{
	"id": "fc782fc0-1052-4228-b682-2a81fdc171bb",
	"created_at": "2026-04-06T00:16:26.937798Z",
	"updated_at": "2026-04-10T03:21:28.895047Z",
	"deleted_at": null,
	"sha1_hash": "a88e6688f4ca682f65e9e9afdca8027e923d013d",
	"title": "FortiGuard Labs Discovers New Covid-22 Malware Targeting MBR | FortiGuard Labs",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 68682,
	"plain_text": "FortiGuard Labs Discovers New Covid-22 Malware Targeting\r\nMBR | FortiGuard Labs\r\nBy Shunichi Imano and Fred Gutierrez\r\nPublished: 2021-11-11 · Archived: 2026-04-05 22:37:02 UTC\r\nEven now, almost two years after the COVID-19 pandemic started, there is no sign that cybercriminals will stop\r\ntaking advantage of the situation as an attack vector. This time, however, this attacker uses a COVID pandemic\r\nthat has not yet happened as bait. FortiGuard Labs recently discovered a new malware posing as a mysterious\r\nCovid-22 installer. While containing many of the features of \"joke\" malware, it is also destructive, causing\r\ninfected machines to fail to boot. Because it has no features for encrypting data demanding a ransom to undo the\r\ndamage it inflicts, it is instead a new destructive malware variant designed to render affected systems inoperable.\r\nThis blog explains how this malware works.\r\nAffected platforms: Microsoft Windows\r\nImpacted parties: Windows Users\r\nImpact: Unable to boot the machine\r\nSeverity level: Medium\r\nWhat is Covid-22 Malware?\r\nThe malware file is named Covid22. For those unfamiliar with the naming scheme, COVID-19 is a short form\r\nof Coronavirusdisease, and 19 represents the year the outbreak was first identified. The file name Covid-22 plays\r\noff the current Coronavirus disease but applies that same image of fear and destruction to computers, potentially\r\ncreating a cyber-pandemic in 2022. While we don't know how exactly the malware was distributed, the malware\r\nauthor has tried to weaponize fear as bait to lure victims into opening the file.\r\nCovid-22 Malware in Action\r\nWhile the malware itself is not sophisticated, it does take several actions designed to put fear into the victim\r\nbefore inducing true panic. But before that, when first manually running the file, it asks whether the potential\r\nvictim wants to install Covid-22 on their machine as if it were an application. 
\r\nOnce the victim proceeds with the installation, the malware drops several malicious files before forcefully\r\nrebooting the machine. Dropped files have file names that are simple and self-descriptive of their actions. They are\r\nlisted below in sequence of execution.\r\nCovid22Server.exe executes the commands in the dropped script.txt\r\nlol.vbs creates an endless loop of a MessageBox with \"Your PC has been infected by Covid-22 Corona\r\nVirus! Enjoy the death of your pc!\"\r\nCovid-22 Effects on MBR\r\nhttps://www.fortinet.com/blog/threat-research/to-joke-or-not-to-joke-covid-22-brings-disaster-to-mbr\r\nPage 1 of 4\n\nThese are the classic actions of joke programs usually intended to annoy or make fun of users. But the next\r\nactivity is not laughable at all. The malware drops and executes the malicious WipeMBR.exe wiper malware that\r\ndestroys the Master Boot Record (MBR) by overwriting its first 512 bytes with zeros. The malware then forces the\r\nmachine to reboot after displaying the following pop-up message:\r\nBecause the MBR has information about the partitions of the hard drive and acts as a loader for the operating system\r\n(OS), the compromised machine will not be able to load the OS upon reboot. The good news for the users is that\r\nthe malware does not destroy or steal any files on the compromised device, meaning the victim can still recover\r\nuser files from the hard drive. The malware also does not demand ransom.\r\nWhile the result is almost identical to another MBR wiper that SonicWall posted a blog about in April 2020, our\r\nanalysis did not show any resemblance in their wiper code. This newer variant simply overwrites the MBR with\r\nzeroes.\r\nHow to Repair a Damaged MBR\r\nFixing an MBR is relatively easy in modern Windows. After the affected machine reboots (sometimes it requires a\r\nfew reboots), the system enters automatic repair mode. First, choose Advanced Options, Troubleshoot. 
Another\r\nAdvanced Option should then let you use the Command Prompt. From the Command Prompt, type and run\r\n\"bootrec.exe /fixmbr\".\r\nAn alternative and more straightforward option would be to choose Startup Repair on the screen to run the\r\nCommand Prompt. The downside of selecting Startup Repair is that it will take longer to complete the job.\r\nIf the automatic repair mode does not kick in for some reason, you'll need to boot the system off a recovery disk or\r\ndrive. Note that you'll need to change your BIOS settings to ensure the system boots from the recovery media first,\r\nor else the system will try to boot using the overwritten MBR leading to a boot error. Once the system boots from\r\nrecovery media, you should be able to choose to run the command prompt, whereby the user can run the command\r\n\"bootrec.exe /fixmbr\".\r\nIt is also vital to remind system administrators of the importance of backing up your data on external storage in\r\ncase any of your files are ever damaged, encrypted, or destroyed. You will also want to create recovery media\r\nbeforehand, or else you will need to use a working machine, which can be difficult for home users after the\r\ndamage is done.\r\nConclusion on Covid-22 Brings Disaster to MBR\r\nWhat looks to be a mere joke program is designed to bring destruction to impacted systems. 
This time, luck was\r\non the victim's side as the malware did not touch any user data, but the user may not be so lucky next time.\r\nImagine if the files on the compromised machine had been encrypted or destroyed and could not be recovered.\r\nAlways be mindful of executing unknown files received from the internet.\r\nFortinet Protections\r\nFortinet customers are already protected from this malware by the FortiGuard Labs AntiVirus Service as used by\r\nFortiGate, FortiClient and FortiMail, and by FortiEDR as follows:\r\nW32/Ursu.558C!tr\r\nMalicious_Behavior.SB\r\nVBS/BadJoke.8A6B!tr\r\nVBS/BadJoke.7182!tr\r\nVBS/BadJoke.84AB!tr\r\nVBS/BadJoke.0C12!tr\r\nVBS/BadJoke.DF52!tr\r\nW32/BadJoke.DCAB!tr\r\nFortiEDR detects the downloaded executable file as malicious based on its behavior.\r\nIOCs\r\nSample SHA-256:\r\nSource: https://www.fortinet.com/blog/threat-research/to-joke-or-not-to-joke-covid-22-brings-disaster-to-mbr",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.fortinet.com/blog/threat-research/to-joke-or-not-to-joke-covid-22-brings-disaster-to-mbr"
	],
	"report_names": [
		"to-joke-or-not-to-joke-covid-22-brings-disaster-to-mbr"
	],
	"threat_actors": [],
	"ts_created_at": 1775434586,
	"ts_updated_at": 1775791288,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a88e6688f4ca682f65e9e9afdca8027e923d013d.pdf",
		"text": "https://archive.orkl.eu/a88e6688f4ca682f65e9e9afdca8027e923d013d.txt",
		"img": "https://archive.orkl.eu/a88e6688f4ca682f65e9e9afdca8027e923d013d.jpg"
	}
}