New Rombertik Virus Can Attack Your Hard Drive
A computer virus named Rombertik, which avoids detection by making the PC it infects inoperative, has been identified.
Rombertik is distributed via spam and phishing emails sent to its targeted victims. As with many other attackers' campaigns, these emails use social engineering to trick users into downloading, unzipping or opening the attachments, which eventually results in the computer's compromise.
The virus is complicated and designed to infiltrate the user's browser, allowing the malware to view credentials and confidential information, which can be fed back to the attackers' server. Unlike other viruses that aim to target banking information, Rombertik amasses information from all websites indiscriminately.
The process that Rombertik uses to compromise systems is quite complex: it uses anti-analysis checks to stop the system picking it up. Once its checks have been completed, Rombertik will decrypt and install itself on the victim's computer. After installation, it runs a second copy of itself and duplicates the second copy with the malware's core operation. Before Rombertik is able to start spying on users and feeding back their information, it performs one final check to ensure it is not being analyzed in the system's memory. If it fails this check, Rombertik will try to delete the Master Boot Record and restart the machine, which leaves it in an unbootable state.
Graham Cluley, an online security expert, said aggressive viruses such as Rombertik aren't very common.
“It’s not the norm,” he said.
This is another example of how important good security practices are, especially for businesses, as this type of virus can leak important financial and business data without users even knowing.