
Cyren Security Blog

The Cyren Security Blog is where Cyren engineers and thought leaders provide insights, research and analysis on a range of current cybersecurity topics.

Wiper.A: An Analysis of the Destructive and Dangerous Malware Targeted at Sony Pictures Entertainment

Our analysis determined that Wiper.A is a Trojan/Backdoor malware that may also appear under the aliases “Destover” and “NukeSped”. In addition to wiping and deleting everything on the Windows system, it can also download and install other malicious files. The threat can arrive on computers as an attachment to spammed emails, be downloaded from compromised websites, or be installed as part of a drive-by-download, where another malicious threat then downloads and installs the Wiper.A file. The installation and automatic startup technique involves dropping a copy and registering itself as a Windows service, so the malware can then automatically execute during a Windows start-up.

Once executed, this threat drops a copy of itself as “igfxtrayex.exe” in the same folder where it is executed. It then installs itself as a Windows “Service” to automatically execute upon Windows startup.

Service name : brmgmtsvc

Display name : Backup and Restore Management Service

Startup Type : Automatic

Service name : WinsSchMgmt

Display name : Windows Schedule Management Service

Startup Type : Automatic

Once installed and running, it tries to connect to specific hosts by enumerating the IP range 43.130.141.xx. It also creates the file %windir%\system32\net_ver.dat

In addition, this threat downloads the following files:

<current folder>\taskhost<xx>.exe

where xx is a random 2-letter combination.

%windir%\iissvr.exe

This Backdoor Trojan actually listens on port 2332 and waits for the hacker or the threat author to connect and gain access to the infected system. The threat then enumerates all folders in the system root folder (usually drive C:) and deletes all the files in them.
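The host-based indicators listed above (the two service names, the dropped and downloaded file names, and the TCP listener on port 2332) can be checked mechanically. The script below is an added example written for this post, not Cyren's tooling; the service table, file list and netstat rows it scans are constructed sample data, and the function names are assumptions.

```python
import re

# Indicators quoted in the write-up: service names, dropped file names,
# the taskhost<xx>.exe pattern and the backdoor's listening port.
WIPER_SERVICES = {"brmgmtsvc", "winsschmgmt"}
WIPER_FILES = {"igfxtrayex.exe", "iissvr.exe", "net_ver.dat"}
TASKHOST_RE = re.compile(r"^taskhost[a-z]{2}\.exe$", re.IGNORECASE)
WIPER_PORT = 2332

def scan_services(services):
    """services: iterable of (name, display_name, startup_type) tuples."""
    return [f"service {n} ({d}, {s})" for n, d, s in services if n.lower() in WIPER_SERVICES]

def scan_files(paths):
    """Match on file name only. The taskhost pattern also matches the legitimate
    taskhostex.exe, so a hit outside System32 is the stronger lead."""
    hits = []
    for p in paths:
        name = p.replace("\\", "/").rsplit("/", 1)[-1]
        if name.lower() in WIPER_FILES or TASKHOST_RE.match(name):
            hits.append(f"file {p}")
    return hits

def scan_listeners(netstat_lines):
    """Rows in 'netstat -ano' layout; flags TCP sockets listening on 2332."""
    hits = []
    for line in netstat_lines:
        f = line.split()
        if len(f) >= 5 and f[0] == "TCP" and f[3] == "LISTENING":
            if int(f[1].rsplit(":", 1)[-1]) == WIPER_PORT:
                hits.append(f"listener {f[1]} pid {f[4]}")
    return hits

# Constructed sample inventory (not real host data): indicators mixed with benign rows.
SAMPLE_SERVICES = [("Spooler", "Print Spooler", "Automatic"),
                   ("WinsSchMgmt", "Windows Schedule Management Service", "Automatic")]
SAMPLE_FILES = [r"C:\Windows\System32\svchost.exe",
                r"C:\Users\user\Downloads\igfxtrayex.exe",
                r"C:\Users\user\Downloads\taskhostqz.exe",
                r"C:\Windows\System32\net_ver.dat"]
SAMPLE_NETSTAT = ["TCP    0.0.0.0:445     0.0.0.0:0    LISTENING    4",
                  "TCP    0.0.0.0:2332    0.0.0.0:0    LISTENING    1337"]

def scan_host(services=SAMPLE_SERVICES, files=SAMPLE_FILES, netstat=SAMPLE_NETSTAT):
    """Run all three scanners and return the combined findings list."""
    return scan_services(services) + scan_files(files) + scan_listeners(netstat)
```

On the constructed sample, scan_host() returns five findings (one service, three files, one listener); on a real host, feed it the output of the service control manager, a file inventory and `netstat -ano`.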

CYREN will provide more detailed information as we continue our analysis.

* December 9th, updated version: previous version wrongly stated the service name as WinsScheMgmt
