
W32/DistTrack Trojan

From McAfee Security Advisory MTIS 12-132, recently issued:



W32/DistTrack Trojan


Threat Identifier(s): W32/DistTrack

Threat Type: Malware

Risk Assessment: Low

Main Threat Vectors: WAN; LAN; Peer-to-Peer Networks

User Interaction Required: Yes


W32/DistTrack is a highly destructive Trojan capable of overwriting data on targeted machines. Machines infected by it are rendered useless as most of the files, the MBR and the partition tables are overwritten with garbage data. The overwritten data is lost and is not recoverable.

The initial infection vector is as yet unknown, but the malware has the capability of spreading via Admin$ shares. When the initial executable is run, it creates a copy of itself in the %SystemRoot%\System32 folder using the name tsksvr.exe. This dropped executable is the wiper module and is responsible for overwriting various files on the hard disk and also the MBR and Boot Sector.

The wiper module also drops a file called drdisk.sys, which is a standard component from a commercial application that is used to allow programs low-level access to hard disk drives. The wiper module then uses this to overwrite the MBR and partition tables of the hard disk. The data used to overwrite these sectors is again the JPEG data as shown above. This renders the hard disk unusable, and it will not be recognized by the system after rebooting.

Importance: Low. This threat has gained media attention.

McAfee Product Coverage *

DAT files:

Coverage is provided as "W32/DistTrack" in the 6805 DATs, released August 15. A stand-alone Stinger tool is also available for download.

For more information see

Edit - Alternatively, try the following link (which I was unable to verify because the server was down)

The information in is intended for Business users.  The Extra.DAT and Stinger downloads though should be effective on Home User systems.

Message was edited by: Hayton on 21/08/12 13:20:42 IST
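As an added example (not part of the advisory or of any McAfee tool): a triage check for a 512-byte sector-0 dump taken from a suspect disk, testing for the MBR structures the advisory says are overwritten with JPEG data. The function names, the two constructed sample sectors and the JPEG-marker heuristic are assumptions made for illustration.

```python
import struct

SECTOR_SIZE = 512
PT_OFFSET = 446  # partition table follows the 446-byte boot code area
# Heuristic only: byte patterns typical of a JPEG header (assumed indicator).
JPEG_MARKERS = (b"\xff\xd8\xff", b"JFIF", b"Exif")

def triage_mbr(sector: bytes) -> dict:
    """Check a sector-0 dump for the structure a valid MBR must have."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected a 512-byte sector dump")
    findings, partitions = [], []
    if sector[510:512] != b"\x55\xaa":
        findings.append("boot signature 0x55AA missing")
    if any(marker in sector for marker in JPEG_MARKERS):
        findings.append("JPEG marker bytes present in sector 0")
    for i in range(4):
        raw = sector[PT_OFFSET + 16 * i : PT_OFFSET + 16 * (i + 1)]
        if raw == bytes(16):
            continue  # unused slot
        # status, 3 CHS bytes, type, 3 CHS bytes, start LBA, sector count
        status, ptype, lba, count = struct.unpack("<B3xB3xII", raw)
        if status not in (0x00, 0x80):
            findings.append(f"entry {i}: invalid status byte 0x{status:02x}")
        elif ptype == 0 or lba == 0 or count == 0:
            findings.append(f"entry {i}: inconsistent type/LBA/size")
        else:
            partitions.append({"index": i, "active": status == 0x80,
                               "type": ptype, "lba": lba, "sectors": count})
    if not partitions and not findings:
        findings.append("partition table is empty")
    return {"intact": not findings, "findings": findings,
            "partitions": partitions}

def sample_healthy() -> bytes:
    # Constructed sample: empty boot code, one active NTFS partition.
    entry = struct.pack("<B3xB3xII", 0x80, 0x07, 2048, 204800)
    return bytes(PT_OFFSET) + entry + bytes(48) + b"\x55\xaa"

def sample_overwritten() -> bytes:
    # Constructed sample: sector filled with a repeating JFIF header fragment.
    fragment = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01"
    return (fragment * 43)[:SECTOR_SIZE]

if __name__ == "__main__":
    for name, data in (("healthy", sample_healthy()),
                       ("overwritten", sample_overwritten())):
        print(name, triage_mbr(data))
```

On a real disk, take the dump read-only from a forensic image rather than from the live system.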

Re: W32/DistTrack Trojan

I was wondering why McAfee made such a fuss over this one. Perhaps this is the answer: it's the same infection that the BBC website noted here -

"Shamoon virus targets energy sector infrastructure"

"It is a destructive malware that corrupts files on a compromised computer and overwrites the MBR (Master Boot Record) in an effort to render a computer unusable," wrote security firm Symantec.

McAfee's being a bit sniffy because Symantec got to it first.

The Symantec article identifies this as "W32/DistTrack". For now, you probably shouldn't worry too much unless you're a big player in the Saudi oil business. Of course, in the malware-generation subculture any innovation will soon be copied by others, so the techniques used in this one will appear elsewhere eventually.

Re: W32/DistTrack Trojan

Actually, it was a McAfee customer who experienced the initial infection(s). Someone searching for information on the malware can see this in that McAfee issued detection/protection for W32/Disttrack with DAT 6805 a day before Symantec, in their own malware report, claims it was discovered.

Symantec and others received their information on DistTrack from the published McAfee Threat Advisory, just like everyone else.

And, notice that all of the news about Shamoon broke days after McAfee posted a detailed analysis of the Disttrack threat. As happens often, another vendor gave this malware a more newsworthy name and the media ran with it. Until it had a 'cool' name nobody cared.