To help us provide you with free impartial advice, we may earn a commission if you buy through links on our site. Learn more

Rombertik virus trashes your PC if you try to remove it


New virus strain steals your data and wrecks your PC if you try and stop it

Security experts have identified a malicious new virus called Rombertik that steals personal details and wrecks your computer if you attempt to remove it. Unlike most modern viruses, which normally avoid drawing attention to themselves to continue quietly stealing data, Rombertik makes a notable nuisance of itself. 

Rombertik arrives in the form of a phishing attack, hoping to entice users to click on a malicious attachment. Sample messages used in the attack include a fake email from Microsoft, asking the recipient to click on an attachment to check a technical specification. That attachment is, of course, not the inncocent PDF it purports to be, but a screensaver applications that installs Rombertik, according to a blog post from Cisco researchers Ben Baker and Alex Chiu.

Rombertik is designed to steal passwords and other sensitive information entered into the web browser, which are sent back to a server controlled by the malware writers. The virus comes with 75 images and more than 8,000 redundant functions in order to try and fool security software into thinking its a legitimate app, according to the Cisco team.

The best internet security software of 2015

However, it turns nasty if its malicious activity is rumbled. At the point of installation, and before it’s even attempted to steal personal data, Rombertik will check to ensure its code isn’t being analysed by security software. If it detects that it is, the malware is programmed to destroy the PC’s Master Boot Record, putting the PC into an endless reboot loop where it does nothing but start up and shut down again.

If the malware can’t get to the Master Boot Record, it will instead encrypt all the files in the user’s home folder, effectively destroying the victim’s documents and other files. “Rombertik begins to behave like a wiper malware sample, trashing the user’s computer if it detects it’s being analysed,” says Cisco’s research team. “While Talos [Cisco’s security team] has observed anti-analysis and anti-debugging techniques in malware samples in the past, Rombertik is unique in that it actively attempts to destroy the computer if it detects certain attributes associated with malware analysis.”

Up-to-date antivirus software should stop Rombertik being installed in the first place, but Cisco advises that companies should block certain attachment types on employees’ PCs to prevent this type of attack in the first place. Users should never click on email attachments unless they’re 100% sure of their authenticity. 


Read more