New Shamoon malware variant in the wild
Symantec has released a new warning after finding an updated variant of the Shamoon malware in the wild. The new version, detected by the company as W32.Disttrack, wipes and destroys files as well as the master boot record (MBR), and changes the active partitions of an infected machine.
Where the previous version overwrote files in 192KB blocks containing an image of a burning U.S. flag, the new variant uses blocks of the same size filled with randomly generated data. The wiping date is read from a .pnf file created on the system. Symantec says the malware checks this date periodically and executes the wiper when it arrives.
Scanning through a targeted list of 'priority' files, the malware seeks out a target by attempting to open and close the following files to determine its access rights:
\\[TARGET IP]\ADMIN$\system32\csrss.exe
\\[TARGET IP]\C$\WINDOWS\system32\csrss.exe
\\[TARGET IP]\D$\WINDOWS\system32\csrss.exe
\\[TARGET IP]\E$\WINDOWS\system32\csrss.exe
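One defender-side use of the share list above: a small detection routine (an added example, not part of the article or of Symantec's analysis) that parses constructed share-access log lines and flags a source host that touches csrss.exe across several administrative shares on the same target. The log format, field names and IP addresses are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample of SMB share-access events (not real Symantec data).
# Assumed format: "<timestamp> src=<ip> path=<UNC path> action=<open|close>".
SAMPLE_LOG = r"""
2012-12-03T10:00:01 src=10.0.0.5 path=\\10.0.0.20\ADMIN$\system32\csrss.exe action=open
2012-12-03T10:00:01 src=10.0.0.5 path=\\10.0.0.20\ADMIN$\system32\csrss.exe action=close
2012-12-03T10:00:02 src=10.0.0.5 path=\\10.0.0.20\C$\WINDOWS\system32\csrss.exe action=open
2012-12-03T10:00:02 src=10.0.0.5 path=\\10.0.0.20\C$\WINDOWS\system32\csrss.exe action=close
2012-12-03T10:00:03 src=10.0.0.5 path=\\10.0.0.20\D$\WINDOWS\system32\csrss.exe action=open
2012-12-03T10:00:04 src=10.0.0.5 path=\\10.0.0.20\E$\WINDOWS\system32\csrss.exe action=open
2012-12-03T10:05:00 src=10.0.0.7 path=\\10.0.0.21\C$\Users\bob\report.docx action=open
2012-12-03T10:06:00 src=10.0.0.8 path=\\10.0.0.22\ADMIN$\system32\csrss.exe action=open
""".strip().splitlines()

EVENT_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) path=(?P<path>\S+) "
                      r"action=(?P<action>open|close)$")
# Administrative shares only: ADMIN$ or a single drive letter followed by '$'.
UNC_RE = re.compile(r"^\\\\(?P<host>[^\\]+)\\(?P<share>ADMIN\$|[A-Za-z]\$)\\(?P<rel>.+)$",
                    re.IGNORECASE)

def parse_event(line):
    """Return (ts, src, host, share, rel_path, action) for an admin-share access
    event, or None if the line is malformed or not an admin-share path."""
    m = EVENT_RE.match(line)
    if not m:
        return None
    u = UNC_RE.match(m.group("path"))
    if not u:
        return None
    return (m.group("ts"), m.group("src"), u.group("host"), u.group("share").upper(),
            u.group("rel").lower(), m.group("action"))

def find_csrss_probing(lines, min_shares=2):
    """Group csrss.exe touches on admin shares by (source, target host) and report
    pairs that hit at least `min_shares` distinct shares, mirroring the
    ADMIN$/C$/D$/E$ access check described in the article."""
    seen = defaultdict(set)
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        _ts, src, host, share, rel, _action = ev
        if rel.endswith("\\csrss.exe"):
            seen[(src, host)].add(share)
    return {pair: sorted(shares) for pair, shares in seen.items() if len(shares) >= min_shares}

if __name__ == "__main__":
    for (src, host), shares in find_csrss_probing(SAMPLE_LOG).items():
        print(f"{src} probed csrss.exe on {host} via shares: {', '.join(shares)}")
```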