Select Page

Cyren Security Blog

The Cyren Security Blog is where Cyren engineers and thought leaders provide insights, research and analysis on a range of current cybersecurity topics.

Wiper.A: An Analysis of the Destructive and Dangerous Malware Targeted at Sony Pictures Entertainment

Our analysis determined that Wiper.A is a Trojan/Backdoor malware that may also appear under the aliases “Destover” and “NukeSped”. In addition to wiping and deleting everything on the Windows system, it can also download and install other malicious files. The threat can arrive on computers as an attachment to spammed emails, be downloaded from compromised websites, or be installed as part of a drive-by-download, where another malicious threat then downloads and installs the Wiper.A file. The installation and automatic startup technique involves dropping a copy and registering itself as a Windows service, so the malware can then automatically execute during a Windows start-up.

Once executed, this threat drops a copy of itself as “igfxtrayex.exe” in the same folder where it is executed. It then installs itself as a Windows “Service” to automatically execute upon Windows startup.

Service name : brmgmtsvc

Display name : Backup and Restore Management Service

Startup Type : Automatic

Service name : WinsSchMgmt

Display name : Windows Schedule Management Service

Startup Type : Automatic

Once installed and running, it tries to connect specific hosts by enumerating the IP range 43.130.141.xx. It also creates the file %windir%system32net_ver.dat

In addition this threat downloads the following files:

<current folder>taskhost<xx>.exe

where xx is a random 2 letter combination.


This Backdoor Trojan actually listens on port 2332 and waits for the hacker or the threat author to connect and gain access to the infected system. The threat then enumerates all folders in the system root folder (usually drive C:) and deletes all the files in them.

CYREN will provide more detailed information as we continue our analysis.

* December 9th, updated version: previous version wrongly stated the service name as WinsScheMgmt

You might also like

Phishing with QR codes

Don’t Scan or be Scammed By Maharlito Aquino, Kervin Alintanahin and Dexter To In 1994, a type of the matrix barcode known as the Quick Response code, now widely known as QR code, was invented by Masahiro Hara from a Japanese company Denso Wave. The purpose of the...