Troj/JadMbr-A
Troj/JadMbr-A is a Trojan: the malicious MBR linked to the Chinese bootkit Guntior. Unlike other bootkits, which compromise the I/O path by setting hooks in the miniport driver, Guntior hooks the IRP_MJ_READ and IRP_MJ_WRITE dispatch routines of the disk class driver (disk.sys). This approach is not as deep as hooking the miniport driver. Typically, an IRP flows from the storage class driver to the port driver, which in turn interfaces with the miniport driver, and the result travels back along the same path; the miniport driver therefore lies closer to the hardware than the storage class driver, and bootkits usually place their hooks there to gain maximum control.

Hooking at such a low level is generally done to subvert attempts by security tools to read and write the disk through storage filter drivers: the hooks disguise the malevolent MBR by returning a clean view of the MBR whenever it is read. The hooks do not actually reside inside the driver that the rootkit downloads, but in an allocated region of kernel memory.
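The hook placement described above suggests a simple memory-forensics check, in the spirit of tools that walk a driver's dispatch table. The following is an added example, not code from this page or from any vendor product: it inspects a constructed snapshot of the disk class driver's MajorFunction table and flags entries that resolve to no loaded kernel module at all, which is the pattern the text describes. The module ranges, addresses and snapshot are hypothetical.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

IRP_MJ_READ = 0x03     # real MajorFunction indices from the WDK
IRP_MJ_WRITE = 0x04
IRP_MJ_MAXIMUM_FUNCTION = 0x1B
IRP_MJ_NAMES = {IRP_MJ_READ: "IRP_MJ_READ", IRP_MJ_WRITE: "IRP_MJ_WRITE"}

@dataclass(frozen=True)
class KernelModule:
    name: str
    base: int
    size: int

    def contains(self, addr: int) -> bool:
        return self.base <= addr < self.base + self.size

def owner_of(addr: int, modules: List[KernelModule]) -> Optional[str]:
    """Name of the loaded module backing addr, or None for unbacked memory."""
    for m in modules:
        if m.contains(addr):
            return m.name
    return None

def find_dispatch_hooks(driver: str, major_function: Dict[int, int],
                        modules: List[KernelModule]) -> List[Tuple[int, int, Optional[str]]]:
    """Return (index, target, owner) for MajorFunction entries that resolve neither to
    the driver's own image nor to the kernel (nt). An owner of None means the entry
    points into memory backed by no module: a hook living in allocated kernel memory."""
    findings = []
    for index, target in sorted(major_function.items()):
        owner = owner_of(target, modules)
        if owner not in (driver, "nt"):
            findings.append((index, target, owner))
    return findings

# Constructed snapshot (hypothetical addresses): most entries point at the kernel's
# default handler, a few at disk.sys itself, and read/write at a pool allocation.
MODULES = [KernelModule("nt", 0xFFFFF80001000000, 0x600000),
           KernelModule("disk.sys", 0xFFFFF88001200000, 0x20000)]
DISK_MAJOR_FUNCTION = {i: 0xFFFFF80001245000 for i in range(IRP_MJ_MAXIMUM_FUNCTION + 1)}
DISK_MAJOR_FUNCTION.update({0x00: 0xFFFFF88001203100, 0x02: 0xFFFFF88001203400,
                            0x0E: 0xFFFFF88001204200})
DISK_MAJOR_FUNCTION[IRP_MJ_READ] = 0xFFFFF8A000B71000    # redirected to unbacked memory
DISK_MAJOR_FUNCTION[IRP_MJ_WRITE] = 0xFFFFF8A000B71000

if __name__ == "__main__":
    for index, target, owner in find_dispatch_hooks("disk.sys", DISK_MAJOR_FUNCTION, MODULES):
        label = owner or "no module (allocated kernel memory)"
        print(f"{IRP_MJ_NAMES.get(index, hex(index))}: {target:#x} -> {label}")
```

On a real system the same comparison would be made against the driver object and module list taken from a memory image, not from hand-built dictionaries.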