New Trojan ‘Shamoon’ leaves PCs unbootable


Jack

Administrator
Thread author
Verified
Staff Member
Well-known
Jan 24, 2011
9,378
Slash Gear said:
We’re getting news of a particularly nasty Trojan targeting Windows-based PCs today, which anti-virus companies have dubbed “Shamoon.” Like most malware, Shamoon exists to steal data from computers connected to the Internet, but what it does afterward is quite evil. In an effort to cover its tracks, it begins deleting files, including the Master Boot Record. This, naturally, leaves the PC unbootable, and can cause some major headaches. The malware itself is a 900KB file that uses many encrypted resources, as you can see below.

[Image: Shamoon resources]

Shamoon doesn’t seem to be widespread, as Seculert reports that it uses a two-stage attack, apparently targeting “several specific companies in a few industries.” Shamoon works its way into a computer that is directly connected to the Internet, and then from there begins to spread to other computers connected to the same network. As stated above, once it’s done stealing what it wants, it begins to cripple the PCs it infected, reminding Kaspersky of the Wiper malware, which attacked PCs in Iran earlier this year and in turn led to the discovery of Flame.

Kaspersky says that it isn’t Wiper, however, pointing out a few key differences. With those differences apparent, Kaspersky says that Shamoon is likely “a copycat, the work of a script kiddies inspired by the story” of Wiper. It’s good to know that Wiper isn’t becoming more widespread, but at the same time it’s scary that there are those inspired by Wiper’s level of destruction.

Read more on SlashGear
 
Deleted member 178

Crippling the victimized system is a good way to cover tracks. I wonder when the malware that will reformat the system will arrive :D
 

Moose

Level 22
Jun 14, 2011
2,271
Question! Please! Does Kaspersky have a virus-removal tool for Shamoon?

http://www.kaspersky.com/virus-removal-tools/
 

Moose

Level 22
Jun 14, 2011
2,271
Seems to attack the MBR = Master Boot Record. What is your opinion of MBRWizard?
http://firesage.com/mbrwizard.php
and/or
TeraByte Unlimited:
http://www.terabyteunlimited.com/history-bootit-bare-metal.htm

for protection of the MBR = Master Boot Record? :huh:
 

Ink

Administrator
Verified
Staff Member
Well-known
Jan 8, 2011
22,361
Does this affect Windows 8 if using GPT?
http://www.infotechguyz.com/windows8/Windows8GPT.html

Or could someone explain what GPT is, if I'm wrong. Thanks :D
 

Moose

Level 22
Jun 14, 2011
2,271
What is your opinion on the following below:

Seems to attack the MBR = Master Boot Record. What is your opinion of MBRWizard?
http://firesage.com/mbrwizard.php
and/or
TeraByte Unlimited:
http://www.terabyteunlimited.com/history...-metal.htm

for protection of the MBR = Master Boot Record?
 

Moose

Level 22
Jun 14, 2011
2,271
Update! On Shamoon!

http://blogs.computerworld.com/malware-and-vulnerabilities/20851/malware-wars-heat-shamoon-steals-wipes-and-leaves-pcs-unbootable
 

Moose

Level 22
Jun 14, 2011
2,271
Earth!

I am not sure if Shamoon affects Windows 8! But I posted a link to read about it.
 

Jack

Administrator
Thread author
Verified
Staff Member
Well-known
Jan 24, 2011
9,378
If you guys see a computer infected with this trojan, a "fixmbr" command from a Windows CD should fix the PC.
The good news is that the virus is not widespread so we should be good for the time being.... Nevertheless a very nasty attack!
 

Littlebits

Retired Staff
May 3, 2011
3,893
Update (17 Aug 2012): During the past 24 hours, we have collected telemetry from our users on Trojan.Win32.EraseMBR.a sightings. So far, there are only two reports, both from China, which appear to be security researchers. So we can conclude that the malware is not widespread and it was probably only used in very focused targeted attacks.

http://www.securelist.com/en/blog/208193786/Shamoon_the_Wiper_Copycats_at_Work

So don't worry, you are more likely to win the lottery 3 times in a row before ever coming in contact with this malware.

Enjoy!!:D
 