Home / malware Trojan:Win64/WipMBR.A
First posted on 18 August 2012.
Source: MicrosoftAliases :
Trojan:Win64/WipMBR.A is also known as W32/Dropper.gen8!Maximus (Command), TR/Crypt.FKM.Gen (other), W32/Troj_Generic.DKYIW (other).
Explanation :
Trojan:Win64/WipMBR.A is a trojan that drops a file, detected as Trojan:Win64/WipMBR.gen!A, onto your computer, which replaces the master boot record (MBR) thus preventing you from accessing your operating system and using your computer.
Installation
On 64-bit operating systems, Trojan:Win64/WipMBR.A is dropped by Trojan:Win32/WipMBR.A as the following file:
%SystemRoot%\system32\trksvr.exe
Note: %SystemRoot% refers to a variable location that is determined by the malware by querying the operating system. The default location for the SystemRoot folder for Windows 2000, XP, 2003, Vista and 7 is "C:\Windows".
Trojan:Win64/WipMBR.A sets the following times be be the same as that of the system file, kernel32.dll:
- Creation time
- Last access time
- Last write time
The trojan may set these times in an effort to hide itself.
It then marks the original file for deletion the next time Windows starts.
Payload
Uses stealth
Trojan:Win64/WipMBR.A creates a service called "TrkSvr" with a with a dependency on the system service "LanmanWorkstation", so that the trojan will be forced to load at Windows start.
It can also copy and run the service on remote server (specified by command line arguments) through specific shares; it may do this to ensure infection on other computers on a network.
Drops other malware
The trojan runs a time check on your computer; if it determines that the time is after 08:08 on August 15 2012, it will drop and run a file in the %SystemRoot% folder, detected as Trojan:Win64/WipMBR.gen!A, with one of the following file names:
- caclsrv.exe
- certutl.exe
- clean.exe
- ctrl.exe
- dfrag.exe
- dnslookup.exe
- dvdquery.exe
- event.exe
- extract.exe
- findfile.exe
- fsutl.exe
- gpget.exe
- iissrv.exe
- ipsecure.exe
- msinit.exe
- netx.exe
- ntdsutl.exe
- ntfrsutil.exe
- ntnw.exe
- power.exe
- rdsadmin.exe
- regsys.exe
- routeman.exe
- rrasrv.exe
- sacses.exe
- sfmsc.exe
- sigver.exe
- smbinit.exe
- wcscript.exe
Note: In the samples we analysed the dropped file was damaged. Unfortunately, this means we are unable to confirm the behaviour of the file.
Additional technical details
Trojan:Win64/WipMBR.A creates a system service for the copied file with following configuration, and adds the new service as a dependency of the system service "LanmanWorkstation":
- Service name: "TrkSvr"
- Service description: "Enables the Distributed Link Tracking Client service within the same domain to provide more reliable and efficient maintenance of links within the domain. If this service is disabled, any services that explicitly depend on it will fail to start."
- Service dependence: "RpcSs"
It can also copy and run the service on remote server (specified by command line arguments) through the following shares:
Related encyclopedia entries
- ADMIN$
- C$
- D$
- E$
Trojan:Win64/WipMBR.gen!A
Trojan:Win32/WipMBR.A
Analysis by Shawn Wang
Last update 18 August 2012