A recently discovered backdoor sample (detected as Backdoor:Win32/Yonsole.A) can accept and execute a command from a remote server to modify the Master Boot Record (MBR) on the affected machine. The modification to the MBR is like the old "Stoned" virus for DOS. However, in this case, the MBR (the code is shown in Figure 1) does nothing but display a banner in the center of the screen and freeze the PC (figure 2). We detect the new MBR as Trojan:DOS/Yonsole.A.


Figure 1: The MBR code.


Figure 2: The screenshot of bootup.


--Chun Feng