Categories: News

The Coronavirus malware makes disks unusable

The Coronavirus malware makes disks unusable by overwriting the master boot record (MBR). This is the same trick that NotPetya wiper malware used back in 2017. The campaign back then caused a global financial damage.

SonicWall Capture Labs Threat Research team warn that the malware strain is also a destructive trojan. And, for the moment, there’s no cure. Researchers said that the victims of the trojan found themselves with a grey screen and a blinking cursor with a simple message, “Your computer has been trashed.”

Cybercriminals found a very fertile ground to capitalize on the global concern around the pandemic. So, some of the recent phishing attacks came with the promise of financial relief as a lure, due to the disease. But the operators of this malware go one step further. They took the Coronavirus as its name and infection theme.

The new malware can come to the users’ computers as a malicious attachment, file download or fake application. Regarding the execution, the malware

In the beginning, the malware is installing a number of helper files. These land in a temporary folder. Then, an installer – a file named “coronavirus.bat”, sets up the attack by creating a hidden folder named “COVID-19” on the victim’s machine. Then, the previously dropped helper files are moved there. This is an effort to go unnoticed, until its goal is achieved.

Coronavirus malware disables Task Manager and UAC

Afterwards, the installer disables Windows Task Manager and User Access Control (UAC). This is a way to make it even more difficult to understand for the users. At the same time, it changes the user’s wallpaper and blocks the possibility to add or modify it. Behind the scene, it adds entries in the registry and then reboots the system, in order to finish the installation.

According to SonicWall, the process run.exe creates a batch file named run.bat. Thus, it ensures that the registry modifications done by “coronavirus.bat” remain intact during the reboot process.

Afterwards, the infection executes two binaries. The first one, “mainWindow.exe,” displays a window with a picture of the coronavirus itself. The victim is notified at the top of the window that “coronavirus has infected your PC!” There are also two buttons that read “Remove virus” and “Help.” The former does nothing when clicked. But the latter brings up a pop-up that tells victims to “not wast [sic] your time” because “you can’t terminate this process!”

The second binary is the one responsible for overwriting the MBR. “The original MBR is first backed up in the first sector before it is overwritten with new one, [and the] MBR is overwritten with the new code,” according to the researchers.

Once the overwrite is complete, the victim’s display is changed to a simple grey screen delivering the bad news. So, the Coronavirus malware makes disks unusable for the users and this is a serious threat.

Laurentiu Titei

Laurentiu, a creative content writer, has been producing articles about technology for more than 10 years. He is interested in all the security and internet news and his mainstream media background helps make them readable for all kinds of users. Moreover, he grows the appropriate social media channels for websites.

View Comments

Recent Posts

Digital Advertising practices, under the pressure of fines

Its digital advertising practices continue to bring troubles for Google. Two separate cases will go to court in the UK…

2 years ago

Advertising discrimination, addressed by huge companies

WPP, Delta Airlines, Kellogg and Mindshare take the issue of advertising discrimination seriously, in order to combat bias in digital…

2 years ago

Ad fraud might hit $100B, advertising companies worry

Ad fraud has become a very big issue for both users and the advertising agencies. Different forms of it might…

3 years ago

The ad-based business model: Would Facebook change it?

The Facebook lead architect of the ad-based business model leaves the company. Let's see how her move could affect company's…

3 years ago

Here it comes: New Meta privacy policy. Does it matter?

A new Meta privacy policy comes soon for the company's platforms. Users would be notified of the updates about how…

3 years ago

Advertising company: ”Our customers don’t like ads”

As its “customers don't like ads,” Evite, an American online party planner, decided to just close its advertising business, while…

3 years ago