
Trojan:Win32/WipMBR.A


First posted on 18 August 2012.
Source: Microsoft

Aliases :

Trojan:Win32/WipMBR.A is also known as W32/Dropper.gen8!Maximus (Command), TR/Crypt.FKM.Gen (other), W32/Troj_Generic.DKYIW (other).

Explanation :



Trojan:Win32/WipMBR.A is a trojan that drops a file, detected as Trojan:Win32/WipMBR.B, onto your computer. The dropped file overwrites the master boot record (MBR), which prevents the operating system from booting and so stops you from using the computer.



Installation

On 32-bit operating systems, Trojan:Win32/WipMBR.A copies itself as the following file:

%SystemRoot%\system32\trksvr.exe

On 64-bit operating systems, Trojan:Win32/WipMBR.A drops the following file:

%SystemRoot%\system32\trksvr.exe - detected as Trojan:Win64/WipMBR.A

Note: %SystemRoot% refers to a variable location that is determined by the malware by querying the operating system. The default location for the SystemRoot folder for Windows 2000, XP, 2003, Vista and 7 is "C:\Windows".

Once these files have been copied or dropped to your computer, the trojan sets the following timestamps of the new file to be the same as those of the system file "kernel32.dll":

  • Creation time
  • Last access time
  • Last write time


The trojan sets these times so that the new file blends in with the surrounding system files (a technique known as timestomping), which defeats simple triage that sorts a directory by date.

It then marks the copied file for deletion the next time Windows starts.
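The installation steps above (a copy in System32, timestamps cloned from kernel32.dll, and a file marked for deletion at the next start) can be hunted for on a live host with the following PowerShell. This is an added example, not code from the encyclopedia entry. The file names trksvr.exe and netinit.exe are taken from this entry (netinit.exe from the Payload section below); reading the delete-on-reboot requests from the PendingFileRenameOperations value is an assumption about the mechanism (that is where MoveFileEx with MOVEFILE_DELAY_UNTIL_REBOOT records them), since the entry does not say how the deletion is scheduled.

```powershell
# Added example (not from the encyclopedia entry). Run from an elevated
# PowerShell prompt; written for PowerShell 2.0 upward (no -File switch).

$sys32  = Join-Path $env:SystemRoot 'System32'
$kernel = Get-Item (Join-Path $sys32 'kernel32.dll')

# 1. Timestomping check: files whose creation, last-access and last-write
#    times all equal kernel32.dll's to the tick. Legitimate files rarely
#    share all three exactly; treat each hit as "verify", not "infected".
$timestomped = Get-ChildItem $sys32 -ErrorAction SilentlyContinue |
    Where-Object {
        -not $_.PSIsContainer -and
        $_.FullName -ne $kernel.FullName -and
        $_.CreationTimeUtc   -eq $kernel.CreationTimeUtc -and
        $_.LastAccessTimeUtc -eq $kernel.LastAccessTimeUtc -and
        $_.LastWriteTimeUtc  -eq $kernel.LastWriteTimeUtc
    }

# 2. The copy names given in this entry (netinit.exe is from the Payload section).
$knownNames = 'trksvr.exe', 'netinit.exe'
$namedHits  = $knownNames | ForEach-Object { Join-Path $sys32 $_ } | Where-Object { Test-Path $_ }

# 3. Delete-on-reboot requests. Assumption: the trojan uses MoveFileEx with
#    MOVEFILE_DELAY_UNTIL_REBOOT, which records source/destination pairs in
#    PendingFileRenameOperations; an empty destination means "delete".
$smKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
$pending = @((Get-ItemProperty $smKey -Name PendingFileRenameOperations -ErrorAction SilentlyContinue).PendingFileRenameOperations)
$pendingDeletes = @()
for ($i = 0; $i -lt $pending.Count; $i += 2) {
    if ($pending[$i] -and -not $pending[$i + 1]) {
        # strip the NT object-manager prefix \??\ for readability
        $pendingDeletes += ($pending[$i] -replace '^\\\?\?\\', '')
    }
}

"Files sharing all three timestamps with kernel32.dll:"
$timestomped | ForEach-Object { "  $($_.FullName)" }
"Known copy names present:"
$namedHits | ForEach-Object { "  $_" }
"Files marked for deletion at next boot:"
$pendingDeletes | ForEach-Object { "  $_" }
```

Expect a handful of timestamp matches from the OS image itself on a clean machine; what matters is a match whose name is not part of a known-good Windows build, or whose hash differs from the vendor copy. A file that appears both in the timestamp list and in the pending-deletion list is exactly the pattern this entry describes.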



Payload

Uses stealth

Trojan:Win32/WipMBR.A creates a service called "TrkSvr" and adds it to the dependency list of the system service "LanmanWorkstation", so that the trojan's service is forced to start whenever the Workstation service starts at Windows start-up.

It can also copy and run the service on remote servers (specified by command line arguments) through specific administrative shares; it may do this to spread the infection to other computers on the network.

Drops other malware

The trojan runs a time check on your computer; if it determines that the time is after 08:08 on August 15 2012, it will drop and run a file in the %SystemRoot% folder, detected as Trojan:Win32/WipMBR.B, with one of the following file names:

  • caclsrv.exe
  • certutl.exe
  • clean.exe
  • ctrl.exe
  • dfrag.exe
  • dnslookup.exe
  • dvdquery.exe
  • event.exe
  • extract.exe
  • findfile.exe
  • fsutl.exe
  • gpget.exe
  • iissrv.exe
  • ipsecure.exe
  • msinit.exe
  • netx.exe
  • ntdsutl.exe
  • ntfrsutil.exe
  • ntnw.exe
  • power.exe
  • rdsadmin.exe
  • regsys.exe
  • routeman.exe
  • rrasrv.exe
  • sacses.exe
  • sfmsc.exe
  • sigver.exe
  • smbinit.exe
  • wcscript.exe


Trojan:Win32/WipMBR.A also drops another file as:

%SystemRoot%\system32\netinit.exe - detected as Trojan:Win32/WipMBR.gen!A

Once dropped, it sets the dropped file's creation time, last access time and last write time to be the same as those of "kernel32.dll", and schedules a job to run the file immediately.

Additional technical details

Trojan:Win32/WipMBR.A creates a system service for the copied file with the following configuration, and adds the new service to the dependency list of the system service "LanmanWorkstation":

  • Service name: "TrkSvr"
  • Service description: "Enables the Distributed Link Tracking Client service within the same domain to provide more reliable and efficient maintenance of links within the domain. If this service is disabled, any services that explicitly depend on it will fail to start."
  • Service dependency: "RpcSs"

The description is written to pass as that of the legitimate Distributed Link Tracking service, so the name and description alone are not enough to judge the service; check the binary path it runs.


It can also copy and run the service on remote servers (specified by command line arguments) through the following administrative shares:

  • ADMIN$
  • C$
  • D$
  • E$
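
The persistence and drop artifacts described in the "Drops other malware" and "Additional technical details" sections (the "TrkSvr" service inserted into LanmanWorkstation's dependency list, the drop file names, and the job that launches netinit.exe) can be checked on a live host with the following PowerShell. This is an added example, not code from the encyclopedia entry. Service and file names are taken from the entry; the assumptions are that the host's schtasks output is in English (the "Task To Run" column name) and that a dependency the operator cannot account for is worth inspecting, since the entry gives no baseline list of legitimate LanmanWorkstation dependencies.

```powershell
# Added example (not from the encyclopedia entry). Run elevated; PowerShell
# 2.0 upward. Service and file names are taken from the entry above.

$svcRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services'

# 1. Services that LanmanWorkstation depends on. The trojan adds "TrkSvr" here
#    so the Service Control Manager must start it before the Workstation
#    service; anything in this list you cannot account for deserves a look.
$deps = @((Get-ItemProperty "$svcRoot\LanmanWorkstation" -Name DependOnService -ErrorAction SilentlyContinue).DependOnService)
"LanmanWorkstation depends on:"
$deps | Where-Object { $_ } | ForEach-Object {
    $img  = (Get-ItemProperty "$svcRoot\$_" -Name ImagePath -ErrorAction SilentlyContinue).ImagePath
    $flag = if ($_ -ieq 'TrkSvr') { 'SUSPECT' } else { '' }
    "  {0,-20} {1,-8} {2}" -f $_, $flag, $img
}

# 2. Every file name this entry lists, as one regex alternation anchored on
#    the preceding backslash so "event.exe" does not match "wevent.exe".
$dropNames = @(
    'trksvr.exe', 'netinit.exe',
    'caclsrv.exe', 'certutl.exe', 'clean.exe', 'ctrl.exe', 'dfrag.exe', 'dnslookup.exe',
    'dvdquery.exe', 'event.exe', 'extract.exe', 'findfile.exe', 'fsutl.exe', 'gpget.exe',
    'iissrv.exe', 'ipsecure.exe', 'msinit.exe', 'netx.exe', 'ntdsutl.exe', 'ntfrsutil.exe',
    'ntnw.exe', 'power.exe', 'rdsadmin.exe', 'regsys.exe', 'routeman.exe', 'rrasrv.exe',
    'sacses.exe', 'sfmsc.exe', 'sigver.exe', 'smbinit.exe', 'wcscript.exe'
)
$namePattern = '\\(' + (($dropNames | ForEach-Object { [regex]::Escape($_) }) -join '|') + ')\b'

# 3. Any service whose binary is one of those names, wherever it lives.
"Services running a known drop name:"
Get-WmiObject Win32_Service |
    Where-Object { $_.PathName -match $namePattern } |
    ForEach-Object { "  {0} ({1}) -> {2}" -f $_.Name, $_.State, $_.PathName }

# 4. The drop names on disk: %SystemRoot% for WipMBR.B, System32 for the copies.
"Drop names present on disk:"
foreach ($dir in @($env:SystemRoot, (Join-Path $env:SystemRoot 'System32'))) {
    foreach ($n in $dropNames) {
        $p = Join-Path $dir $n
        if (Test-Path $p) { "  $p" }
    }
}

# 5. Scheduled jobs that launch any of them (the entry says netinit.exe is run
#    through a job). Assumption: English schtasks output, so the column is
#    named "Task To Run".
"Scheduled tasks running a known drop name:"
schtasks /query /v /fo csv 2>$null | ConvertFrom-Csv |
    Where-Object { $_.'Task To Run' -match $namePattern } |
    ForEach-Object { "  {0} -> {1}" -f $_.TaskName, $_.'Task To Run' }
```

Several of the drop names (clean.exe, power.exe, extract.exe) are generic, so a hit on disk is a lead to hash and inspect, not a verdict. Because the trojan copies its service to other hosts over ADMIN$, C$, D$ and E$, run the same checks on every machine reachable with the credentials of a confirmed-infected one, not only on the host where it was first found.
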

Related encyclopedia entries

Trojan:Win32/WipMBR.B

Trojan:Win64/WipMBR.A

Trojan:Win32/WipMBR.gen!A



Analysis by Shawn Wang

Last update 18 August 2012

 
