A new wiper malware has been detected that uses a similar method to the 2017 NotPetya wiper malware to trash computers by overwriting the Master Boot Record (MBR) to render computers useless. Named Coronavirus, this wiper malware is being used purely for the purpose of sabotage.
The malware variant was analyzed by researchers at SonicWall Capture Labs Threat Research. The researchers report that the malware variant is not as destructive as NotPetya, and even if the MBR is overwritten it may be possible to recover the MBR and restore data, although that is a complicated process beyond the capabilities of most computer users. They also explain that if it is not possible to restore the MBR, data can be accessed or recovered by mounting the drive.
When executed, the malware drops several files into a hidden COVID-19 folder, disables Windows Task Manager and User Account Control (UAC), changes the wallpaper, and then removes the option to change or modify the wallpaper. It also writes registry entries for persistence and reboots the computer. A run.exe process creates a run.bat batch file that ensures the registry changes survive the reboot.
Two of the helper files are then executed. One of them, mainWindow.exe, displays a picture of the Novel Coronavirus with a message at the top of the image stating that the user’s device has been infected. There are two buttons at the bottom of the image, “Remove Virus” and “Help”; the Remove Virus button cannot be clicked. The Help option launches a popup saying, “Hello! If you see this message is because your computer has been infected with coronavirus. Please Don’t wast your time. Task Manager are disabled and you can’t terminate this process.”
The other binary overwrites the MBR with a new MBR. The following message will then be displayed:
Created By Angel Castillo. Your Computer Has Been Trashed.
Discord: Windows Vista#3294
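An added example, not from the SonicWall analysis or the malware itself, of how a defender can inspect a 512-byte boot sector: it decodes the partition table, checks the 0x55AA boot signature, and compares the sector with a saved copy, which is the practical baseline for the MBR recovery the researchers mention. The sector contents below are constructed samples; the layout constants are the standard MBR offsets.

```python
import struct

MBR_SIZE, TABLE_OFF, SIG_OFF = 512, 446, 510  # boot code | 4 x 16-byte table | 0x55AA

def build_mbr(boot_code, partitions, signature=b"\x55\xaa"):
    """Assemble a 512-byte MBR from boot-code bytes and (active, type, start_lba, sectors)."""
    table = b"".join(struct.pack("<B3xB3xII", 0x80 if a else 0, t, s, n)
                     for a, t, s, n in partitions).ljust(64, b"\0")
    return boot_code.ljust(TABLE_OFF, b"\0")[:TABLE_OFF] + table + signature

def parse_partitions(mbr):
    """Decode the four MBR partition entries; empty slots (type 0) are skipped."""
    if len(mbr) != MBR_SIZE:
        raise ValueError("an MBR is exactly one 512-byte sector")
    parts = []
    for slot in range(4):
        boot, ptype, start, count = struct.unpack_from("<B3xB3xII", mbr, TABLE_OFF + 16 * slot)
        if ptype:
            parts.append({"slot": slot, "active": boot == 0x80, "type": ptype,
                          "start_lba": start, "sectors": count})
    return parts

def assess_mbr(mbr, known_good=None):
    """Classify a sector as 'ok', 'tampered' (differs from a trusted backup) or 'trashed'."""
    findings, parts = [], parse_partitions(mbr)
    signature_ok = mbr[SIG_OFF:] == b"\x55\xaa"
    if not signature_ok:
        findings.append("boot signature 0x55AA missing")
    if not parts:
        findings.append("partition table empty")
    if known_good is not None:  # a saved copy of sector 0 is the only reliable baseline
        if mbr[:TABLE_OFF] != known_good[:TABLE_OFF]:
            findings.append("boot code differs from backup")
        if mbr[TABLE_OFF:SIG_OFF] != known_good[TABLE_OFF:SIG_OFF]:
            findings.append("partition table differs from backup")
    structurally_broken = not signature_ok or not parts
    verdict = "trashed" if structurally_broken else ("tampered" if findings else "ok")
    return {"verdict": verdict, "findings": findings, "partitions": parts}

# Constructed samples, not real disk images: a healthy single-NTFS-partition MBR
# (boot code is a truncated stub; only the structure matters here), the same sector
# with its boot code replaced by a message, and a sector whose table was also wiped.
HEALTHY = build_mbr(b"\x33\xc0\x8e\xd0\xbc\x00\x7c", [(True, 0x07, 2048, 1048576)])
TAMPERED = build_mbr(b"Your Computer Has Been Trashed.", [(True, 0x07, 2048, 1048576)])
WIPED = build_mbr(b"Your Computer Has Been Trashed.", [])

if __name__ == "__main__":
    for name, sector in (("healthy", HEALTHY), ("tampered", TAMPERED), ("wiped", WIPED)):
        print(name, assess_mbr(sector, known_good=HEALTHY))
```

Without a saved baseline, a sector whose partition table is intact but whose boot code was replaced still looks structurally fine, which is why keeping a copy of sector 0 matters for both detection and recovery.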
It is unclear how the malware is being distributed for this campaign. It is possible that it is being delivered in spam email, by drive-by download, or through fake software updates.