This trojan was first discovered on the Fosshub server which was hacked on August 2, 2016. The attacker gained access to replace files such as Classic Shell and Audacity with a trojan in which tricks the user into thinking that they are downloading legitimate software. Some programs were also affected with this trojan. Some popular antivirus scanners such as VirusTotal do not detect this as a virus, which mislead users into thinking it is safe. Some users with experience in Windows, may find out that the software publisher is 'Unknown' when running the affected program.
When executed, a console window opens briefly and overwrites the MBR, and no additional actions were required. When rebooted, the user will come across that their master boot record in order to load Windows is overwritten and replaced by this text that follows:
AS YOU REBOOT, YOU FIND THAT SOMETHING HAS OVERWRITTEN YOUR MBR! IT IS A SAD THING YOUR ADVENTURES HAVE ENDED HERE! DIRECT ALL HATE TO PEGGLECREW (@skids ON TWITTER) GREETZ: ECLIPSO, BUBSV, CONFLICT, WIZARDS OF THE COAST, JEWINVADER LAGFISH, ROLAND, JOSH BURRESS, JACOB GRUENTZEL, AF, TERIDAX JOHN CENA, ETHAN RALPH, VINCE (RIP)
This trojan won't work on GUID partitioned drives, or UEFI systems with Secure Boot enabled.
In order for the MBR to be recovered, the user must have their installation media in order to boot into recovery console.
Insert the installation media and reboot the machine. Open the boot menu screen and make it boot off from the installation media. After selecting your preferred language etc, click next and click on repair your computer. On Windows Vista and 7, let windows diagnose the issue first, when Windows detected an issue, it will ask you to restart. On Windows 8 onward, navigate to troubleshoot, then additional options, and click on startup repair. Let windows diagnose the issue, once Windows fixed the issue, it should reboot. Enter Windows setup again, but this time, hold down SHIFT + F10 to open the command prompt. From there, type in bootrec /fixmbr. You should see "The command completed successfully". Then type in bootrec /fixboot and reboot the machine.
- This virus is the subject of a template on this wiki, which is shown below.