Various wipers / MBR-modifying malware
Wipers made their first appearance way back in 2008 when Narilam, a wiper malware, was used in targeting business and financial software in Iran. Wipers are malicious programs that cause data destruction on its victim machine. Unlike other malware whose aim is to achieve some sort of financial gain, wipers’ main motivation is to destroy all its targeted files/directory on a system or to replace the content of its target with a malicious content. As wipers evolved, malware authors decided to tweak the functionality of wipers and make these kinds of malwares to rewrite into master boot records (MBR).
Currently, a “Coronavirus.exe” is spreading amongst Windows users. This malware’s name is very much connected to the COVID-19 pandemic. At first, this malware will drop several hidden helper files and batch files in a temporary folder in the computer system. Then, while still remaining unnoticed, it will disable Windows Task Manager and User Access Control and place itself inside the Startup registry. Lastly, upon reboot of the victim’s machine, a pop-up message box that tells victims to “not wast [sic] your time” because “you can’t terminate this process!” will be executed and won’t be terminated because the task manager was disabled. Meanwhile, the original MBR is being overwritten with a new malicious code.
Another variant of this MBR-modifying malware was discovered by one of our analysts which at first may seem to be a simple screenlocker, but unknown to the user, is also a malware infecting the MBR.Continue reading