis etc ... to save your complete system.