Remove DistTrack.A aka Shamoon Malware Infects, Steals, Wipes MBR

Remove DistTrack.A aka Shamoon Malware Infects, Steals, Wipes MBR by Britec
Trojan: Win32/WipMBR.A

DistTrack is disk-overwriting (wiper) malware rumored to be behind destructive attacks in the Middle East. Some reports say it was used in targeted attacks against companies in the energy sector.

It registers itself as a system service under the following name:
TrkSvr

If the system date and time meet certain conditions, it creates the following files:
%Windir%\system32\%variable% (194048 B, Win32/DistTrack.A) (x86)
%Windir%\System32\Drivers\drdisk.sys (27280 B) (x86)
%Windir%\system32\%variable% (227840 B, Win64/DistTrack.A) (x64)
%Windir%\System32\Drivers\drdisk.sys (31632 B) (x64)

This driver is placed in the %DRIVERS% folder under the name drdisk.sys. It is apparently taken from an innocent application, and just used opportunistically to enable raw disk access. DistTrack uses raw disk access to destroy the Master Boot Record (MBR) on the hard drive, resulting in this chilling message on bootup:

Operating system not found.
If the attack succeeds, the copy of the Trojan is taken from the machine.

The file name will be one of the following:
caclsrv.exe
certutl.exe
clean.exe
ctrl.exe
dfrag.exe
dnslookup.exe
dvdquery.exe
event.exe
findfile.exe
gpget.exe
ipsecure.exe
iissrv.exe
msinit.exe
ntfrsutil.exe
ntdsutl.exe
power.exe
rdsadmin.exe
regsys.exe
sigver.exe
routeman.exe
rrasrv.exe
sacses.exe
sfmsc.exe
smbinit.exe
wcscript.exe
ntnw.exe
netx.exe
fsutl.exe
extract.exe
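As an added example (not part of the original post), here is a read-only PowerShell triage script that checks a host for the artifacts described above: the TrkSvr service, drdisk.sys in the drivers folder with the listed sizes, and the listed file names in system32. It assumes an elevated session and that the names and byte sizes are those given on this page; it removes nothing.

```powershell
# Added triage script, not from the original post. Checks for the DistTrack/Shamoon
# artifacts described above. Read-only: it reports, it does not remove anything.

$sys32   = Join-Path $env:windir 'system32'
$drvPath = Join-Path $sys32 'drivers\drdisk.sys'
$driverSizes  = 27280, 31632      # x86 / x64 drdisk.sys sizes given in the post
$dropperSizes = 194048, 227840    # x86 / x64 DistTrack.A sizes given in the post
$dropperNames = @(
  'caclsrv.exe','certutl.exe','clean.exe','ctrl.exe','dfrag.exe','dnslookup.exe',
  'dvdquery.exe','event.exe','findfile.exe','gpget.exe','ipsecure.exe','iissrv.exe',
  'msinit.exe','ntfrsutil.exe','ntdsutl.exe','power.exe','rdsadmin.exe','regsys.exe',
  'sigver.exe','routeman.exe','rrasrv.exe','sacses.exe','sfmsc.exe','smbinit.exe',
  'wcscript.exe','ntnw.exe','netx.exe','fsutl.exe','extract.exe'
)
$findings = @()

# 1. Service named TrkSvr: the registry key is checked so a stopped or disabled service is still found
$svcKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\TrkSvr'
$svc = Get-ItemProperty -Path $svcKey -ErrorAction SilentlyContinue
if ($svc) { $findings += "Service TrkSvr present, ImagePath: $($svc.ImagePath)" }

# 2. Raw-disk driver dropped as drdisk.sys
if (Test-Path $drvPath) {
  $len  = (Get-Item $drvPath).Length
  $note = if ($driverSizes -contains $len) { 'size matches post' } else { 'size differs' }
  $findings += "drdisk.sys present ($len bytes, $note): $drvPath"
}

# 3. Dropper copied under one of the listed names in system32
foreach ($name in $dropperNames) {
  $p = Join-Path $sys32 $name
  if (Test-Path $p) {
    $len  = (Get-Item $p).Length
    $note = if ($dropperSizes -contains $len) { 'size matches post' } else { 'size differs' }
    $findings += "File $name present in system32 ($len bytes, $note)"
  }
}

if ($findings.Count -eq 0) { 'No DistTrack artifacts found.' }
else { $findings | ForEach-Object { "[!] $_" } }
```

A "size differs" hit is not proof of infection, only a name match worth examining; a size match on drdisk.sys or on a system32 file together with the TrkSvr service is a strong indicator.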

Systems Affected:
Windows 2000, Windows 7, Windows 95, Windows 98, Windows Me, Windows NT, Windows Vista, Windows XP

https://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/

https://www.surfright.nl/en

https://public.avast.com/~gmerek/aswMBR.htm

https://www.malwarebytes.org/
