Trojan:Win32/WipMBR.gen!A
First posted on 18 August 2012.
Source: Microsoft
Aliases:
Trojan:Win32/WipMBR.gen!A is also known as TROJ_DISTTRACK.A (Trend Micro), Trojan.Win32.Erase.MBR.a (Kaspersky), Trojan.Win32.Erase.MBR (Ikarus), W32.DistTrack (Symantec).
Explanation:
Trojan:Win32/WipMBR.gen!A is a trojan that connects to a remote host and may download arbitrary files.
If this threat is detected on your computer, it is likely that your computer is also infected with Trojan:Win32/WipMBR.B. This trojan overwrites your computer's MBR (master boot record) and other files, thus preventing you from accessing your operating system and using your computer.
Installation
Trojan:Win32/WipMBR.gen!A is dropped by Trojan:Win32/WipMBR.A as the following file:
%SystemRoot%\system32\netinit.exe
Note: %SystemRoot% refers to a variable location that is determined by the malware by querying the operating system. The default location for the SystemRoot folder for Windows 2000, XP, 2003, Vista and 7 is "C:\Windows".
Once dropped, the file's creation time, last access time and last write time are set to match those of the system file "kernel32.dll" (a technique known as timestomping, used to make the dropped file look like a legitimate component of the operating system when sorted or filtered by date). Trojan:Win32/WipMBR.A then schedules a job to run the file immediately.
Payload
Contacts remote host
Trojan:Win32/WipMBR.gen!A contacts a private C&C (command and control) server with the following URL:
hxxp://10.1.252.19/ajax_modal/modal/data.asp?mydata=<content/line count of "%SystemRoot%\inf\netft429.pnf">&uid=<local IP>&state=<system tick count>
This URL refers to a private (RFC 1918) IP address rather than an Internet host, which suggests that a second machine on the same network is infected and is acting as the C&C server. When responding to an infection, that machine should be treated as compromised as well.
Note: <system tick count> is the number of milliseconds that have elapsed since the computer was last started, so the beacon also discloses the host's uptime.
Trojan:Win32/WipMBR.gen!A may download an additional file from the C&C server to the following location:
%SystemRoot%\Temp\filer<random number>.exe
Note: At the time of analysis, the C&C server was inaccessible.
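The following PowerShell triage script is an added example and is not part of the Microsoft entry or its analysis. It checks a host for the artefacts described above (the dropped netinit.exe and whether its timestamps were cloned from kernel32.dll, the netft429.pnf file, payloads in %SystemRoot%\Temp and the scheduled job that launches netinit.exe) and matches the beacon URL against proxy log lines. The file names, paths and URL come from the entry; the function names, the "filer*.exe" glob and the sample log line are assumptions.

```powershell
# Added triage script (not part of the Microsoft entry or its analysis).
# Paths, file names and the C&C URL come from the entry above; the function
# names, the 'filer*.exe' glob and the sample log line are assumptions.
# Run from an elevated PowerShell prompt on the host under examination.

function Test-TimeStompedAgainstKernel32 {
    # The dropper copies kernel32.dll's creation, access and write times onto
    # netinit.exe. Creation and write time are compared exactly; last-access
    # time is reported but not required, because NTFS may have updated it since.
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return $null }
    $k32 = Get-Item -LiteralPath (Join-Path $env:SystemRoot 'system32\kernel32.dll')
    $f   = Get-Item -LiteralPath $Path
    [pscustomobject]@{
        Path             = $f.FullName
        CreationTimeUtc  = $f.CreationTimeUtc
        LastWriteTimeUtc = $f.LastWriteTimeUtc
        AccessMatchesK32 = ($f.LastAccessTimeUtc -eq $k32.LastAccessTimeUtc)
        MatchesK32       = ($f.CreationTimeUtc -eq $k32.CreationTimeUtc) -and
                           ($f.LastWriteTimeUtc -eq $k32.LastWriteTimeUtc)
    }
}

function Get-WipMbrHostIndicators {
    $sysroot  = $env:SystemRoot
    $findings = New-Object System.Collections.Generic.List[object]
    $add = { param($Indicator, $Detail, $Strong)
        $findings.Add([pscustomobject]@{ Indicator = $Indicator; Detail = $Detail; Strong = $Strong }) }

    # 1. The dropped component and whether its timestamps were cloned from kernel32.dll.
    $ts = Test-TimeStompedAgainstKernel32 -Path (Join-Path $sysroot 'system32\netinit.exe')
    if ($ts) { & $add 'netinit.exe present' $ts.Path $ts.MatchesK32 }

    # 2. The .pnf file whose content/line count is sent to the C&C server.
    $pnf = Join-Path $sysroot 'inf\netft429.pnf'
    if (Test-Path -LiteralPath $pnf) { & $add 'netft429.pnf present' $pnf $true }

    # 3. Downloaded payloads: %SystemRoot%\Temp\filer<random number>.exe.
    Get-ChildItem -Path (Join-Path $sysroot 'Temp') -Filter 'filer*.exe' -File -ErrorAction SilentlyContinue |
        ForEach-Object { & $add 'filer*.exe in %SystemRoot%\Temp' $_.FullName $false }

    # 4. The scheduled job that launches netinit.exe. schtasks.exe is used instead of
    #    Get-ScheduledTask so this also works on Windows 7 / 2008 R2. 'Task To Run' is
    #    the English-locale column header of the verbose CSV output.
    schtasks.exe /query /v /fo CSV 2>$null | ConvertFrom-Csv |
        Where-Object { $_.'Task To Run' -match 'netinit\.exe' } |
        ForEach-Object { & $add 'scheduled task runs netinit.exe' $_.TaskName $true }

    return $findings
}

# 5. Beacon URL. The host part is matched loosely: the entry quotes 10.1.252.19,
#    but any machine on the LAN could be playing the C&C role.
$BeaconPattern = 'https?://(?<server>[^/\s]+)/ajax_modal/modal/data\.asp\?' +
                 'mydata=(?<mydata>[^&\s]*)&uid=(?<uid>\d{1,3}(?:\.\d{1,3}){3})&state=(?<tick>\d+)'

function Find-WipMbrBeacon {
    param([Parameter(Mandatory, ValueFromPipeline)][string]$LogLine)
    process {
        if ($LogLine -match $BeaconPattern) {
            [pscustomobject]@{
                Server = $Matches['server']
                Victim = $Matches['uid']           # local IP of the infected host
                MyData = $Matches['mydata']        # content/line count of netft429.pnf
                # 'state' is the system tick count (milliseconds since boot), i.e. uptime.
                Uptime = [TimeSpan]::FromMilliseconds([double]$Matches['tick'])
                Line   = $LogLine
            }
        }
    }
}

# Constructed sample proxy log line (not from a real capture) to exercise the matcher;
# the victim address and tick value are invented.
$sampleLine = 'GET http://10.1.252.19/ajax_modal/modal/data.asp?mydata=3&uid=10.1.252.44&state=7364812 HTTP/1.1'
$sampleLine | Find-WipMbrBeacon | Format-List
Get-WipMbrHostIndicators | Format-Table -AutoSize
```

A timestamp match against kernel32.dll is only visible in the $STANDARD_INFORMATION attribute that Get-Item reads; the NTFS $FILE_NAME timestamps are not rewritten by the usual SetFileTime call, so a forensic MFT parser can still recover the real drop time if the file is found. Because the C&C address is on the local network and the companion Trojan:Win32/WipMBR.B wipes the MBR, isolate the host and image the disk before rebooting or cleaning it.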
Related encyclopedia entries
Trojan:Win32/WipMBR.A
Trojan:Win32/WipMBR.B
Analysis by Shawn Wang
Last update 18 August 2012