
Reports of Disttrack/Shamoon malware, which overwrites files and infects the Master Boot Record (MBR) of infected systems, have recently surfaced. Trend Micro detects the said malware as WORM_DISTTRACK.A. Currently, its arrival method is still undetermined. It is found to spread to other computers by dropping copies of itself in administrative shares. Its dropped copy may use file names such as clean.exe or dvdquery.exe.

It drops two primary components: TROJ_WIPMBR.A and TROJ_DISTTRACK.A. TROJ_WIPMBR.A gathers the files to be infected on the computer. The files it overwrites are those with the following strings in the file name or code:

• document
• picture
• video
• music

Once overwritten, these files can no longer be restored or opened. On the other hand, TROJ_DISTTRACK.A serves as the communicator. TROJ_WIPMBR.A passes the list of files it infects to TROJ_DISTTRACK.A. TROJ_DISTTRACK.A then creates a connection to an IP and sends the list of files, along with the IP address of the infected computer.

Trend Micro is continuously investigating this threat. Watch this space for updates.

Update as of August 20, 2012 11:13 PM

Further analysis of TROJ_WIPMBR.A reveals that it overwrites disk partitions with a damaged .JPEG file using its component file DRDISK.SYS. It also creates a file containing the number of files to be compromised. TROJ_DISTTRACK.A also uses TROJ_WIPMBR.A to communicate with its C&C server.

Update as of August 21, 2012 02:43 AM

We also found a 64-bit version of the malware that exhibits similar behavior. Trend Micro detects the malware as WORM_DISTTRACK.A and its components as TROJ_WIPRMBR.A and TROJ_DISTTRACK.A.

With additional analysis from Christopher Daniel So
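As an added defender-side example (not code from the original post), the following Python scans constructed file-creation and driver-load events for the indicators named in the first paragraph and in this update: copies named clean.exe or dvdquery.exe written into administrative shares, and the DRDISK.SYS driver being loaded. The event line format, the hostnames and the share-name pattern are assumptions.

```python
import re

# Indicators taken from the post above: copies dropped into administrative
# shares under these names, and the disk-overwriting driver component.
DROPPED_NAMES = {"clean.exe", "dvdquery.exe"}
DRIVER_NAME = "drdisk.sys"
# Assumed pattern for a UNC path into an administrative share (ADMIN$, C$, ...).
ADMIN_SHARE_RE = re.compile(r"^\\\\[^\\]+\\(admin\$|[a-z]\$)\\", re.IGNORECASE)

# Constructed sample events in a hypothetical "<time> <event> <path>" format.
SAMPLE_EVENTS = """\
2012-08-16T10:01:05 file_create \\\\fileserver01\\ADMIN$\\clean.exe
2012-08-16T10:01:09 file_create \\\\ws-042\\C$\\Windows\\dvdquery.exe
2012-08-16T10:02:30 driver_load C:\\Windows\\System32\\drivers\\DRDISK.SYS
2012-08-16T10:03:11 file_create C:\\Users\\alice\\Documents\\report.docx
2012-08-16T10:04:00 file_create \\\\ws-042\\public\\clean.exe
"""


def classify_event(line):
    """Return an alert label for one event line, or None if nothing matched."""
    parts = line.split(" ", 2)
    if len(parts) != 3:
        return None
    _, event, path = parts
    name = path.rsplit("\\", 1)[-1].lower()
    if event == "driver_load" and name == DRIVER_NAME:
        return "wiper_driver_load"
    # Only a known dropped-copy name landing in an admin share is flagged;
    # the same name written elsewhere (last sample line) is left alone.
    if event == "file_create" and name in DROPPED_NAMES and ADMIN_SHARE_RE.match(path):
        return "admin_share_drop"
    return None


def scan_events(text):
    """Map each alert label to the list of paths that triggered it."""
    alerts = {}
    for line in text.splitlines():
        label = classify_event(line.strip())
        if label:
            alerts.setdefault(label, []).append(line.split(" ", 2)[2])
    return alerts


if __name__ == "__main__":
    for label, paths in scan_events(SAMPLE_EVENTS).items():
        print(label, paths)
```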


• amir

  Hi,

  at WORM_DISTTRACK.A page do not write infected Windows 7!

