W32/DistTrack.A!tr

Analysis


  • Upon execution, it drops the following files:
    • [CurrentFolder]\f1.inf : This is a non-malicious text file containing a list of files whose contents have been overwritten with a JPEG file.
    • [CurrentFolder]\f2.inf : This is a non-malicious text file containing a list of some files that are in the infected system.
    • %Windows%\inf\netfb318.pnf : This is a non-malicious file that contains just one byte.
    • %System%\drivers\drdisk.sys : This is a non-malicious disk driver.
    • %System%\smbinit.exe : This is a malicious file detected as W32/EraseMBR.A!tr.
    • %System%\trksvr.exe : This is a copy of the original file.

  • It creates a service named TrkSvr with the ALL_ACCESS parameter using trksvr.exe, the dropped copy of itself in the System folder. The display name for the newly created service is "Distributed Link Tracking Server".

  • For the TrkSvr service, it creates the registry entry HKLM\SYSTEM\CurrentControlSet\Services\TrkSvr. Some registry values are shown below:

    • Figure 1: Registry values of the TrkSvr service.

  • The malware applies the following additional service-related registry modifications:
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\drdisk
      • ImagePath = "%System%\Drivers\drdisk.sys"

    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TrkSvr\Security

  • It overwrites various files in the infected host with a JPEG file.

  • It also deletes files in the System folder that have the following filenames:

    • Figure 2: Files in the System folder that are deleted.

  • This malware also issues the following command line:
    • "%System%\cmd.exe /c sc start drdisk2>&1 >nul"
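The dropped files, services, registry keys and driver-start command listed above make a compact host-triage checklist. The following script is an added example, not Fortinet's code or data: it checks a plain host inventory (the HostSnapshot layout is an assumption of this example, not a Fortinet format) for each indicator named in the analysis and reports what it finds, so the logic can be reused over exported file listings, service tables and process command lines. The sample snapshots at the bottom are constructed for the demonstration.

```python
"""Triage helper for the W32/DistTrack.A!tr indicators listed in the analysis above.

The HostSnapshot layout is an assumption of this example: a plain summary of
file paths, services, registry keys and process command lines exported from a
host. It is not a Fortinet data format.
"""
import re
from dataclasses import dataclass, field

# Dropped-file indicators from the analysis, matched as path suffixes with a
# leading backslash so that "xdrdisk.sys" is not a hit and so that f1.inf /
# f2.inf match whatever the malware's current folder happened to be.
DROPPED_FILE_SUFFIXES = (
    r"\f1.inf",              # weak indicator: generic name, confirm the contents
    r"\f2.inf",              # weak indicator: generic name, confirm the contents
    r"\inf\netfb318.pnf",
    r"\drivers\drdisk.sys",
    r"\smbinit.exe",
    r"\trksvr.exe",
)

# Display name the malware gives its TrkSvr service.
TRKSVR_DISPLAY_NAME = "Distributed Link Tracking Server"

# Registry keys created by the malware, in normalised form (lower case, HKLM
# abbreviation). Sub-keys such as ...\TrkSvr\Security are matched as well.
REGISTRY_KEYS = (
    r"hklm\system\currentcontrolset\services\trksvr",
    r"hklm\system\currentcontrolset\services\drdisk",
)

# The driver-start command from the analysis. No trailing word boundary, so the
# unspaced "drdisk2>&1" form shown in the report is matched too.
CMDLINE_PATTERN = re.compile(r"\bsc\s+start\s+drdisk", re.IGNORECASE)


@dataclass
class HostSnapshot:
    files: list = field(default_factory=list)          # absolute file paths
    services: dict = field(default_factory=dict)       # name -> {"display_name", "image_path"}
    registry_keys: list = field(default_factory=list)  # full registry key paths
    command_lines: list = field(default_factory=list)  # observed process command lines


def _normalise_key(key):
    return key.lower().replace("hkey_local_machine", "hklm")


def find_indicators(snap):
    """Return (kind, value) pairs for every DistTrack indicator present in the snapshot."""
    hits = []
    for path in snap.files:
        low = path.lower()
        if any(low.endswith(suffix) for suffix in DROPPED_FILE_SUFFIXES):
            hits.append(("file", path))
    for name, props in snap.services.items():
        lname = name.lower()
        image = props.get("image_path", "").lower()
        if lname == "trksvr" and props.get("display_name") == TRKSVR_DISPLAY_NAME:
            hits.append(("service", name))
        elif lname == "drdisk" and image.endswith(r"\drivers\drdisk.sys"):
            hits.append(("service", name))
    for key in snap.registry_keys:
        norm = _normalise_key(key)
        if any(norm == k or norm.startswith(k + "\\") for k in REGISTRY_KEYS):
            hits.append(("registry", key))
    for cmd in snap.command_lines:
        if CMDLINE_PATTERN.search(cmd):
            hits.append(("cmdline", cmd))
    return hits


def summarize(hits):
    """Count hits per indicator kind, e.g. {"file": 5, "service": 2}."""
    counts = {}
    for kind, _ in hits:
        counts[kind] = counts.get(kind, 0) + 1
    return counts


# Constructed sample snapshots for the demonstration (not data from a real host).
INFECTED_SNAPSHOT = HostSnapshot(
    files=[
        r"C:\Users\alice\Downloads\f1.inf",
        r"C:\Windows\inf\netfb318.pnf",
        r"C:\Windows\System32\drivers\drdisk.sys",
        r"C:\Windows\System32\smbinit.exe",
        r"C:\Windows\System32\trksvr.exe",
        r"C:\Windows\System32\notepad.exe",
        r"C:\Windows\System32\drivers\disk.sys",   # legitimate driver, must not match
    ],
    services={
        "TrkSvr": {"display_name": TRKSVR_DISPLAY_NAME,
                   "image_path": r"C:\Windows\System32\trksvr.exe"},
        "drdisk": {"display_name": "",
                   "image_path": r"C:\Windows\System32\Drivers\drdisk.sys"},
        "TrkWks": {"display_name": "Distributed Link Tracking Client",
                   "image_path": r"C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted"},
    },
    registry_keys=[
        r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TrkSvr",
        r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TrkSvr\Security",
        r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\drdisk",
        r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TrkWks",
    ],
    command_lines=[
        r'"C:\Windows\System32\cmd.exe" /c sc start drdisk 2>&1 >nul',
        r"C:\Windows\System32\svchost.exe -k netsvcs",
    ],
)
CLEAN_SNAPSHOT = HostSnapshot(
    files=[r"C:\Windows\System32\drivers\disk.sys", r"C:\Windows\inf\netfb.pnf"],
    services={"TrkWks": {"display_name": "Distributed Link Tracking Client",
                         "image_path": r"C:\Windows\System32\svchost.exe"}},
    registry_keys=[r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TrkWks"],
    command_lines=[r"C:\Windows\System32\svchost.exe -k netsvcs"],
)

if __name__ == "__main__":
    for kind, value in find_indicators(INFECTED_SNAPSHOT):
        print(f"[{kind}] {value}")
    print("clean host hits:", find_indicators(CLEAN_SNAPSHOT))
```

The f1.inf and f2.inf names are deliberately flagged as weak: they are generic enough to occur on an uninfected host, so a hit on them alone should be confirmed by inspecting the file contents (a list of overwritten files, per the analysis) before the host is treated as compromised. The TrkSvr service is only reported when both the name and the "Distributed Link Tracking Server" display name match, which keeps the legitimate TrkWks client service out of the results.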


Recommended Action

FortiGate Systems

  • Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option.

FortiClient Systems
  • Quarantine/delete files that are detected and replace infected files with clean backup copies.

Telemetry

Detection Availability

Product                    Availability
FortiGate                  Extreme
FortiClient                Extended
FortiMail                  Extended
FortiSandbox               Extended
FortiWeb                   Extended
Web Application Firewall   Extended
FortiIsolator              Extended
FortiDeceptor              Extended
FortiEDR

Version Updates

Date Version Detail
2022-07-05 90.03884
2022-04-27 90.01777
2021-06-15 86.00934
2021-03-31 85.00102
2019-04-16 67.84200 Sig Updated
2019-03-12 67.00000 Sig Added
2018-11-13 64.14900 Sig Updated
2018-10-25 63.18300 Sig Added