The Coronavirus malware makes disks unusable by overwriting the master boot record (MBR). This is the same trick the NotPetya wiper used back in 2017, in a campaign that caused global financial damage.
The SonicWall Capture Labs Threat Research team warns that the malware strain is also a destructive trojan, and, for the moment, there is no cure. Researchers said that victims of the trojan found themselves with a grey screen, a blinking cursor and a simple message: “Your computer has been trashed.”
Cybercriminals have found fertile ground in the global concern around the pandemic. Some recent phishing attacks have used the promise of disease-related financial relief as a lure, but the operators of this malware go one step further: they took the Coronavirus as both its name and its infection theme.
The new malware can come to the users’ computers as a malicious attachment, file download or fake application. Regarding the execution, the malware
The malware first drops a number of helper files into a temporary folder. An installer, a batch file named “coronavirus.bat”, then sets up the attack by creating a hidden folder named “COVID-19” on the victim’s machine and moving the previously dropped helper files there, an effort to go unnoticed until its goal is achieved.
Coronavirus malware disables Task Manager and UAC
Afterwards, the installer disables Windows Task Manager and User Account Control (UAC), making it harder for users to see what is happening. At the same time, it changes the user’s wallpaper and prevents the user from adding or modifying one. Behind the scenes, it adds entries to the registry and then reboots the system in order to finish the installation.
According to SonicWall, the process run.exe creates a batch file named run.bat, which ensures that the registry modifications made by “coronavirus.bat” remain intact across the reboot.
Afterwards, the infection executes two binaries. The first one, “mainWindow.exe,” displays a window with a picture of the coronavirus itself. The victim is notified at the top of the window that “coronavirus has infected your PC!” There are also two buttons that read “Remove virus” and “Help.” The former does nothing when clicked, but the latter brings up a pop-up telling victims to “not wast [sic] your time” because “you can’t terminate this process!”
The second binary is the one responsible for overwriting the MBR. “The original MBR is first backed up in the first sector before it is overwritten with new one, [and the] MBR is overwritten with the new code,” according to the researchers.
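The MBR overwrite described above is the part an incident responder can check on a disk image. The following added example (not code from the article or from SonicWall) parses the 512-byte MBR layout and scans the first sectors of a raw image for a sector that still holds a plausible partition table, which is how a backup copy of the original MBR would be located. The sample image is constructed: it assumes the trashed sector keeps a 0x55AA boot signature and that the backup sits in sector 1, which is an illustration, not a claim about where this malware places it.

```python
import struct

SECTOR = 512
BOOT_SIGNATURE = b"\x55\xaa"
# status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count
PART_FMT = "<B3xB3xII"


def parse_partitions(sector: bytes):
    """Return the four partition-table entries of a 512-byte sector as dicts."""
    entries = []
    for i in range(4):
        status, ptype, lba, count = struct.unpack_from(PART_FMT, sector, 446 + 16 * i)
        entries.append({"status": status, "type": ptype, "lba": lba, "sectors": count})
    return entries


def looks_like_intact_mbr(sector: bytes) -> bool:
    """A 0x55AA signature alone proves nothing: replacement boot code that only
    prints a message carries one too. Require a plausible partition entry as well."""
    if len(sector) != SECTOR or sector[510:512] != BOOT_SIGNATURE:
        return False
    return any(
        p["status"] in (0x00, 0x80) and p["type"] != 0 and p["lba"] > 0 and p["sectors"] > 0
        for p in parse_partitions(sector)
    )


def find_mbr_candidates(image: bytes, max_sectors: int = 64):
    """Scan the first max_sectors of a raw image for sectors that still hold a
    plausible MBR, e.g. a backup copy written next to the overwritten one."""
    n = min(max_sectors, len(image) // SECTOR)
    return [i for i in range(n) if looks_like_intact_mbr(image[i * SECTOR:(i + 1) * SECTOR])]


def build_sample_image() -> bytes:
    """Constructed test image: sector 0 trashed, sector 1 holds the original MBR (assumption)."""
    original = bytearray(SECTOR)
    original[0:3] = b"\xeb\x3c\x90"  # typical jump at the start of boot code
    struct.pack_into(PART_FMT, original, 446, 0x80, 0x07, 2048, 204800)  # bootable NTFS entry
    original[510:512] = BOOT_SIGNATURE
    trashed = bytearray(SECTOR)
    message = b"Your computer has been trashed."
    trashed[0:len(message)] = message  # boot code replaced, partition table zeroed
    trashed[510:512] = BOOT_SIGNATURE  # kept so the firmware still runs the new code
    return bytes(trashed) + bytes(original) + bytes(SECTOR * 2)


if __name__ == "__main__":
    img = build_sample_image()
    print("sector 0 intact:", looks_like_intact_mbr(img[:SECTOR]))
    print("candidate MBR sectors:", find_mbr_candidates(img))
```

On a real image, read the first few kilobytes with `open(path, "rb")` and pass them to `find_mbr_candidates`; a hit in a sector other than 0 is a lead to verify by hand before any restoration.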
Once the overwrite is complete, the victim’s display is changed to a simple grey screen delivering the bad news. The Coronavirus malware thus leaves the disk unusable for its users, and that makes it a serious threat.