Wiper.A: An Analysis of the Destructive and Dangerous Malware Targeted at Sony Pictures Entertainment

by Security Research & Analysis (Threat Analysis)

Our analysis determined that Wiper.A is a Trojan/backdoor that is also tracked under the aliases “Destover” and “NukeSped”. Besides wiping the files on the infected Windows system, it can download and install additional malicious files. The threat can arrive as an attachment to spammed email, be downloaded from a compromised website, or be installed by another malicious program that itself arrived through a drive-by download and then fetches and runs the Wiper.A file. For installation and persistence it drops a copy of itself and registers that copy as a Windows service, so the malware is executed automatically at every Windows start-up.

Once executed, the threat drops a copy of itself as “igfxtrayex.exe” in the folder it was run from (a name chosen to resemble igfxtray.exe, the legitimate Intel graphics tray component). It then registers itself as a Windows service so that it runs automatically at Windows startup; two service registrations have been observed:

         Service name : brmgmtsvc
         Display name : Backup and Restore Management Service
         Startup Type : Automatic

         Service name : WinsSchMgmt
         Display name : Windows Schedule Management Service
         Startup Type : Automatic

Once installed and running, it tries to connect to specific hosts by enumerating addresses in the IP range 43.130.141.xx. It also creates the file %windir%\system32\net_ver.dat.

In addition, this threat downloads the following files:

         <current folder>\taskhost<xx>.exe   (where xx is a random two-letter combination)
         %windir%\iissvr.exe

The backdoor component listens on port 2332 and waits for the attacker to connect and gain access to the infected system. The wiper component then enumerates every folder in the system root (usually drive C:\) and deletes all the files in them.
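The indicators above (the two service registrations, the dropped and downloaded files, the port 2332 listener and traffic to 43.130.141.xx) are what a responder would sweep a fleet for. The following hunting script is an added example and is not CYREN's code. It matches host artefacts against those indicators and runs here over constructed sample data standing in for real output of a service listing, a file listing and `netstat -ano`. It assumes that %windir% is a directory literally named Windows, that "port 2332" means a TCP listener (the post does not name the protocol), and that "43.130.141.xx" means the /24; all three are assumptions, not facts from the write-up.

```python
"""Hunt for the Wiper.A / Destover indicators reported in the CYREN write-up.

Added example, not CYREN's code.  All input at the bottom is constructed
sample data standing in for real host output (service list, file listing,
`netstat -ano`); swap in the real lines to use it on a host.
"""
import re
from ipaddress import ip_address, ip_network

# --- indicators from the write-up ----------------------------------------
SERVICE_NAMES = {"brmgmtsvc", "winsschmgmt"}
SERVICE_DISPLAY = {"backup and restore management service",
                   "windows schedule management service"}
BACKDOOR_PORT = 2332                      # post says "port 2332"; TCP assumed here
C2_RANGE = ip_network("43.130.141.0/24")  # "43.130.141.xx" read as a /24 (assumption)
TASKHOST_RE = re.compile(r"taskhost[a-z]{2}\.exe")  # taskhost<xx>.exe, xx = two letters


def check_services(services):
    """services: iterable of (service name, display name) pairs."""
    return [f"service {name} ({display})" for name, display in services
            if name.lower() in SERVICE_NAMES or display.lower() in SERVICE_DISPLAY]


def check_files(paths):
    """Flag the dropped/downloaded files by name and location.

    %windir% is assumed to be a directory named 'Windows'.  The taskhost<xx>.exe
    check skips \\Windows\\System32 on purpose: Windows 8.x ships a legitimate
    taskhostex.exe there, and the post places the malicious copy in the folder
    the sample ran from, not in System32.
    """
    hits = []
    for path in paths:
        low = path.replace("/", "\\").lower()
        name = low.rsplit("\\", 1)[-1]
        parent = low[: len(low) - len(name)]      # keeps the trailing backslash
        in_system32 = parent.endswith("\\system32\\")
        if name == "igfxtrayex.exe":              # dropped copy of the sample
            hits.append(f"file {path}")
        elif TASKHOST_RE.fullmatch(name) and not in_system32:
            hits.append(f"file {path}")
        elif name == "iissvr.exe" and parent.endswith("\\windows\\"):
            hits.append(f"file {path}")
        elif name == "net_ver.dat" and in_system32:
            hits.append(f"file {path}")
    return hits


# One `netstat -ano` row: proto, local addr:port, foreign addr:port, [state], pid
NETSTAT_RE = re.compile(
    r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+):(\d+|\*)(?:\s+([A-Z_]+))?\s+(\d+)\s*$")


def check_sockets(netstat_lines):
    """Flag a listener on the backdoor port and any peer inside the C2 range."""
    hits = []
    for line in netstat_lines:
        m = NETSTAT_RE.match(line)
        if not m:                                 # header, blank or unparsable row
            continue
        proto, _laddr, lport, raddr, _rport, state, pid = m.groups()
        if proto == "TCP" and int(lport) == BACKDOOR_PORT and state == "LISTENING":
            hits.append(f"listener on TCP {BACKDOOR_PORT} (pid {pid})")
        try:
            if ip_address(raddr) in C2_RANGE:
                hits.append(f"connection to {raddr} (pid {pid})")
        except ValueError:                        # '*' or a bracketed IPv6 literal
            pass
    return hits


def hunt(services, paths, netstat_lines):
    return check_services(services) + check_files(paths) + check_sockets(netstat_lines)


# --- constructed sample data (not real host output) ----------------------
SAMPLE_SERVICES = [
    ("wuauserv", "Windows Update"),
    ("brmgmtsvc", "Backup and Restore Management Service"),
    ("WinsSchMgmt", "Windows Schedule Management Service"),
]
SAMPLE_FILES = [
    r"C:\Users\victim\Downloads\igfxtrayex.exe",
    r"C:\Users\victim\Downloads\taskhostqz.exe",
    r"C:\Windows\System32\taskhostex.exe",    # legitimate on Windows 8.x, must not fire
    r"C:\Windows\iissvr.exe",
    r"C:\Windows\System32\net_ver.dat",
    r"C:\Windows\System32\igfxtray.exe",      # legitimate Intel tray app, must not fire
]
SAMPLE_NETSTAT = [
    "Active Connections",
    "  Proto  Local Address          Foreign Address        State           PID",
    "  TCP    0.0.0.0:2332           0.0.0.0:0              LISTENING       1844",
    "  TCP    192.168.1.20:49211     43.130.141.17:445      ESTABLISHED     1844",
    "  TCP    192.168.1.20:49212     23.100.10.5:443        ESTABLISHED     3020",
    "  UDP    0.0.0.0:5355           *:*                                    1100",
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_SERVICES, SAMPLE_FILES, SAMPLE_NETSTAT):
        print("HIT:", finding)
```

Because the payload deletes files from the system root, a positive hit on a live host should be treated as an imminent-destruction case: isolate the machine from the network first (which also cuts the port 2332 backdoor and the 43.130.141.xx traffic) and image it before any remediation. Names and ports are trivially changed by the operators, so these matches are point-in-time indicators for this sample, not a durable signature.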

CYREN will provide more detailed information as we continue our analysis.

* Updated December 9th: the previous version wrongly gave the service name as WinsScheMgmt.
