Reports of Disttrack/Shamoon malware, which overwrites files and infects the Master Boot Record (MBR) of infected systems, have recently surfaced. Trend Micro detects the said malware as WORM_DISTTRACK.A. Currently, its arrival method is still undetermined. It is found to spread to other computers by dropping copies of itself in administrative shares. Its dropped copy may use file names such as clean.exe or dvdquery.exe.
It drops two primary components: TROJ_WIPMBR.A and TROJ_DISTTRACK.A. TROJ_WIPMBR.A gathers the files to be infected in the computer. The files it overwrites are those with the following strings in the file name or code:
Once overwritten, these files can no longer be restored or opened. On the other hand, TROJ_DISTTRACK.A serves as the communicator. TROJ_WIPMBR.A passes the list of files it infects to TROJ_DISTTRACK.A. TROJ_DISTTRACK.A then creates a connection to an IP and sends the list of files, along with the IP address of the infected computer.
Trend Micro is continuously investigating this threat. Watch this space for updates.
Update as of August 20, 2012 11:13 PM
Further analysis of TROJ_WIPMBR.A reveals that it overwrites disk partitiions with a damaged .JPEG file using its component file DRDISK.SYS. It also creates a file containing the number of files to be compromised. TROJ_DISTTRACK.A also uses TROJ_WIPMBR.A to communicate with its C&C Server.
Update as of August 21, 2012 02:43 AM
We also found a 64-bit version of the malware that exhibits similar behavior. Trend Micro detects the malware as WORM_DISTTRACK.A and its components as TROJ_WIPRMBR.A and TROJ_DISTTRACK.A.
With additional analysis from Christopher Daniel So