'Coronavirus' malware can wreck your PC: What to do


UPDATED April 3 with easier method of restoring deleted Master Boot Record.

As if things weren't already bad enough, a new strain of coronavirus will try to kill your computer.

This isn't the real, biological coronavirus, of course. According to researchers at SonicWall, who posted a report Tuesday (March 31), it's malware that borrows the coronavirus name, and the filename COVID-19.exe, to scare victims, to amuse its creators and possibly to get publicity.

This digital coronavirus can arrive via a malicious web download, an email attachment or a fake application update. If you get hit by it, your Windows PC will go through a few steps and pop up an image of an actual coronavirus before it reboots into a gray screen displaying the words, "Your computer has been trashed."

Your Master Boot Record (MBR), the section of your hard drive that tells the computer's hardware how to boot up, will have been wiped and your computer will essentially be stuck on the gray screen.

How to fix your Master Boot Record

Don't panic just yet. Chances are the data on your C drive and other Windows partitions will remain intact. But you'll need to restore the MBR using special tools, and then you'll need to clean the machine of the malware.
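As an added example (not from the original article or from any of the researchers it cites), the Python sketch below shows how a responder could check from a rescue environment whether the partition table survived an MBR overwrite. It assumes the classic 512-byte MBR layout (boot-code area in bytes 0-445, four 16-byte partition entries from byte 446, signature 0x55 0xAA at bytes 510-511) and that a known-good copy of sector 0 was saved beforehand; the function names and sample sectors are constructed for illustration.

```python
import struct

SECTOR = 512
TABLE_OFF = 446               # boot-code area is bytes 0-445
SIGNATURE = b"\x55\xaa"       # bytes 510-511 of a valid MBR
ENTRY = struct.Struct("<B3xB3xII")  # status, type, first LBA, sector count


def parse_partitions(sector: bytes) -> list:
    """Return the non-empty entries of the four-slot MBR partition table."""
    found = []
    for slot in range(4):
        status, ptype, lba, count = ENTRY.unpack_from(sector, TABLE_OFF + 16 * slot)
        if ptype and count:
            found.append({"slot": slot, "bootable": status == 0x80,
                          "type": ptype, "lba_start": lba, "sectors": count})
    return found


def triage(current: bytes, baseline: bytes) -> dict:
    """Compare a sector-0 dump with a known-good copy, region by region."""
    if len(current) != SECTOR or len(baseline) != SECTOR:
        raise ValueError("both inputs must be exactly one 512-byte sector")
    return {
        "signature_valid": current[510:512] == SIGNATURE,
        "boot_code_changed": current[:TABLE_OFF] != baseline[:TABLE_OFF],
        "table_changed": current[TABLE_OFF:510] != baseline[TABLE_OFF:510],
        "partitions": parse_partitions(current),
    }


def build_sample(boot_code: bytes, entries: list) -> bytes:
    """Build a constructed test sector (not a dump from a real machine)."""
    sector = bytearray(SECTOR)
    sector[:len(boot_code)] = boot_code
    for slot, fields in enumerate(entries):
        ENTRY.pack_into(sector, TABLE_OFF + 16 * slot, *fields)
    sector[510:512] = SIGNATURE
    return bytes(sector)


# Constructed samples: one bootable NTFS-type (0x07) partition at LBA 2048.
TABLE = [(0x80, 0x07, 2048, 1_000_000)]
BASELINE = build_sample(b"\x90" * 64, TABLE)
CODE_REPLACED = build_sample(b"\xcc" * 64, TABLE)   # boot code differs, table kept
ZEROED = bytes(SECTOR)                               # whole sector blank

if __name__ == "__main__":
    for name, dump in [("baseline", BASELINE), ("code replaced", CODE_REPLACED),
                       ("zeroed", ZEROED)]:
        print(name, triage(dump, BASELINE))
```

If the table is unchanged and only the boot-code area differs, rewriting the boot code is enough; if the table is gone as well, the partition boundaries have to be rediscovered before the volumes can be mounted.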

Here's an explainer on how to fix the MBR on our sister site Laptop Mag. You'll have to use Microsoft's own Windows installation media to boot the machine into a rescue configuration. 

If you don't have a Windows installation disk or flash drive lying around, you'll need another PC in good working order to download and create the media. 

After you fix the MBR, you should probably use bootable "rescue disk" antivirus software to scan and clean the C drive before you get back to regular business. Otherwise, any time-bombs the Coronavirus malware put on your hard drive may go off. 

Norton, Sophos and Trend Micro still offer updated rescue-disk downloads. Once again, you'll need a separate PC to download the software and put it on a flash drive or optical disk.

UPDATE: Researchers at Avast had a look at the "Coronavirus" malware's source code and discovered that its developer(s) built in a fail-safe mechanism to easily restore the original MBR: Press Ctrl + Alt + Esc during startup.

The malware creates a backup of the original MBR before it wipes it, and that keyboard sequence accesses the backup.

However, once you've successfully got your PC back up and running, you'll need to remove the malware on your hard drive because otherwise it will try to wipe the MBR again. 

You can do that with regular antivirus software, but you'll also want to locate and delete the folder called "COVID-19" on your primary Windows drive (the C drive for most people).

Meanwhile, Bleeping Computer found a variant of the same malware, but this time it's called "RedMist" and shows you a picture of Squidward from "SpongeBob SquarePants" instead of a coronavirus. Like the "Coronavirus" malware, this too can be bypassed by hitting Ctrl + Alt + Esc during startup.

How to avoid the 'Coronavirus' malware

To avoid getting hit by this malware in the first place, use one of the best antivirus programs to detect and stop it before it infects your PC. Most of the leading antivirus signature-detection engines will already spot this malware, according to the latest snapshot from VirusTotal.

As always, don't open email attachments before your antivirus software scans them. Don't click on random links that show up in social media, in emails, or in text or chat messages. Just assume the bad guys are out to get you, because they are.

Paul Wagenseil
