Win32/DistTrack [Threat Name]

Win32/DistTrack.A [Threat Variant Name]

Category trojan
Size 989184 B
Detection created Aug 17, 2012
Detection database version 7393
Aliases W32.Disttrack (Symantec)
  W32/DistTrack.virus (McAfee)
  Trojan:Win32/WipMBR.A (Microsoft)
Short description

Win32/DistTrack.A is a trojan that overwrites the content of certain files with its own data. The trojan overwrites the MBR and partition table of all drives with its own data. The trojan may cause the operating system to crash. The trojan contains both 32-bit and 64-bit program components.

Installation

When executed, the trojan copies itself into the following location:

  • %windir%\system32\trksvr.exe (x86)

The trojan creates the following files:

  • %windir%\system32\netinit.exe (133120 B, Win32/DistTrack.A) (x86)
  • %windir%\system32\trksvr.exe (532992 B, Win64/DistTrack.A) (x64)
  • %windir%\system32\netinit.exe (155136 B, Win64/DistTrack.A) (x64)

The files are then executed.


The trojan registers itself as a system service using the following name:

  • TrkSvr

If the current system date and time matches certain conditions, the trojan creates the following files:

  • %windir%\system32\%variable% (194048 B, Win32/DistTrack.A) (x86)
  • %windir%\System32\Drivers\drdisk.sys (27280 B) (x86)
  • %windir%\system32\%variable% (227840 B, Win64/DistTrack.A) (x64)
  • %windir%\System32\Drivers\drdisk.sys (31632 B) (x64)

The %variable% is one of the following strings:

  • caclsrv.exe
  • certutl.exe
  • clean.exe
  • ctrl.exe
  • dfrag.exe
  • dnslookup.exe
  • dvdquery.exe
  • event.exe
  • findfile.exe
  • gpget.exe
  • ipsecure.exe
  • iissrv.exe
  • msinit.exe
  • ntfrsutil.exe
  • ntdsutl.exe
  • power.exe
  • rdsadmin.exe
  • regsys.exe
  • sigver.exe
  • routeman.exe
  • rrasrv.exe
  • sacses.exe
  • sfmsc.exe
  • smbinit.exe
  • wcscript.exe
  • ntnw.exe
  • netx.exe
  • fsutl.exe
  • extract.exe

The files are then executed.


The trojan installs the following system driver:

  • %windir%\System32\Drivers\drdisk.sys

Spreading via shared folders

The trojan tries to copy itself into shared folders of machines on a local network.


The following names of the shared network folders are used:

  • \\%remotecomputer%\ADMIN$\system32\
  • \\%remotecomputer%\C$\WINDOWS\system32\
  • \\%remotecomputer%\D$\WINDOWS\system32\
  • \\%remotecomputer%\E$\WINDOWS\system32\

If it succeeds, a copy of the trojan is retrieved from the attacking machine.


Its filename is one of the following:

  • caclsrv.exe
  • certutl.exe
  • clean.exe
  • ctrl.exe
  • dfrag.exe
  • dnslookup.exe
  • dvdquery.exe
  • event.exe
  • findfile.exe
  • gpget.exe
  • ipsecure.exe
  • iissrv.exe
  • msinit.exe
  • ntfrsutil.exe
  • ntdsutl.exe
  • power.exe
  • rdsadmin.exe
  • regsys.exe
  • sigver.exe
  • routeman.exe
  • rrasrv.exe
  • sacses.exe
  • sfmsc.exe
  • smbinit.exe
  • wcscript.exe
  • ntnw.exe
  • netx.exe
  • fsutl.exe
  • extract.exe

The trojan schedules a task that causes the following file to be executed repeatedly:

  • \\%remotecomputer%\%malwarefilepath%

Information stealing

The trojan collects the following information:

  • computer IP address

The trojan attempts to send gathered information to a remote machine.

Payload information

The trojan executes the following commands:

  • cmd.exe "del /f /a %windir%\Temp\filer*.exe"
  • cmd.exe "sc stop drdisk 2>&1 >nul"
  • cmd.exe "sc delete drdisk 2>&1 >nul"
  • cmd.exe "sc create drdisk type= kernel start= demand binpath= System32\Drivers\drdisk.sys 2>&1 >nul"
  • cmd.exe "sc start drdisk 2>&1 >nul"
  • cmd.exe "dir "C:\Documents and Settings\" /s /b /a:-D 2>nul | findstr -i download 2>nul >f1.inf"
  • cmd.exe "dir "C:\Documents and Settings\" /s /b /a:-D 2>nul | findstr -i document 2>nul >>f1.inf"
  • cmd.exe "dir C:\Users\/s /b /a:-D 2>nul  | findstr -i download 2>nul >>f1.inf"
  • cmd.exe "dir C:\Users\/s /b /a:-D 2>nul  | findstr -i document 2>nul >>f1.inf"
  • cmd.exe "dir C:\Users\/s /b /a:-D 2>nul  | findstr -i picture 2>nul >>f1.inf"
  • cmd.exe "dir C:\Users\/s /b /a:-D 2>nul  | findstr -i video 2>nul >>f1.inf"
  • cmd.exe "dir C:\Users\/s /b /a:-D 2>nul  | findstr -i music 2>nul >>f1.inf"
  • cmd.exe "dir "C:\Documents and Settings\" /s /b /a:-D 2>nul  | findstr -i desktop 2>nul >f2.inf"
  • cmd.exe "dir C:\Users\/s /b /a:-D 2>nul  | findstr -i desktop 2>nul >>f2.inf"
  • cmd.exe "dir C:\Windows\System32\Drivers /s /b /a:-D 2>nul >>f2.inf"
  • cmd.exe "dir C:\Windows\System32\Config /s /b /a:-D 2>nul | findstr -v -i systemprofile 2>nul >>f2.inf"
  • cmd.exe "dir f1.inf /s /b 2>nul >>f1.inf"
  • cmd.exe "dir f2.inf /s /b 2>nul >>f1.inf"
  • cmd.exe "shutdown -r -f -t 2"
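As an added example (not part of this write-up, and not code from the trojan or from any vendor), the following Python turns the Installation and Payload information indicators above into a check over constructed process-creation events. The regular expressions, the (image, command line) event shape and the sample events are my own assumptions, not data from a real incident.

```python
import re

# Indicators transcribed from the write-up above; the sample events further down are constructed.
DROPPED_FILES = {"trksvr.exe", "netinit.exe", "drdisk.sys"}
STAGE_NAMES = {  # the names the trojan picks %variable% from
    "caclsrv.exe", "certutl.exe", "clean.exe", "ctrl.exe", "dfrag.exe", "dnslookup.exe",
    "dvdquery.exe", "event.exe", "findfile.exe", "gpget.exe", "ipsecure.exe", "iissrv.exe",
    "msinit.exe", "ntfrsutil.exe", "ntdsutl.exe", "power.exe", "rdsadmin.exe", "regsys.exe",
    "sigver.exe", "routeman.exe", "rrasrv.exe", "sacses.exe", "sfmsc.exe", "smbinit.exe",
    "wcscript.exe", "ntnw.exe", "netx.exe", "fsutl.exe", "extract.exe",
}
# Command-line shapes taken from the "Payload information" list (regexes are assumptions).
CMD_PATTERNS = [
    ("drdisk service manipulation", re.compile(r"\bsc\s+(stop|delete|create|start)\s+drdisk\b", re.I)),
    ("file inventory redirected to f1.inf/f2.inf", re.compile(r">\s*f[12]\.inf\b", re.I)),
    ("cleanup of Temp\\filer*.exe droppers", re.compile(r"\bdel\s+/f\s+/a\s+\S*\\Temp\\filer\*\.exe", re.I)),
    ("forced reboot", re.compile(r"\bshutdown\s+-r\s+-f\s+-t\s+\d+", re.I)),
]

def analyse(image, cmdline):
    """Return the indicator labels one process-creation event matches (empty list if none)."""
    hits = []
    name = image.rsplit("\\", 1)[-1].lower()
    in_sys32 = "\\system32\\" in image.lower()        # every path in the write-up sits here
    if in_sys32 and name in DROPPED_FILES:
        hits.append("known dropped file: " + name)
    if in_sys32 and name in STAGE_NAMES:               # weak on its own, strong with the others
        hits.append("stage named from the %variable% list: " + name)
    hits += [label for label, pat in CMD_PATTERNS if pat.search(cmdline)]
    return hits

def scan(events):
    """Map event index -> labels for every event that matched at least one indicator."""
    return {i: hits for i, ev in enumerate(events) if (hits := analyse(*ev))}

# Constructed (image, command line) pairs in the style of Sysmon / 4688 process-creation fields.
SAMPLE_EVENTS = [
    (r"C:\Windows\system32\trksvr.exe", "trksvr.exe"),
    (r"C:\Windows\system32\cmd.exe", r"cmd.exe /c sc create drdisk type= kernel start= demand binpath= System32\Drivers\drdisk.sys 2>&1 >nul"),
    (r"C:\Windows\system32\cmd.exe", r"cmd.exe /c dir C:\Users\ /s /b /a:-D 2>nul | findstr -i download 2>nul >>f1.inf"),
    (r"C:\Windows\system32\ntfrsutil.exe", "ntfrsutil.exe"),
    (r"C:\Windows\system32\cmd.exe", r"cmd.exe /c del /f /a C:\Windows\Temp\filer*.exe"),
    (r"C:\Windows\system32\cmd.exe", "cmd.exe /c shutdown -r -f -t 2"),
    (r"C:\Windows\system32\notepad.exe", r"notepad.exe C:\Users\alice\notes.txt"),
]

if __name__ == "__main__":
    for i, hits in scan(SAMPLE_EVENTS).items():
        print(i, SAMPLE_EVENTS[i][1][:40], "->", hits)
```

The service and inventory patterns are the specific ones; the reboot pattern only becomes meaningful when it follows them on the same host within a short window.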

Win32/DistTrack.A is a trojan that overwrites the content of certain files with its own data.


The trojan overwrites the MBR and partition table of all drives with its own data.


The trojan may cause the operating system to crash.

Other information

The trojan may attempt to download files from the Internet.


The trojan contains a list of 2 URLs. The HTTP protocol is used.


These are stored in the following locations:

  • %windir%\Temp\filer%variable%.exe
  • %windir%\inf\netft429.pnf

A string with variable content is used instead of %variable%.


The trojan executes the following files:

  • %windir%\Temp\filer%variable%.exe

The trojan may restart the operating system.
