Beware of the Rombertik virus

A vicious, yet serendipitously topical computer virus is making the rounds, and it has an added capability that can cause you great difficulty and lost data.

Known as Rombertik, it does what most viruses do: Infects your machine, steals data, remains hidden, that sort of thing. Mundane, in the parlance of malware.

But it has an additional capability that makes it infinitely more insidious: If it determines that it is being searched for or otherwise at risk of being detected, it will delete what is known as the Master Boot Record (MBR) of your machine. The master boot record is what lets your machine boot, and if it is damaged or missing you’ll end up in an endless reboot cycle.

The MBR can be repaired relatively easily, but that doesn’t eliminate the virus. Only a clean Windows install or recently updated antivirus software will do, and the latter may not work since that’s what the virus is watching out for in the first place.
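To make the MBR’s role concrete, here is an added example (my own code, not from the Cisco report or any of the articles linked here) that parses the first 512-byte sector of a disk image, checks the structural pieces a wipe destroys (the 0x55AA boot signature, the bootstrap area, the partition table), and hashes the sector so a copy saved while the machine was healthy can be compared against a later one. The sample sector and its single partition entry are constructed for the demonstration; `read_first_sector` is a helper for reading a real image or block device.

```python
import hashlib
import struct

# Classic (non-GPT) MBR layout: 446 bytes of bootstrap code, a 64-byte
# partition table (four 16-byte entries), then the boot signature 0x55 0xAA.
MBR_SIZE = 512
BOOTSTRAP_SIZE = 446
PARTITION_ENTRY_SIZE = 16
PARTITION_ENTRIES = 4
BOOT_SIGNATURE = b"\x55\xaa"


def parse_partition_entry(entry: bytes) -> dict:
    """Decode one 16-byte partition entry; the CHS fields are skipped."""
    status, ptype, lba_start, sectors = struct.unpack("<B3xB3xII", entry)
    return {
        "bootable": status == 0x80,
        "type": ptype,
        "lba_start": lba_start,
        "sectors": sectors,
    }


def parse_mbr(mbr: bytes) -> dict:
    """Split a 512-byte sector into bootstrap, partition table and signature checks."""
    if len(mbr) != MBR_SIZE:
        raise ValueError(f"expected {MBR_SIZE} bytes, got {len(mbr)}")
    table = mbr[BOOTSTRAP_SIZE:BOOTSTRAP_SIZE + PARTITION_ENTRY_SIZE * PARTITION_ENTRIES]
    entries = [
        parse_partition_entry(table[i:i + PARTITION_ENTRY_SIZE])
        for i in range(0, len(table), PARTITION_ENTRY_SIZE)
    ]
    return {
        "bootstrap_all_zero": not any(mbr[:BOOTSTRAP_SIZE]),
        "signature_ok": mbr[MBR_SIZE - 2:] == BOOT_SIGNATURE,
        # Partition type 0x00 marks an unused slot.
        "partitions": [e for e in entries if e["type"] != 0],
    }


def mbr_problems(mbr: bytes) -> list:
    """Return reasons the sector would not boot; an empty list means it looks intact."""
    info = parse_mbr(mbr)
    problems = []
    if not info["signature_ok"]:
        problems.append("missing 0x55AA boot signature")
    if info["bootstrap_all_zero"]:
        problems.append("bootstrap code area is all zeros")
    if not info["partitions"]:
        problems.append("partition table is empty")
    elif not any(p["bootable"] for p in info["partitions"]):
        problems.append("no partition is marked active")
    return problems


def mbr_digest(mbr: bytes) -> str:
    """SHA-256 of the sector, to compare against a baseline taken while the machine was healthy."""
    return hashlib.sha256(mbr).hexdigest()


def read_first_sector(path: str) -> bytes:
    """Read sector 0 from a disk image or block device (a raw device such as /dev/sda needs root)."""
    with open(path, "rb") as f:
        return f.read(MBR_SIZE)


def build_sample_mbr() -> bytes:
    """Constructed sample: placeholder bootstrap bytes plus one active NTFS partition."""
    bootstrap = b"\x33\xc0" + b"\x90" * (BOOTSTRAP_SIZE - 2)  # xor ax,ax then NOP filler
    active_ntfs = struct.pack(
        "<B3sB3sII",
        0x80,             # status: active/bootable
        b"\x20\x21\x00",  # CHS start (ignored by the parser)
        0x07,             # type 0x07: NTFS/exFAT
        b"\xfe\xff\xff",  # CHS end (ignored by the parser)
        2048,             # first LBA
        204800,           # sector count (100 MiB at 512-byte sectors)
    )
    empty_slots = b"\x00" * (PARTITION_ENTRY_SIZE * (PARTITION_ENTRIES - 1))
    return bootstrap + active_ntfs + empty_slots + BOOT_SIGNATURE


if __name__ == "__main__":
    good = build_sample_mbr()
    wiped = bytes(MBR_SIZE)  # what the sector looks like after being zeroed out
    print("sample:", mbr_problems(good) or "intact")
    print("wiped: ", mbr_problems(wiped))
    print("baseline digest:", mbr_digest(good))
```

The structural checks only cover classic MBR disks; a GPT disk carries a protective MBR that passes them, so an empty problem list is not proof of health. The digest comparison against a baseline is the stronger check, and it is also what tells you whether a repair tool has put back the sector you had rather than a generic one.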

According to the linked article, it also installs decoy functions to distract antivirus software, can encrypt your home folder, and can overwhelm system memory in an attempt to stay hidden.

The infection vector is an attachment to a phishing email. I hope we all know never to open attachments from people we don’t know. As long as you don’t, you’ll be safe.

Many of the articles I have read about it, including the one I linked to earlier, say that the virus “destroys computers.” That’s not true. It does significant damage to the OS, but not to the underlying hardware, so don’t let journalistic hyperbole worry you more than it should. But absolutely do be careful with unknown emails!

Excruciating detail can be found at the original report on Rombertik from Cisco’s blog.