Issue:
Malicious code has been found in the MBR (Master Boot Record). How should I proceed with further investigation?
Resolution:
Collect the MBR log from the infected machine so that F-Secure can investigate whether this is a genuine infection or a false positive from the F-Secure product.
Log Collection Instructions:
- Install Sector Inspector ("secinspect.msi") on the infected machine and note the installation directory. Download link: https://www.microsoft.com/en-us/download/details.aspx?id=19470
- Locate the installation directory: C:\Program Files\Windows Resource Kits\Tools or C:\Program Files (x86)\Windows Resource Kits\Tools
- Execute "secinspect.exe" from cmd, redirecting its output to a log file: secinspect.exe > <log name>MBR.log
- Collect the generated "<log name>MBR.log" file.
- Once the log has been collected, you can uninstall the tool by running the same installer file ("secinspect.msi") and choosing the uninstall option.
Once "<log name>MBR.log" has been collected, submit it through the Submit a Sample service portal (https://www.f-secure.com/en/web/labs_global/submit-a-sample) for further investigation. Select "I want to give more details about this sample and to be notified of the analysis results". The Malware team will investigate the log and provide remediation instructions for further clean-up.
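The log collection steps above as a single PowerShell script (an added example, not part of this F-Secure article): it looks for secinspect.exe in both installation directories listed above, runs it with no arguments exactly as the article does, names the log after the hostname, and records the log's SHA-256 so the file uploaded to Submit a Sample can later be matched to this collection. It assumes an elevated PowerShell session, since the tool reads raw disk sectors.

```powershell
# Added example: collect a Sector Inspector MBR log for sample submission.
# Assumption: run from an elevated (administrator) PowerShell session.

# Both installation directories named in the article.
$candidates = @(
    'C:\Program Files\Windows Resource Kits\Tools\secinspect.exe',
    'C:\Program Files (x86)\Windows Resource Kits\Tools\secinspect.exe'
)
$exe = $candidates | Where-Object { Test-Path -LiteralPath $_ } | Select-Object -First 1
if (-not $exe) {
    Write-Error 'secinspect.exe not found; install secinspect.msi first.'
    exit 1
}

# Log name follows the article's "<log name>MBR.log" pattern, using the hostname.
$outDir  = [Environment]::GetFolderPath('Desktop')
$logPath = Join-Path $outDir ("{0}MBR.log" -f $env:COMPUTERNAME)

# Same invocation as the article: no arguments, output redirected into the log file.
& $exe 2>&1 | Out-File -FilePath $logPath -Encoding ascii
if ($LASTEXITCODE -ne 0) {
    Write-Warning "secinspect.exe exited with code $LASTEXITCODE; review the log before submitting."
}

# Record size and hash so the submitted file can be matched to this collection.
$size = (Get-Item -LiteralPath $logPath).Length
$hash = (Get-FileHash -LiteralPath $logPath -Algorithm SHA256).Hash
Write-Output "Log written to: $logPath ($size bytes)"
Write-Output "SHA256: $hash"
```

Keep the printed hash with your Submit a Sample ticket details so the analysts can confirm they received the unaltered log.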