New Shamoon malware variant in the wild


Creation date

ID: IRCNE2012091611
Date: 2012-09-08

According to ZDNet, Symantec has issued a new warning after finding an updated variant of the Shamoon malware in the wild. The new version, detected by the company as W32.Disttrack, wipes and destroys files, overwrites the master boot record (MBR) and changes the active partition of an infected machine.
Where the previous version overwrote data in 192KB blocks containing an image of a burning U.S. flag, the new variant uses blocks of the same size filled with randomly generated data. The wiping date is read from a .pnf file the malware creates on the system; Symantec says the malware checks this date periodically and, once it is reached, executes the wiper.
Scanning through a targeted list of 'priority' files, the malware probes each target by attempting to open and close the following files over the administrative shares, which tells it whether it has the access rights needed to spread to that machine:
\\[TARGET IP]\ADMIN$\system32\csrss.exe
\\[TARGET IP]\C$\WINDOWS\system32\csrss.exe
\\[TARGET IP]\D$\WINDOWS\system32\csrss.exe
\\[TARGET IP]\E$\WINDOWS\system32\csrss.exe
According to Symantec's Security Response Team:
"If successful, it will then copy itself to the remote system32 directory and attempt to execute itself using psexec.exe. If unsuccessful, it will try to load itself as a remote service."
The new Shamoon variant targets files within subfolders whose names contain download, document, picture, music, video and desktop. Once it has a foothold, it attempts to spread across the local network via network shares. Typically the malware obtains domain credentials, which give it access to every machine in the local domain.
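The probing and remote-execution sequence described above leaves a recognisable trace in Windows event logs. The following detector is an added example written for this page; it is not code from the advisory, ZDNet or Symantec. It consumes one-line renderings of two real event types, Security event 5145 (a network share object was checked to see whether the client can be granted desired access, with Computer, IpAddress, ShareName and RelativeTargetName fields) and System event 7045 (a service was installed), and flags a source that opens csrss.exe over the ADMIN$/C$/D$/E$ shares of several hosts, then correlates that with service installs on the probed hosts as the advisory's "remote service" fallback would produce. The key=value|... line format, the host names, IP addresses and service name are constructed for the example.

```python
"""Detection sketch for the csrss.exe admin-share probing described above.

Added example, not code from the advisory, ZDNet or Symantec.  Input is a
constructed one-line rendering of two real Windows event types:
  5145 (Security): network share object checked for access; real fields
       include Computer, IpAddress, ShareName, RelativeTargetName.
  7045 (System):   a service was installed in the system.
Real events are EVTX/XML and need their own parser; only the field names
above are taken from the real events.
"""
import re
from collections import defaultdict

# Administrative shares the advisory lists as probe targets.
ADMIN_SHARES = {"ADMIN$", "C$", "D$", "E$"}

# ADMIN$ maps to the Windows directory, so the relative target there is
# system32\csrss.exe; on C$/D$/E$ it is WINDOWS\system32\csrss.exe.
PROBE_RE = re.compile(r"(?i)(?:^|\\)system32\\csrss\.exe$")

# Constructed sample log (not real telemetry); hosts, IPs and the service
# name are placeholders.
SAMPLE_LOG = r"""
EventID=5145|Computer=WS-01|IpAddress=10.0.0.5|ShareName=\\*\ADMIN$|RelativeTargetName=system32\csrss.exe
EventID=5145|Computer=WS-02|IpAddress=10.0.0.5|ShareName=\\*\C$|RelativeTargetName=WINDOWS\system32\csrss.exe
EventID=5145|Computer=WS-02|IpAddress=10.0.0.5|ShareName=\\*\D$|RelativeTargetName=WINDOWS\system32\csrss.exe
EventID=5145|Computer=WS-03|IpAddress=10.0.0.5|ShareName=\\*\E$|RelativeTargetName=WINDOWS\system32\csrss.exe
EventID=5145|Computer=FS-01|IpAddress=10.0.0.9|ShareName=\\*\Public|RelativeTargetName=docs\report.docx
EventID=5145|Computer=WS-01|IpAddress=10.0.0.9|ShareName=\\*\C$|RelativeTargetName=Users\bob\notes.txt
EventID=5145|Computer=WS-04|IpAddress=10.0.0.7|ShareName=\\*\ADMIN$|RelativeTargetName=system32\csrss.exe
EventID=7045|Computer=WS-02|ServiceName=placeholder-svc
EventID=7045|Computer=FS-01|ServiceName=placeholder-svc
"""


def parse_line(line):
    """Turn one key=value|... line into a dict; ShareName is reduced to its last component."""
    fields = dict(kv.split("=", 1) for kv in line.strip().split("|"))
    share = fields.get("ShareName", "")
    return {
        "event_id": fields["EventID"],
        "target": fields["Computer"],
        "src": fields.get("IpAddress"),            # absent on 7045
        "share": share.rsplit("\\", 1)[-1].upper(),  # \\*\ADMIN$ -> ADMIN$
        "rel": fields.get("RelativeTargetName", ""),
    }


def parse_log(text):
    """Parse every non-empty line, preserving log order (assumed to be time order)."""
    return [parse_line(l) for l in text.strip().splitlines() if l.strip()]


def is_probe(ev):
    """True for a 5145 event that opens csrss.exe through one of the admin shares."""
    return (ev["event_id"] == "5145"
            and ev["share"] in ADMIN_SHARES
            and PROBE_RE.search(ev["rel"]) is not None)


def find_probing_sources(events, min_targets=2):
    """Map source IP -> sorted target hosts for sources probing at least min_targets hosts.

    One probe may be an administrator; the same source sweeping several hosts
    for csrss.exe over admin shares is the spreading pattern described above.
    """
    targets = defaultdict(set)
    for ev in events:
        if is_probe(ev):
            targets[ev["src"]].add(ev["target"])
    return {src: sorted(t) for src, t in targets.items() if len(t) >= min_targets}


def service_installs_on_probed_hosts(events, probing):
    """Hosts probed by a flagged source that later log a 7045 service install.

    This is the trace the 'load itself as a remote service' fallback would
    leave; the match relies on events being in timestamp order.
    """
    probed, hits = set(), set()
    for ev in events:
        if is_probe(ev) and ev["src"] in probing:
            probed.add(ev["target"])
        elif ev["event_id"] == "7045" and ev["target"] in probed:
            hits.add(ev["target"])
    return sorted(hits)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    probing = find_probing_sources(evs)
    print("probing sources:", probing)
    print("service installs on probed hosts:", service_installs_on_probed_hosts(evs, probing))
```

On the sample data the sweep from 10.0.0.5 across three hosts is flagged while the single probe from 10.0.0.7 and the ordinary C$ file access from 10.0.0.9 are not, and WS-02 is reported because a service install follows its probe. Tune `min_targets` to your environment; psexec-style execution (the advisory's first choice) would additionally show up as a 7045 for the PSEXESVC service on the target, which the same correlation catches.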

Related Link:
New Shamoon Windows malware deletes computer contents, prevents reboot
