{"id":17984,"date":"2022-02-02T10:17:40","date_gmt":"2022-02-02T18:17:40","guid":{"rendered":"https:\/\/www.palada.net\/index.php\/2022\/02\/02\/news-11717\/"},"modified":"2022-02-02T10:17:40","modified_gmt":"2022-02-02T18:17:40","slug":"news-11717","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2022\/02\/02\/news-11717\/","title":{"rendered":"To Joke or Not to Joke: COVID-22 Brings Disaster to MBR"},"content":{"rendered":"<div class=\"aem-Grid aem-Grid--12 aem-Grid--default--12\">\n<div class=\"raw-import aem-GridColumn aem-GridColumn--default--12\">\n<div class=\"text-container\"><\/div>\n<\/p><\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p><b><a href=\"https:\/\/www.fortinet.com\/fortiguard\/labs.html?utm_source=blog&amp;utm_medium=campaign&amp;utm_campaign=FortiGuardLabs\">FortiGuard Labs<\/a>\u00a0Threat\u00a0Research Report<\/b><\/p>\n<p><b>Affected platforms<\/b>: Microsoft Windows<br \/> <b>Impacted parties<\/b>: Windows Users<br \/> <b>Impact<\/b>: Unable to boot the machine<br \/> <b>Severity level<\/b><span>: Medium<\/span><\/p>\n<p>Even now, almost two years after the COVID-19 pandemic started, there is no sign that cybercriminals will stop taking advantage of the situation as an attack vector. This time, however, the attacker uses a COVID pandemic that has not yet happened as bait. FortiGuard Labs recently discovered new malware posing as a mysterious COVID22 installer. While it contains many of the features of &quot;joke&quot; malware, it is also destructive, causing infected machines to fail to boot. Because it has no features for encrypting data or demanding a ransom to undo the damage it inflicts, it is instead a new destructive malware variant designed to render affected systems inoperable. This blog explains how this malware works.<\/p>\n<h2>Covid-22 in Action<br \/> <\/h2>\n<p>The malware file is named Covid22. 
For those unfamiliar with the naming scheme, COVID-19 is a short form of\u00a0<b>Co<\/b>rona<b>v<\/b>irus<b>d<\/b>isease, and\u00a0<b>19<\/b>\u00a0represents the year the outbreak was first identified. The file name Covid22 plays off the current Coronavirus disease but applies that same image of fear and destruction to computers, potentially creating a cyber-pandemic in 2022. While we don&#8217;t know how exactly the malware was distributed, the malware author has tried to weaponize fear as bait to lure victims into opening the file.<\/p>\n<p>While the\u00a0<a href=\"https:\/\/www.fortinet.com\/resources\/cyberglossary\/malware?utm_source=blog&amp;utm_campaign=malware\">malware<\/a>\u00a0itself is not sophisticated, it does take several actions designed to put fear into the victim before inducing true panic. But before that, when first manually running the file, it asks whether the potential victim wants to install Covid-22 on their machine, as if it were an application.\u00a0<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--8 aem-GridColumn--offset--default--2\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/to-joke-or-not-to-joke-covid-22-brings-disaster-to-mbr\/_jcr_content\/root\/responsivegrid\/image.img.png\/1636601410877\/picture1.png\" alt=\"Figure 1. Installer screen that asks the victim for permission to install\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 1. Installer screen that asks the victim for permission to install<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>Once the victim proceeds with the installation, the malware drops several malicious files before forcefully rebooting the machine. 
The dropped files have simple, self-descriptive names that reflect their actions. They are listed below in order of execution.<\/p>\n<ul>\n<li>Covid22Server.exe executes the commands in the dropped script.txt<\/li>\n<li>lol.vbs displays, in an endless loop, a message box reading &quot;Your PC has been infected by Covid-22 Corona Virus! Enjoy the death of your pc!&quot;<\/li>\n<\/ul><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--6 aem-GridColumn--offset--default--3\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/to-joke-or-not-to-joke-covid-22-brings-disaster-to-mbr\/_jcr_content\/root\/responsivegrid\/image_589203924.img.png\/1636601449903\/picture2.png\" alt=\"Figure 2. Image of the pop-up message \u201cYour PC has been infected by Covid-22 Corona Virus! Enjoy the death of your pc!\u201d\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 2. Image of the pop-up message \u201cYour PC has been infected by Covid-22 Corona Virus! 
Enjoy the death of your pc!\u201d<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<ul>\n<li>speakwh.vbs uses the computer&#8217;s speaker to say &quot;coronavirus&quot; in a loop<\/li>\n<li>CoronaPopup.exe displays a pop-up with the title &quot;Covid-22 has infected your pc!&quot; and an image of the actual coronavirus<\/li>\n<\/ul><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--offset--default--4 aem-GridColumn--default--4\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/to-joke-or-not-to-joke-covid-22-brings-disaster-to-mbr\/_jcr_content\/root\/responsivegrid\/image_600726940.img.png\/1636601488767\/picture3.png\" alt=\"Figure 3. Image of the virus\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 3. Image of the virus<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<ul>\n<li>ClutterScreen.exe clutters the screen by constantly moving blocks of pixels<\/li>\n<li>x.vbs displays the pop-up message, &quot;Corona Virus!&quot; 50 times<\/li>\n<\/ul><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--offset--default--4 aem-GridColumn--default--4\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/to-joke-or-not-to-joke-covid-22-brings-disaster-to-mbr\/_jcr_content\/root\/responsivegrid\/image_1111667745.img.png\/1636601582643\/picture4.png\" alt=\"Figure 4. Image of the pop-up message \u201cCorona Virus!\u201d\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 4. 
Image of the pop-up message \u201cCorona Virus!\u201d<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<ul>\n<li>noescapes.vbs displays the pop-up message &quot;THERE IS NO ESCAPE&quot; 10 times<\/li>\n<\/ul><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--offset--default--4 aem-GridColumn--default--4\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/to-joke-or-not-to-joke-covid-22-brings-disaster-to-mbr\/_jcr_content\/root\/responsivegrid\/image_1803738543.img.png\/1636601725901\/picture5.png\" alt=\"Figure 5. Image of the pop-up message \u201cTHERE IS NO ESCAPE\u201d\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 5. Image of the pop-up message \u201cTHERE IS NO ESCAPE\u201d<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<ul>\n<li>icons.exe fills the screen with red Xs<\/li>\n<\/ul><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--6 aem-GridColumn--offset--default--3\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/to-joke-or-not-to-joke-covid-22-brings-disaster-to-mbr\/_jcr_content\/root\/responsivegrid\/image_1182593830.img.png\/1636601766421\/picture6.png\" alt=\"Figure 6. Image of the user\u2019s screen filled with red Xs\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 6. 
Image of the user\u2019s screen filled with red Xs<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<ul>\n<li>final.vbs displays a pop-up message &quot;Bye!&quot;<\/li>\n<\/ul><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--offset--default--4 aem-GridColumn--default--4\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/to-joke-or-not-to-joke-covid-22-brings-disaster-to-mbr\/_jcr_content\/root\/responsivegrid\/image_352362042.img.png\/1636601806704\/picture7.png\" alt=\"Figure 7. Image of the pop-up message \u201cBYE!!!\u201d\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 7. Image of the pop-up message \u201cBYE!!!\u201d<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>These are the classic actions of joke programs usually intended to annoy or make fun of users. But the next activity is not laughable at all. The malware drops and executes the malicious WipeMBR.exe wiper malware that destroys the Master Boot Record (MBR) by\u00a0overwriting its first 512 bytes with zeros.\u00a0The malware then forces a machine reboot after displaying the following pop-up message:<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--6 aem-GridColumn--offset--default--3\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/to-joke-or-not-to-joke-covid-22-brings-disaster-to-mbr\/_jcr_content\/root\/responsivegrid\/image_1631368786.img.png\/1636601861376\/picture8.png\" alt=\"Figure 8. 
Final pop-up message before forcefully rebooting the compromised machine\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 8. Final pop-up message before forcefully rebooting the compromised machine<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>Because the MBR holds the hard drive&#8217;s partition table and acts as the loader for the operating system (OS), the compromised machine can no longer load the OS on reboot. The good news for users is that the malware neither destroys nor steals any files on the compromised device, so the victim can still recover user files from the hard drive. The malware also does not demand a ransom.<\/p>\n<p>While the result is almost identical to that of another MBR wiper that Sonicwall posted a\u00a0<a href=\"https:\/\/securitynews.sonicwall.com\/xmlpost\/coronavirus-trojan-overwriting-the-mbr\/\" target=\"_blank\">blog<\/a>\u00a0about in April 2020, our analysis did not show any resemblance between the two wiper codes. This newer variant simply overwrites the MBR with zeroes.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--6 aem-GridColumn--offset--default--3\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/to-joke-or-not-to-joke-covid-22-brings-disaster-to-mbr\/_jcr_content\/root\/responsivegrid\/image_56090942.img.png\/1636601988785\/screen-shot-2021-11-10-at-7.22.10-pm.png\" alt=\"Covid-22\"\/>         <\/noscript>                   <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<h2>How to Repair a Damaged MBR<\/h2>\n<p>Fixing an MBR is relatively easy in modern Windows. After the affected machine reboots (sometimes it requires a few reboots), the system enters automatic repair mode. 
First, choose Advanced Options, then Troubleshoot. A further Advanced Options screen should then let you open the Command Prompt. From the Command Prompt, type and run &quot;bootrec.exe \/fixmbr&quot;.<\/p>\n<p>An alternative and more straightforward option is to choose Startup Repair from the same screen instead of opening the Command Prompt. The downside of selecting Startup Repair is that it takes longer to complete the job.<\/p>\n<p>If automatic repair mode does not kick in for some reason, you&#8217;ll need to boot the system from a recovery disk or drive. Note that you&#8217;ll need to change your BIOS settings so that the system boots from the recovery media first; otherwise it will try to boot from the overwritten MBR and fail with a boot error. Once the system has booted from the recovery media, you should be able to open the command prompt and run &quot;bootrec.exe \/fixmbr&quot;.<\/p>\n<p>It is also vital to remind system administrators of the importance of backing up data to external storage in case any files are ever damaged, encrypted, or destroyed. You will also want to create recovery media beforehand; otherwise you will need a working machine to create it, which can be difficult for home users after the damage is done.<\/p>\n<h2>Conclusion on\u00a0COVID-22 Brings Disaster to MBR<\/h2>\n<p>What looks to be a mere joke program is designed to bring destruction to impacted systems. This time, luck was on the victim&#8217;s side, as the malware did not touch any user data, but the user may not be so lucky next time. Imagine if the files on the compromised machine had been encrypted or destroyed and could not be recovered. 
Always be mindful of executing unknown files received from the internet.<\/p>\n<h2>Fortinet Protections<br \/> <\/h2>\n<p>Fortinet customers are already protected from this malware by the FortiGuard Labs AntiVirus Service\u00a0as used by <a href=\"https:\/\/www.fortinet.com\/products\/next-generation-firewall.html?utm_source=blog&amp;utm_campaign=fortigate\">FortiGate<\/a>, <a href=\"https:\/\/www.fortinet.com\/products\/endpoint-security\/forticlient.html?utm_source=blog&amp;utm_campaign=endpoint-web-page\">FortiClient<\/a> and <a href=\"https:\/\/www.fortinet.com\/products\/email-security\/fortimail.html?utm_source=blog&amp;utm_campaign=fortimail-main-page\">FortiMail<\/a>, and by <a href=\"https:\/\/www.fortinet.com\/products\/endpoint-security\/fortiedr.html?utm_source=blog&amp;utm_campaign=fortiedr\">FortiEDR<\/a> as follows: <\/p>\n<p>W32\/Ursu.558C!tr<br \/> Malicious_Behavior.SB<br \/> VBS\/BadJoke.8A6B!tr<br \/> VBS\/BadJoke.7182!tr<br \/> VBS\/BadJoke.84AB!tr<br \/> VBS\/BadJoke.0C12!tr<br \/> VBS\/BadJoke.DF52!tr<br \/> W32\/BadJoke.DCAB!tr<\/p>\n<p>FortiEDR detects the downloaded executable file as malicious based on its behavior.<\/p>\n<h2>IOCs<\/h2>\n<p><b><i>Sample SHA-256:<\/i><\/b><\/p>\n<\/p><\/div>\n<div class=\"raw-import aem-GridColumn aem-GridColumn--default--12\">\n<div class=\"text-container\">\n<\/p><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<p><a href=\"https:\/\/www.fortinet.com\/blog\/threat-research\/to-joke-or-not-to-joke-covid-22-brings-disaster-to-mbr\" target=\"bwo\" >http:\/\/feeds.feedburner.com\/fortinet\/blog\/threat-research<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><img decoding=\"async\" src=\"\/blog\/threat-research\/to-joke-or-not-to-joke-covid-22-brings-disaster-to-mbr\/_jcr_content\/root\/responsivegrid\/image.img.png\/1636601410877\/picture1.png\"\/><br \/>FortiGuard Labs discovered a destructive malware that looks to be a joke program posing as a mysterious COVID-related installer. This new destructive malware variant is designed to simply render affected systems inoperable. 
Learn more about how it brings disaster to MBR.<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10424,10378],"tags":[],"class_list":["post-17984","post","type-post","status-publish","format-standard","hentry","category-fortinet","category-security"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/17984","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=17984"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/17984\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=17984"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=17984"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=17984"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}