Trojan:Win32/WipMBR.B


First posted on 18 August 2012.
Source: Microsoft

Aliases:

There are no other names known for Trojan:Win32/WipMBR.B.

Explanation:

Trojan:Win32/WipMBR.B is a trojan that overwrites your computer's MBR (master boot record) and a list of user and system files, and then forces a reboot. With the MBR destroyed the operating system can no longer start, so you lose access to your computer and to the overwritten data.



Installation

Trojan:Win32/WipMBR.B is dropped and run by Trojan:Win32/WipMBR.A, with one of the following file names:

  • caclsrv.exe
  • certutl.exe
  • clean.exe
  • ctrl.exe
  • dfrag.exe
  • dnslookup.exe
  • dvdquery.exe
  • event.exe
  • extract.exe
  • findfile.exe
  • fsutl.exe
  • gpget.exe
  • iissrv.exe
  • ipsecure.exe
  • msinit.exe
  • netx.exe
  • ntdsutl.exe
  • ntfrsutil.exe
  • ntnw.exe
  • power.exe
  • rdsadmin.exe
  • regsys.exe
  • routeman.exe
  • rrasrv.exe
  • sacses.exe
  • sfmsc.exe
  • sigver.exe
  • smbinit.exe
  • wcscript.exe


Trojan:Win32/WipMBR.B drops the following file:

%SystemRoot%\system32\drivers\drdisk.sys

Note: %SystemRoot% refers to a variable location that is determined by the malware by querying the operating system. The default location for the SystemRoot folder for Windows 2000, XP, 2003, Vista and 7 is "C:\Windows".

The trojan installs this file as a system device driver with the service name "drdisk". The file itself is not malicious: it is a legitimately signed driver from EldoS that provides "raw disk access", meaning it reads and writes disk sectors directly, bypassing the file system and its access controls. That capability is what lets the trojan overwrite the MBR and other data that normal file APIs would not let it touch.



Payload

Overwrites the MBR

Trojan:Win32/WipMBR.B overwrites the MBR (master boot record). It also tries to overwrite data on non-system hard disk partitions and the files listed in f1.inf and f2.inf (see the Additional information section in this description) with part of a JPEG file.

Note: No image will be shown as the file is only part of a JPEG and not an actual image.

A non-system hard disk partition is a partition, or area, of a hard disk that does not contain system files or information related to the operation of your computer's operating system.

After overwriting the MBR and other files, it opens a command prompt and runs the command "shutdown -r -f -t 2", which forces open programs to close (-f) and restarts the computer (-r) after a two-second delay (-t 2). Because the MBR has already been destroyed, the machine fails to boot after this restart.
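An added forensic check, not part of the original description: given sector 0 of a disk image (for example a dd capture taken during incident response), decide whether the MBR is still intact or has been overwritten. The MBR layout used here is the standard one (446 bytes of boot code, four 16-byte partition entries at offset 446, and the 0x55AA signature at offset 510). The JPEG check is an assumption for illustration only: the description says the overwrite uses part of a JPEG file but not which part, so a fragment taken from the middle of a JPEG would still be reported as "overwritten", just without the JPEG label. Both sample sectors are constructed, not captured from an infected machine.

```python
import struct

SECTOR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xAA"   # bytes 510-511 of a valid MBR
JPEG_SOI = b"\xFF\xD8\xFF"     # JPEG start-of-image marker (FF D8 followed by a marker byte)


def parse_mbr(sector):
    """Parse one 512-byte sector as an MBR: partition table, signature, and a JPEG-start check."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected exactly 512 bytes")
    partitions = []
    for i in range(4):
        entry = sector[446 + 16 * i:446 + 16 * (i + 1)]
        status, _chs_start, ptype, _chs_end, lba_start, count = struct.unpack("<B3sB3sII", entry)
        if ptype != 0:   # partition type 0 means an empty slot
            partitions.append({"index": i, "bootable": status == 0x80,
                               "type": ptype, "lba_start": lba_start, "sectors": count})
    return {
        "signature_ok": sector[510:512] == BOOT_SIGNATURE,
        "partitions": partitions,
        "starts_with_jpeg_soi": sector.startswith(JPEG_SOI),
    }


def assess_mbr(sector):
    """Classify sector 0 as 'intact', 'overwritten (JPEG data)' or 'overwritten'."""
    info = parse_mbr(sector)
    if info["signature_ok"] and info["partitions"]:
        return "intact"
    return "overwritten (JPEG data)" if info["starts_with_jpeg_soi"] else "overwritten"


def assess_image(path):
    """Read sector 0 of a raw disk image and classify it."""
    with open(path, "rb") as f:
        return assess_mbr(f.read(SECTOR_SIZE))


# Constructed sample sectors (not captured from a real system).
def build_intact_mbr():
    bootstrap = b"\xEB\x63\x90" + b"\x00" * 443          # stand-in for 446 bytes of boot code
    # One bootable NTFS-type (0x07) partition starting at LBA 2048 with 1,000,000 sectors.
    entry = struct.pack("<B3sB3sII", 0x80, b"\x20\x21\x00", 0x07, b"\xFE\xFF\xFF", 2048, 1_000_000)
    return bootstrap + entry + b"\x00" * 48 + BOOT_SIGNATURE


def build_wiped_sector():
    # Assumption for illustration: the fragment written over sector 0 begins at the JPEG header.
    fragment = b"\xFF\xD8\xFF\xE0\x00\x10JFIF\x00"
    return (fragment * (SECTOR_SIZE // len(fragment) + 1))[:SECTOR_SIZE]


if __name__ == "__main__":
    print("sample MBR:  ", assess_mbr(build_intact_mbr()))
    print("wiped sector:", assess_mbr(build_wiped_sector()))
```

On a real case, run `assess_image()` against an image of each disk in the machine, not only the system disk: the description says the trojan also tries to overwrite data on non-system partitions, so a disk whose MBR parses cleanly may still have destroyed partition contents, and that needs a separate check of the partitions themselves.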

Additional information

Trojan:Win32/WipMBR.B opens a command prompt and runs the following commands to build the list of files it overwrites. In each pipeline, "dir <folder> /s /b /a:-D" prints every file under the folder recursively as a full path (directories excluded), "findstr -i <word>" keeps only the paths containing that word (case-insensitive), and "findstr -v -i <word>" drops them:

  • dir "C:\Documents and Settings\" /s /b /a:-D 2>nul | findstr -i download 2>nul >f1.inf
  • dir "C:\Documents and Settings\" /s /b /a:-D 2>nul | findstr -i document 2>nul >>f1.inf
  • dir C:\Users\ /s /b /a:-D 2>nul | findstr -i download 2>nul >>f1.inf
  • dir C:\Users\ /s /b /a:-D 2>nul | findstr -i document 2>nul >>f1.inf
  • dir C:\Users\ /s /b /a:-D 2>nul | findstr -i picture 2>nul >>f1.inf
  • dir C:\Users\ /s /b /a:-D 2>nul | findstr -i video 2>nul >>f1.inf
  • dir C:\Users\ /s /b /a:-D 2>nul | findstr -i music 2>nul >>f1.inf
  • dir "C:\Documents and Settings\" /s /b /a:-D 2>nul | findstr -i desktop 2>nul >f2.inf
  • dir C:\Users\ /s /b /a:-D 2>nul | findstr -i desktop 2>nul >>f2.inf
  • dir C:\Windows\System32\Drivers /s /b /a:-D 2>nul >>f2.inf
  • dir C:\Windows\System32\Config /s /b /a:-D 2>nul | findstr -v -i systemprofile 2>nul >>f2.inf
  • dir f1.inf /s /b 2>nul >>f1.inf
  • dir f2.inf /s /b 2>nul >>f1.inf

The last two commands add the paths of f1.inf and f2.inf themselves to f1.inf, so the list files are overwritten along with everything they name.


It stores this list in the following files, in the same location as Trojan:Win32/WipMBR.B:

  • f1.inf
  • f2.inf
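The following is an added illustration of the targeting logic above, written for this page and not taken from the trojan: it replays the same dir-and-findstr rules over a constructed list of file paths and returns what would end up in f1.inf and f2.inf. The sample tree and the working directory used for the two .inf paths are assumptions (the description does not say where the trojan ran from). It makes one property of the real commands visible: findstr matches the word anywhere in the full path, so under "C:\Documents and Settings" the "document" rule catches every file of every profile, and a folder called "Videos" or "Pictures" qualifies wherever it sits under "C:\Users".

```python
# Each rule is (root, word): files under root whose full path contains word, case-insensitively,
# which is exactly what `dir <root> /s /b /a:-D | findstr -i <word>` selects.
F1_RULES = [
    (r"C:\Documents and Settings", "download"),
    (r"C:\Documents and Settings", "document"),
    (r"C:\Users", "download"),
    (r"C:\Users", "document"),
    (r"C:\Users", "picture"),
    (r"C:\Users", "video"),
    (r"C:\Users", "music"),
]
F2_RULES = [
    (r"C:\Documents and Settings", "desktop"),
    (r"C:\Users", "desktop"),
]

# Constructed sample tree (files only, since /a:-D excludes directories). Not from a real machine.
SAMPLE_TREE = [
    r"C:\Users\alice\Downloads\invoice.pdf",
    r"C:\Users\alice\Documents\notes.docx",
    r"C:\Users\alice\Pictures\holiday.jpg",
    r"C:\Users\alice\Desktop\todo.txt",
    r"C:\Users\alice\AppData\Local\Temp\x.tmp",
    r"C:\Users\bob\Music\song.mp3",
    r"C:\Users\bob\Videos\clip.mp4",
    r"C:\Documents and Settings\carol\Local Settings\cache.dat",
    r"C:\Windows\System32\Drivers\drdisk.sys",
    r"C:\Windows\System32\Config\SAM",
    r"C:\Windows\System32\Config\systemprofile\ntuser.dat",
]


def dir_findstr(paths, root, include=None, exclude=None):
    """Emulate `dir <root> /s /b /a:-D | findstr -i <include>` or `| findstr -v -i <exclude>`."""
    root_l = root.lower().rstrip("\\") + "\\"   # match the folder, not a sibling with a longer name
    hits = []
    for p in paths:
        pl = p.lower()
        if not pl.startswith(root_l):
            continue
        if include is not None and include.lower() not in pl:
            continue
        if exclude is not None and exclude.lower() in pl:
            continue
        hits.append(p)
    return hits


def build_target_lists(paths, work_dir):
    """Return (f1, f2): the file lists the commands in the description would write.
    work_dir is an assumption standing in for the trojan's unknown working directory."""
    f1, f2 = [], []
    for root, word in F1_RULES:
        f1 += dir_findstr(paths, root, include=word)       # >> appends, so duplicates are kept
    for root, word in F2_RULES:
        f2 += dir_findstr(paths, root, include=word)
    f2 += dir_findstr(paths, r"C:\Windows\System32\Drivers")
    f2 += dir_findstr(paths, r"C:\Windows\System32\Config", exclude="systemprofile")
    # The final two commands list f1.inf and f2.inf themselves into f1.inf.
    f1 += [work_dir + r"\f1.inf", work_dir + r"\f2.inf"]
    return f1, f2


if __name__ == "__main__":
    f1, f2 = build_target_lists(SAMPLE_TREE, r"C:\Users\alice\AppData\Local\Temp")
    print("f1.inf:", *f1, sep="\n  ")
    print("f2.inf:", *f2, sep="\n  ")
```

Feeding a real `dir /s /b /a:-D` listing from a clean reference machine through `build_target_lists()` gives a defender the set of paths whose disappearance or replacement with identical JPEG bytes should be treated as an indicator of this payload.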

Related encyclopedia entries

Trojan:Win32/WipMBR.A



Analysis by Shawn Wang

Last update 18 August 2012
