Win32/Mebroot

Category: trojan
Detection created: Jan 15, 2008
Signature database version: 10218
Aliases:
  Backdoor.Win32.Sinowal (Kaspersky)
  Trojan.Mebroot (Symantec)
  StealthMBR!mbr.trojan (McAfee)
  BackDoor.MaosBoot (Dr.Web)

Short description

Win32/Mebroot is a trojan that installs Win32/PSW.Sinowal malware. The trojan hides its presence in the system. It uses techniques common for rootkits.


The system is typically infected through a drive-by download while a compromised website is being browsed.

The dropper (malicious installation program) is executed after the web browser has been exploited.

Win32/Mebroot replaces the original MBR (Master Boot Record) of the hard disk drive with its own program code. It also places additional code that is used to load and patch the following files:

  • ntldr
  • ntoskrnl.exe

This causes the trojan to be executed on every system start.
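
A defender's check for the MBR replacement described above, as an added example that is not part of the original description: it compares a 512-byte MBR sector against a known-good baseline region by region, so a rewritten boot-code area stands out even when the partition table is unchanged. Because the trojan hides its presence on the running system, the sector should come from an offline disk image or a trusted boot environment; the function names and the sample sectors are constructed for illustration.

```python
import hashlib
import struct

SECTOR_SIZE = 512
# Classic MBR layout: (start, end) byte offsets of each region.
REGIONS = {
    "boot_code": (0, 440),
    "disk_signature": (440, 446),
    "partition_table": (446, 510),
    "boot_signature": (510, 512),
}

def parse_partitions(sector):
    """Decode the four 16-byte partition entries, skipping empty slots."""
    entries = []
    for i in range(4):
        off = 446 + 16 * i
        status, ptype = sector[off], sector[off + 4]
        lba_start, count = struct.unpack_from("<II", sector, off + 8)
        if ptype:
            entries.append({"slot": i, "active": status == 0x80,
                            "type": ptype, "lba_start": lba_start,
                            "sectors": count})
    return entries

def changed_regions(baseline, current):
    """Return names of MBR regions whose SHA-256 differs from the baseline."""
    for name, sector in (("baseline", baseline), ("current", current)):
        if len(sector) != SECTOR_SIZE:
            raise ValueError(f"{name} sector must be {SECTOR_SIZE} bytes")
    return [name for name, (a, b) in REGIONS.items()
            if hashlib.sha256(baseline[a:b]).digest()
            != hashlib.sha256(current[a:b]).digest()]

def build_sample(boot_fill):
    """Constructed sample sector: filler boot code, one active NTFS partition."""
    entry = struct.pack("<B3sB3sII", 0x80, b"\x00" * 3, 0x07,
                        b"\x00" * 3, 63, 204800)
    table = entry + b"\x00" * 48
    return (bytes([boot_fill]) * 440 + b"\x11\x22\x33\x44\x00\x00"
            + table + b"\x55\xaa")

if __name__ == "__main__":
    known_good = build_sample(0x90)  # constructed baseline sector
    suspect = build_sample(0xCC)     # constructed: same table, new boot code
    print(changed_regions(known_good, suspect))
    print(parse_partitions(suspect))
```
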

Information stealing

Win32/Mebroot is a trojan that installs Win32/PSW.Sinowal malware.

Win32/PSW.Sinowal is a trojan that steals passwords and other sensitive information.

The trojan can log keystrokes and send the information to a remote machine.

Other information

The trojan can download and execute a file from the Internet. It can be controlled remotely.