Disttrack Malware Overwrites Files, Infects MBR

Reports of Disttrack/Shamoon malware, which overwrites files and infects the Master Boot Record (MBR) of infected systems, have recently surfaced. Trend Micro detects the said WORM_DISTTRACK.A. Currently, its arrival method is still undetermined. It is found to spread to other computers by dropping copies of itself in administrative shares. Its dropped copy may use file names such as clean.exe or dvdquery.exe.

It drops two primary components: TROJ_WIPMBR.A and TROJ_DISTTRACK.A. TROJ_WIPMBR.A gathers the files to be infected in the computer. The files it overwrites are those with the following strings in the file name or code:

  • document
  • picture
  • video
  • music

Once overwritten, these files can no longer be restored or opened. On the other hand, TROJ_DISTTRACK.A serves as the communicator. TROJ_WIPMBR.A passes the list of files it infects to TROJ_DISTTRACK.A. TROJ_DISTTRACK.A then creates a connection to an IP and sends the list of files, along with the IP address of the infected computer.

Trend Micro is continuously investigating this threat. Watch this space for updates.


Coming Soon: The TrendLabs Security Intelligence Blog will be the new Malware Blog

Post from: TrendLabs | Malware Blog – by Trend Micro

Disttrack Malware Overwrites Files, Infects MBR

Read more: Disttrack Malware Overwrites Files, Infects MBR

Story added 18. August 2012, content source with full text you can find at link above.