Home Malware Programs Malware Shamoon

Shamoon

Posted: August 17, 2012

Threat Metric

Threat Level: 2/10
Infected PCs: 25
First Seen: August 17, 2012
OS(es) Affected: Windows

Shamoon Screenshot 1Shamoon, also known as Disttrack, is an unusually-destructive worm that overwrites the Master Boot Record (or MBR) to cause permanent damage to your operating system – making it essentially impossibles to boot your PC without repairing the OS. Shamoon's attacks also transmit basic information about your PC and appear to be targeting specific companies in China's energy industry. Because Shamoon, as a worm, includes features to distribute itself through removable and network-shared drives, containing a Shamoon infection to stop Shamoon from spreading to associated computers should be your foremost priority. SpywareRemove.com malware experts also recommend that you regain access to your PC by booting it from a removable device – afterward, anti-malware software should be able to delete Shamoon before Shamoon can cause any additional damage.

The Three Paths That Shamoon Takes to Hurt Your Computer

Shamoon is a multi-component worm that can be found organized into three distinct parts: a 'dropper' component that installs Shamoon, a 'reporter' component that sends information about the attack back to the criminal, and a 'wiper' that overwrites crucial system files. Because reports of Shamoon attacks have, so far, been limited to industrial targets, SpywareRemove.com malware researchers and others in the PC security industry surmise that Shamoon is likely the work of a criminal copycat group that was inspired by the Middle Eastern 'Flame' virus.

Additional details on Shamoon's components are noted as follows:

  • Shamoon's dropper component is compatible with various versions of Windows, including 64-bit versions of Windows 7. It conceals its files in a system folder (as well as network-shared locations that could allow Shamoon to infect other PCs) and creates a scheduled task that launches Shamoon along with Windows.
  • Shamoon's reporter sends information about its attack back to the original criminal group. Unusually for malicious software, Shamoon only attempts to send basic information – such as your IP address and which files were attacked – instead of gathering potentially-profitable data (such as bank account logins).
  • Lastly, SpywareRemove.com malware research team notes the functions of Shamoon's much-dreaded 'wiper' component. Initially, Shamoon's wiper replaces a system driver with its own driver as a means of bypassing file-reading and writing security measures. The replacement driver (which includes a digital signature) is exploited to attack your PC but isn't, by itself, malicious.

Second, Shamoon overwrites various files in your 'Users,' 'Documents and Settings,' 'Windows\System32\Drivers' and 'Windows\System32\Config' folders with an image file.

Shamoon's third and final attack overwrites your Master Boot Record, an attack that makes the PC inoperable.

Keeping Your Hard Drive Out of Shamoon's Data-Overwriting Clutches

Unless you use PCs in China's energy industry on a regular basis, your chances of being infected by Shamoon worms are low, since current Shamoon attacks appear to be distinctly-targeted at such companies. However, Shamoon's emergence does place emphasis on network security, since Shamoon can spread through local networks to other PCs without requiring manual installation. SpywareRemove.com malware experts also suggest that security precautions be taken for removable hard drive devices, which are often used by PC threats like Shamoon for secondary distribution vehicles.

Beyond small-scale mayhem, the motivations behind Shamoon's attacks remain murky, since Shamoon doesn't include functions that would result in profit for associated criminals. Some PC security experts speculate that Shamoon could be used in a multipart attack that uses separate malware for profitable attacks, with Shamoon's sole purpose being to delete all of the evidence and disable the PC afterward.

Technical Details

File System Modifications

Tutorials: If you wish to learn how to remove malware components manually, you can read the tutorials on how to find malware, kill unwanted processes, remove malicious DLLs and delete other harmful files. Always be sure to back up your PC before making any changes.

The following files were created in the system:



%System%\trksvr.exe File name: %System%\trksvr.exe
File type: Executable File
Mime Type: unknown/exe
Group: Malware file
f1.inf File name: f1.inf
Mime Type: unknown/inf
Group: Malware file
f2.inf File name: f2.inf
Mime Type: unknown/inf
Group: Malware file
Loading...