In a word, destructive, the tale of W32/Scar-H

Filed Under: Malware, SophosLabs

Very rarely nowadays do we find a piece of malware whose sole intent and purpose is to destroy the victim computer. W32/Scar-H is one of those über-twisted examples: to all intents and purposes it detonates a bomb on the victim's machine.

At first glance W32/Scar-H is like any ordinary Autorun worm making its way from victim to victim. When first run it creates the following files:

<System>\ntldr.exe (copy of self)
<Root>\WinNT.exe (copy of self)
<Root>\AutoRun.inf

It spreads to any device that is mapped to a drive letter by creating the following files in the root of that drive, with the hidden attribute set on each:

<Root>\WinNT.exe (copy of self)
<Root>\AutoRun.inf (to execute WinNT.exe when the drive is accessed)

Here is where the rampage begins. W32/Scar-H systematically replaces every file on the C: drive ending with the extension .exe with a copy of itself, starting with the files in the <System> directory. The filenames of the replaced files remain unchanged, and that is what makes the mixture explosive: Windows and the user keep invoking the same familiar names, and every one of them now runs the worm.

With every .exe on the C: drive being overwritten, an application crash is a guaranteed event. The default post-mortem debugger on Windows 2000/XP/Server 2003 is <System>\Drwtsn32.exe (Dr. Watson), which captures a crash log and a process dump that can optionally be submitted to Microsoft as an error report; Windows locates it through the Debugger value under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug. W32/Scar-H has already conveniently replaced Drwtsn32.exe with a copy of itself, so every time Windows calls Drwtsn32.exe to handle an unhandled exception, it actually starts yet another W32/Scar-H process. Each of those can fault in turn, so the calling of Drwtsn32.exe carries on recursively and indefinitely until the victim computer becomes completely unresponsive. A reboot of the computer displays

Windows could not start because the following file is missing or corrupt:
<Windows root>\system32\ntoskrnl.exe
Please re-install a copy of the above file.

That message tells us that W32/Scar-H has successfully replaced ntoskrnl.exe in <System> with a copy of itself. Ntoskrnl.exe is the kernel image for the Windows NT family, and without a valid one the machine cannot boot at all. Restoring ntoskrnl.exe is only a small part of the overall cleanup, though: every other .exe on the C: drive has been replaced as well, and each has to be restored from trusted media before the system is up and running once more.
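The two behaviours described above, the AutoRun.inf that launches a hidden copy in the drive root and the overwriting of every .exe with byte-identical copies under their original names, are exactly what a responder triaging a pulled disk should look for. The following is an added example, not SophosLabs code and not derived from the worm's own code: it parses a drive-root AutoRun.inf for the executables it would launch, then hashes every .exe on a mounted volume and clusters files whose bytes are identical but whose names differ, which is the fingerprint of a self-copying overwriter like this one. The volume path, the AutoRun.inf contents and the sample binaries in the fixture are constructed for the demonstration, since the post does not reproduce the real files.

```python
"""Offline triage for a W32/Scar-H style infection on a mounted volume.

Added example (not SophosLabs code). Checks: (1) which executable the
drive-root AutoRun.inf launches, (2) which .exe files on the volume are
byte-identical under different names, i.e. copies of one worm body.
"""
import hashlib
import os
import stat
import tempfile
from collections import defaultdict
from pathlib import Path

# Names the write-up reports as overwritten; a cluster containing any of
# these is evidence of the Dr. Watson / kernel-image damage described.
CRITICAL_NAMES = {"drwtsn32.exe", "ntoskrnl.exe", "ntldr.exe", "winnt.exe"}


def parse_autorun(text):
    """Return, in order and without duplicates, the executables an AutoRun.inf
    would launch: 'open', 'shellexecute' and any 'shell\\<verb>\\command' key
    inside the [autorun] section. Keys outside that section are ignored."""
    targets = []
    in_autorun = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if not in_autorun or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        key = key.lower()
        launches = key in ("open", "shellexecute") or (
            key.startswith("shell\\") and key.endswith("\\command"))
        if launches and value and value not in targets:
            targets.append(value)
    return targets


def is_hidden(path):
    """True if the file carries the Windows hidden attribute (on POSIX hosts
    st_file_attributes is absent, so this is always False there)."""
    attrs = getattr(os.stat(path), "st_file_attributes", 0)
    return bool(attrs & stat.FILE_ATTRIBUTE_HIDDEN)


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def find_self_copies(root, min_names=3):
    """Group every .exe under root by SHA-256 and return {hash: [names]} for
    hashes seen under at least min_names distinct filenames. Legitimate
    software rarely ships byte-identical binaries under many names."""
    by_hash = defaultdict(set)
    for p in Path(root).rglob("*"):
        if p.is_file() and p.suffix.lower() == ".exe":
            by_hash[sha256_of(p)].add(p.name.lower())
    return {h: sorted(n) for h, n in by_hash.items() if len(n) >= min_names}


def triage_volume(root):
    """Run both checks against a mounted volume root and return a report."""
    root = Path(root)
    report = {"autorun_targets": [], "hidden_autorun": False,
              "clusters": {}, "critical_hit": []}
    inf = root / "AutoRun.inf"
    if inf.exists():
        report["autorun_targets"] = parse_autorun(inf.read_text(errors="replace"))
        report["hidden_autorun"] = is_hidden(inf)
    report["clusters"] = find_self_copies(root)
    for names in report["clusters"].values():
        report["critical_hit"].extend(sorted(CRITICAL_NAMES & set(names)))
    return report


def build_sample_volume():
    """Constructed fixture (not a real infection): a temp directory laid out
    the way the post describes, with one byte string standing in for the worm."""
    root = Path(tempfile.mkdtemp(prefix="scar_h_"))
    worm = b"MZ" + b"constructed-worm-body-" * 8
    (root / "AutoRun.inf").write_text(
        "[autorun]\nopen=WinNT.exe\nshell\\open\\command=WinNT.exe\n")
    for rel in ("WinNT.exe", "system32/ntldr.exe",
                "system32/drwtsn32.exe", "system32/ntoskrnl.exe"):
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(worm)
    # Two untouched programs with unique bytes must not be clustered.
    (root / "system32" / "notepad.exe").write_bytes(b"MZ-notepad")
    (root / "Program Files" / "app").mkdir(parents=True, exist_ok=True)
    (root / "Program Files" / "app" / "app.exe").write_bytes(b"MZ-app")
    return root


if __name__ == "__main__":
    r = triage_volume(build_sample_volume())
    print("AutoRun launches:", r["autorun_targets"])
    for h, names in r["clusters"].items():
        print(f"{h[:16]}... appears as {len(names)} files: {', '.join(names)}")
    print("critical system binaries overwritten:", r["critical_hit"])
```

Run it against a volume mounted read-only rather than the live machine: on an infected box every .exe you might reach for, including the debugger, is the worm. The hidden-attribute check only means something when the script runs on Windows; on a Linux forensic workstation use the NTFS tooling of your choice for that bit. The AeDebug Debugger value is a separate registry check and is not covered by this script.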
