OverwriteMBR
EnigmaSoft Threat Scorecard
Threat Level: 80% (High)
Infected Computers: 3
First Seen: December 28, 2016
Last Seen: February 25, 2020
OS(es) Affected: Windows
OverwriteMBR is a threat that overwrites the victim's MBR (Master Boot Record), the first sector of the system disk, which leaves the affected computer unable to boot. OverwriteMBR was seen being used in a campaign against cheaters of a popular online game.
The Threat Campaign Carried out by OverwriteMBR
Counter-Strike: Global Offensive (CS:GO) is a popular online game that is plagued by cheaters, who use hacks to improve their chances against other players. External Counter-Strike is distributed as a program that lets players see their opponents through in-game obstacles and walls (a so-called wallhack). Such tools are shared on the website Mpgh.net. OverwriteMBR is currently being used to target cheaters who download this product. Judging by the file names and messages associated with OverwriteMBR, the creator of External Counter-Strike is targeting both cheaters and Mpgh.net itself in an attempt to stop cheating in CS:GO. External Counter-Strike includes a PowerShell script that installs OverwriteMBR on any computer on which the cheat package is opened.
How OverwriteMBR Attacks a Computer
When cheaters download the External Counter-Strike package, a ZIP archive named ExternalCounterstrike.zip, they are instructed to extract its contents (two folders) to their desktop and open an SLN file, a Visual Studio solution. When the solution is loaded, a project named 'MBR Virus.dat' is processed. This project contains a PowerShell command that installs OverwriteMBR on the victim's computer; the command runs automatically, without the user invoking it separately. The PowerShell command downloads an executable file named 'fuck_mpgh.exe' from a remote server onto the system drive. Once this file is executed, it overwrites the infected computer's MBR. Note that writing sector 0 of the physical disk requires raw access to the drive, which on current Windows versions means the executable must be running with administrator rights; a user who is not an administrator, or who declines the elevation prompt, would not end up with an overwritten MBR.
The MBR is the first 512-byte sector of the disk. It holds the bootstrap code that the PC firmware loads and runs at power-on, followed by the partition table and the 0x55AA boot signature. That bootstrap code locates the active partition and hands control to the Windows boot manager, which in turn loads the operating system. When OverwriteMBR overwrites the MBR, the firmware no longer finds valid boot code or a valid partition table, so the computer cannot load Windows. When the compromised computer starts up, instead of loading Windows, the following message will appear:
'Multiplayer Game Hacking
As you reboot, you find that something has overwritten your MBR!
It is a sad thing your adventures have ended here.
This is the result of the incompetent file analyzers from MPGH.
If you need cheats, use something else than MPGH.
Greetings from ULLR. <3'
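An incident responder who suspects an MBR overwrite like the one above will want to pull the first sector of the disk and check it rather than trust the boot message alone. The following Python is an added example (not code from the page or from EnigmaSoft): it parses a raw 512-byte MBR using the standard layout (446 bytes of bootstrap code, four 16-byte partition entries, 0x55AA signature) and flags the signs of an overwrite. The two sample sectors are constructed for illustration; the "overwritten" one reuses the message quoted above, and the healthy one carries a minimal partition table.

```python
"""Parse a raw MBR sector and flag signs that it has been overwritten.

Added example, not code from the page or from EnigmaSoft. The layout
constants are the standard MBR format; the two sample sectors below are
constructed for illustration only.
"""
import struct

MBR_SIZE = 512
PART_TABLE_OFFSET = 446
PART_ENTRY_SIZE = 16
BOOT_SIGNATURE = b"\x55\xAA"
# The longest string in a stock Windows MBR is about 30 bytes
# ("Error loading operating system"); anything much longer is suspicious.
LONG_TEXT_THRESHOLD = 40


def parse_mbr(sector: bytes) -> dict:
    """Split a 512-byte sector into bootstrap code, partition entries and signature."""
    if len(sector) != MBR_SIZE:
        raise ValueError("expected a %d-byte sector" % MBR_SIZE)
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFFSET + i * PART_ENTRY_SIZE
        # status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sector-count(4)
        status, ptype, lba_start, count = struct.unpack_from("<B3xB3xII", sector, off)
        partitions.append({"status": status, "type": ptype,
                           "lba_start": lba_start, "sectors": count})
    return {
        "bootcode": sector[:PART_TABLE_OFFSET],
        "partitions": partitions,
        "signature_ok": sector[510:512] == BOOT_SIGNATURE,
    }


def printable_runs(data: bytes, min_len: int = 8) -> list:
    """Return printable-ASCII runs (newlines allowed) of at least min_len bytes, like `strings`."""
    runs, cur = [], bytearray()
    for b in data:
        if 0x20 <= b < 0x7F or b in (0x0A, 0x0D):
            cur.append(b)
        else:
            if len(cur) >= min_len:
                runs.append(cur.decode("ascii"))
            cur = bytearray()
    if len(cur) >= min_len:
        runs.append(cur.decode("ascii"))
    return runs


def assess_mbr(sector: bytes) -> list:
    """Return indicators that the MBR was tampered with; an empty list means it looks sane."""
    mbr = parse_mbr(sector)
    findings = []
    if not mbr["signature_ok"]:
        findings.append("boot signature 0x55AA missing")
    for i, p in enumerate(mbr["partitions"]):
        if p["status"] not in (0x00, 0x80):
            findings.append("partition %d has invalid status byte 0x%02X" % (i, p["status"]))
    if not any(p["type"] != 0 and p["sectors"] != 0 for p in mbr["partitions"]):
        findings.append("no usable partition entry in the table")
    long_text = [s for s in printable_runs(mbr["bootcode"]) if len(s) >= LONG_TEXT_THRESHOLD]
    if long_text:
        findings.append("bootstrap area holds a long text message: %r" % long_text[0][:60])
    return findings


def _partition_entry(status, ptype, lba_start, sectors) -> bytes:
    return struct.pack("<B3xB3xII", status, ptype, lba_start, sectors)


# Constructed healthy MBR: a few bytes of boot code, the stock error string,
# one active NTFS partition starting at LBA 2048, three empty entries, signature.
HEALTHY_MBR = (
    (b"\x33\xC0\x8E\xD0\xBC\x00\x7C\x00" + b"Error loading operating system")
    .ljust(PART_TABLE_OFFSET, b"\x00")
    + _partition_entry(0x80, 0x07, 2048, 204800)
    + bytes(3 * PART_ENTRY_SIZE)
    + BOOT_SIGNATURE
)

# Constructed overwritten MBR: a taunting message written over the sector, modeled
# on the boot message quoted on this page; partition table and signature are gone.
OVERWRITTEN_MBR = (
    b"Multiplayer Game Hacking\r\n"
    b"As you reboot, you find that something has overwritten your MBR!\r\n"
    b"Greetings from ULLR. <3\r\n"
).ljust(MBR_SIZE, b"\x00")


def read_sector0(device_path: str = r"\\.\PhysicalDrive0") -> bytes:
    """Read the real MBR from a raw disk (Windows path shown; needs administrator rights)."""
    with open(device_path, "rb") as disk:
        return disk.read(MBR_SIZE)


if __name__ == "__main__":
    for name, sector in (("healthy", HEALTHY_MBR), ("overwritten", OVERWRITTEN_MBR)):
        print(name, "->", assess_mbr(sector) or "no findings")
```

To check a live machine, run `assess_mbr(read_sector0())` from an elevated prompt, or point `read_sector0` at a forensic image of the disk (`/dev/sdX` on Linux). The partition-table check matters for triage: if the table survived and only the bootstrap code was replaced, the data is intact and the boot code can be rewritten; if the table is zeroed, the volumes are still on disk but have to be located again before anything can be recovered.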
Online Cheating and Threats Like OverwriteMBR
Although there is no justification for the creation and distribution of threats, it is important to note that cheating tools and cracked software are among the most common ways of distributing threats online. Computer users should use legitimate software from reliable sources and avoid pirated software and third-party cheating tools downloaded from shady forums or low-quality websites. While OverwriteMBR is used out of spite to disable users' PCs, the threats most commonly distributed this way are used to collect users' data (such as online banking passwords) or to give the attacker remote access to the victim's computer. A reliable security program that is fully up to date should be capable of detecting and deleting OverwriteMBR before it carries out its attack.
There are connections between OverwriteMBR and other incidents targeting online cheaters or similar websites used to distribute this content. An incident over the summer of 2016 involving Fosshub had numerous elements in common with the OverwriteMBR campaign. The OverwriteMBR boot message is nearly identical to the one displayed when a hacker associated with 'Peggle Crew' gained access to Fosshub and planted threats inside files that were being distributed from that site. The threat inserted into Fosshub used the same approach as OverwriteMBR, overwriting the infected PC's MBR and then displaying a custom message very similar to the one associated with OverwriteMBR. Computers infected by OverwriteMBR and similar threats are difficult to repair. If only the bootstrap code was replaced and the partition table is intact, booting the Windows recovery environment and running 'bootrec /fixmbr' rewrites the boot code and the system can be restored; if the partition table was destroyed as well, the data is still on the disk but the partitions have to be reconstructed before anything can be recovered, and in practice a fresh reinstallation of Windows is often the quickest route.