Our investigation and analysis of last week’s MBR wiper attacks in South Korea is still ongoing. This post summarizes our results and available protection.
The MBR wiper arrives as a dropper file (detected as TROJ_KILLMBR.SM), which drops four files onto the system:
- Agentbase.exe – the actual MBR wiper, also detected as TROJ_KILLMBR.SM
- ~pr1.tmp – a UNIX executable, detected as UNIX_KILLMBR.A
- Alg.exe – non-malicious file, related to PuTTY client
- Conime.exe – non-malicious, related to PuTTY client
However, before it wipes the MBR, it performs two additional routines: firstly, it terminates the processes of two Korean antivirus suites, if these are running on the affected systems. (Other variants we’ve seen also terminate a third antivirus product, which is also Korean.)
Secondly, it searches for saved SSH credentials from two known SSH clients – mRemote and Secure CRT. It searches the folders where these two clients save credentials, namely:
- %AppDataLocal%\Felix_Deimel\mRemote\confCons.xml (for mRemote)
- %Application Data%\VanDyke\Config\Sessions (for Secure CRT)
It checks the credentials stored at these locations and looks for accounts with root access to servers. If it finds any, the malware will attempt to log onto these servers. It checks the operating system of these servers; if it finds any of the following operating systems, it will upload the ~pr1.tmp file to that server and run it.
The actual MBR wiper overwrites the MBR with three repeated strings: PRINCPES, HASTATI. or PR!NCPES. Some variants of this wiper only trigger at or before 2PM on March 20, 2013; others may trigger only at 3PM or later. Deleting the MBR results in the system being unable to boot as normal.
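As an added defender-side illustration (not code from the original post or from Trend Micro), the following Python helper reads the first 512-byte sector of a raw disk image and reports whether it has been overwritten with one of the repeated strings described above. The sample sectors are constructed, and the 90% coverage threshold used to call a sector "wiped" is an assumption.

```python
# Added forensic triage helper (not from the original post). It inspects a raw
# 512-byte MBR sector and reports whether it looks like it was overwritten with
# one of the repeated strings the post describes. Sample sectors are constructed.
WIPER_STRINGS = (b"PRINCPES", b"HASTATI.", b"PR!NCPES")
SECTOR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xAA"  # normal trailer of a bootable MBR

def classify_mbr(sector: bytes) -> dict:
    """Return a verdict for one 512-byte sector.

    'wiped_with' names the repeated string if the sector consists almost
    entirely of it; 'has_boot_signature' reports whether the 0x55AA trailer
    is present, which an overwritten sector lacks.
    """
    if len(sector) != SECTOR_SIZE:
        raise ValueError(f"expected {SECTOR_SIZE} bytes, got {len(sector)}")
    has_sig = sector[-2:] == BOOT_SIGNATURE
    wiped_with = None
    for marker in WIPER_STRINGS:
        # Count non-overlapping copies of the marker in the sector.
        covered = sector.count(marker) * len(marker)
        # Assumed threshold: >= 90% coverage counts as "filled with marker",
        # tolerating a partial trailing copy at the end of the sector.
        if covered >= SECTOR_SIZE * 0.9:
            wiped_with = marker.decode("ascii")
            break
    return {"wiped_with": wiped_with, "has_boot_signature": has_sig,
            "suspicious": wiped_with is not None or not has_sig}

def read_mbr(path: str) -> bytes:
    """Read the first sector from a raw disk image or block device."""
    with open(path, "rb") as fh:
        return fh.read(SECTOR_SIZE)

def make_wiped_sector(marker: bytes) -> bytes:
    """Constructed sample: a sector filled by repeating `marker`."""
    reps = SECTOR_SIZE // len(marker) + 1
    return (marker * reps)[:SECTOR_SIZE]

def make_clean_sector() -> bytes:
    """Constructed sample: zeroed boot code plus a valid 0x55AA signature."""
    return b"\x00" * (SECTOR_SIZE - 2) + BOOT_SIGNATURE

if __name__ == "__main__":
    for name, sec in [("clean", make_clean_sector()),
                      ("hastati", make_wiped_sector(b"HASTATI."))]:
        print(name, classify_mbr(sec))
```

To triage a real image, call `classify_mbr(read_mbr("/path/to/image.dd"))`; a missing boot signature is flagged even when none of the known strings is present.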
For newer versions of Windows (Vista and later), some variants of the MBR wiper also delete all files in all folders on the affected system. The malware then restarts the PC, and users are unable to use their machine.