Some malware authors have developed malware that destroys infected systems, either by wiping files or rewriting a computer’s master boot record (MBR). With help from the infosec community, ZDNet has identified at least five malware strains, some distributed in the wild, while others appear to have been created only as tests or jokes.
Rather than using the coronavirus as a means for more power (politicians) or financial gain, this malware appears to be simply destructive.
Of the four malware samples found by security researchers this past month, the most advanced were the two samples that rewrote MBR sectors.
Some advanced technical knowledge was needed to create these strains as tinkering with a master boot record is no easy feat and could easily result in systems that didn’t boot at all.
The first of the MBR-rewriters was discovered by a security researcher that goes by the name of MalwareHunterTeam, and detailed in a report from SonicWall this week. Using the name of COVID-19.exe, this malware infects a computer and has two infection stages. –ZDNet
— MalwareHunterTeam (@malwrhunterteam) March 23, 2020
Here’s what you will want to watch for:
In the first phase, it just shows an annoying window that users can’t close because the malware has also disabled the Windows Task Manager.
While users attempt to deal with this window, the malware is silently rewriting the computer’s master boot record behind their back. It then restarts the PC, and the new MBR kicks in, blocking users into a pre-boot screen.
Users can eventually regain access to their computers, but they’ll need special apps that can be used to recover and rebuild the MBR to a working state.
There is another coronavirus-themed malware strain that re-wrote the MBR and it is a far more convoluted malware operation.
The malware’s primary function was to steal passwords from an infected host and then mimic ransomware to trick the user and mask its real purpose.
However, it wasn’t ransomware either. It only posed as one. Once the data-stealing operations ended, the malware entered into a phase where it rewrote the MBR, and blocked users into a pre-boot message, preventing access to their PCs. With users seeing ransom notes and then not being able to access their PCs, the last thing users would thing to do is to check if someone exfiltrated passwords from their apps.
According to analysis from SentinelOne security researcher Vitali Kremez and Bleeping Computer, the malware also contained code to wipe files on the user’s systems, but this didn’t appear to be active in the version they analyzed.
At first this seems like a simple screenlocker, but it infects the MBR as well.
Same MBR as the Coronavirus ransomware found by @malwrhunterteam
— Karsten Hahn (@struppigel) March 26, 2020
Norton anti-virus has offered tops to help keep your PC safe from these and other destructive problems. If you can, do a scan of your computer to make sure your anti-virus software is catching all the problems.