{
	"id": "03da9fce-c12e-4d8c-90c2-d9ca8e6293c0",
	"created_at": "2026-04-06T00:18:46.40761Z",
	"updated_at": "2026-04-10T13:11:25.411308Z",
	"deleted_at": null,
	"sha1_hash": "b01af5405962ca1993d987246880216a2ddcd940",
	"title": "CoViper locking down computers during lockdown",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2447217,
	"plain_text": "CoViper locking down computers during lockdown\r\nBy Threat Research Team\r\nArchived: 2026-04-05 14:26:37 UTC\r\nCoViper is a new wiper malware family taking advantage of the COVID-19 crisis. Based on what we discovered during our analysis, we have reason to believe that it is attracting victims by masquerading as a file related to the coronavirus. The wiper breaks an infected computer’s boot operation by rewriting the Master Boot Record (MBR) located on the computer’s disk. The MBR contains valuable information about how the OS should be booted on the PC. If the MBR is damaged, the PC will most likely remain non-functional, because it cannot be booted as usual. A skilled user could reinstall their MBR to recover their PC and files, or use other bootable media devices.\r\nThis particular malware family is sometimes also called the “MBR wiper”, or even “MBR locker”. MBR lockers are often used in combination with ransomware where the ransom note is displayed to the victim. In this case, however, the MBR is simply destroyed; no ransom is demanded. It’s possible that CoViper could be an early version of malware which will later turn into ransomware, as we will describe further down in the post.\r\nAnalysis\r\nCoViper is distributed as an installer written in PureBasic, with all interesting files packed as resources. CoViper is composed of several binaries and scripts. These files are dropped into the computer’s temporary folder ( %TEMP% , usually the absolute path is C:\\Users\\\u003cusername\u003e\\AppData\\Local\\Temp\\ ), created using the GetTempFileNameA API function.\r\nWe will describe the purpose of these files later on. As a brief overview, here’s a short summary of the files CoViper drops into the temp folder:\r\ncoronavirus.bat – a stager that installs the malware and secures its persistence\r\nend.exe – a wiper written in Delphi. Its purpose is to rewrite the MBR, effectively preventing the PC from booting normally\r\nmainWindow.exe – launches a GUI with an image of the (corona)virus\r\nrun.exe – a binary ensuring persistence, starting the mainWindow.exe process. This is performed by an intermediate script called run.bat\r\nUpdate.vbs – currently a non-functional (not yet fully implemented) script, presumably designed to update the malware to a newer version\r\ncursor.cur – a cursor file which is set as the new cursor’s appearance\r\nwallpaper.jpg – a black wallpaper, set as the default desktop background on the victim’s PC\r\nThe Installation – coronavirus.bat\r\nThis simple coronavirus.bat script is used to install the malware onto the victim’s computer. The script also copies all the dropped files from the temporary folder into a new, hidden folder, called COVID-19, in the user’s home directory.\r\nhttps://decoded.avast.io/janrubin/coviper-locking-down-computers-during-lockdown/\r\nPage 1 of 7\r\nFurthermore, the script changes registry keys to ensure persistence on the system, and restarts the system with a five-second delay once the script has finished running. As we can see from the code below, the restart will effectively execute three files: Update.vbs , run.exe , and end.exe .\r\nNote that the script is a little verbose, informing the user that the “coronavirus Installer” is working and, after the script finishes, “coronavirus sucessfully installed” (not our typo) and “Your computer will restart in 5 seconds to finish the installation :)” are shown as well. While adding a smiley may be used to ease the pain of what’s to come, it’s a little too much for our liking.\r\nThe contents of the coronavirus.bat script can be found below:\r\nIn addition to the persistence and disabling the UAC by modifying the EnableLUA registry key, the malware also prevents the user from starting the Task Manager, which will become “handy” in the next stage, because the user will lose the ability to kill the malware process. However, the Task Manager is the only tool it disables, so using e.g. Process Explorer would still be possible.\r\nThe coronavirus.bat script also changes the appearance of the user’s mouse cursor and changes the desktop wallpaper to black. It prevents the user from changing the wallpaper to any other image (unless the user changes the registry entry back again).\r\nScreen showing coronavirus.bat was successfully installed\r\nFirst Reboot\r\nLet’s now focus on what the other scripts and binaries do after the first reboot.\r\nUpdate.vbs\r\nWe suspect the Update.vbs VisualBasic script is unfinished and will probably serve as an update mechanism for future versions of CoViper. Right now, the script only contains two lines of code, effectively doing nothing:\r\nIn other words, it waits two minutes and then displays a message which tells the user to contact their administrator or fix their internet connection. In fact, this only means that the update mechanism has not been implemented yet.\r\nrun.exe\r\nThe run.exe binary is a UPX-packed file. Unpacking the file reveals that it is almost the same as the initial PureBasic installer we got our hands on. The difference is that the file doesn’t contain the scripts and binaries that were previously present in the binary and dropped onto the disk afterwards. Instead, it executes a run.bat script which performs several additional operations on the victim’s system.\r\nThe script ensures the malware’s persistence once again (the whole list of changed registry keys can be found at the end of this blog post in the IoC section). There is no difference between the persistence in this bat script and the coronavirus.bat script, but there is a difference in the infinite run loop which repeatedly executes the mainWindow.exe binary every time it is closed by the user. As mentioned before, the user cannot use Task Manager to kill this process, making it rather annoying.\r\nThe infinite run loop present in the run.bat script can be found below:\r\nmainWindow.exe\r\nmainWindow.exe is a binary written in VisualBasic. It has no apparent purpose other than to annoy the user. A window with an image of the (corona)virus is displayed. Also, two buttons are available to the user, “Help” and “Remove virus”. The help button displays a rather “helpful” text informing the user not to “WAST HIS TIME” (again the typo is included in the program) and that the computer is infected with the “coronavirus” and it cannot be stopped. The “Remove virus” button’s functionality is not currently implemented. It is unclear at this stage whether the malware will possibly become ransomware in the future, instructing the user to pay up by offering a list of payment methods after clicking this button.\r\nmainWindow.exe: Help button is rather helpful\r\nend.exe\r\nWith such a characteristic name, it’s no surprise that “The End” is near and the malicious process is almost finished. The end.exe is truly the last stage of CoViper and it holds the wiper’s core functionality. It is written in Borland Delphi.\r\nThe purpose of this process is to rewrite the infected computer’s MBR with the attacker’s own code. This results in a non-functional booting mechanism, leading to the inability to start the PC properly and boot the system. However, we found something interesting in the assembly. That is, before the MBR is replaced, a backup of it is created. This would indicate that some kind of failsafe could be implemented further in the code.\r\nThe backup is written after the new MBR, i.e. starting at the 0x200 byte offset. Furthermore, we can see that after the backup, some interesting memory bytes (strings) are copied as well, at the 0x400 offset.\r\nThe result can be illustrated with this image:\r\nAn illustration of the MBR data structure, created by the malware\r\nInstead of a standard MBR, this code is inserted:\r\nDespite the code being short, it is enough to break the regular booting mechanism (a full MBR dump can be downloaded here). This code also prints two strings on the screen (see picture below in the Second Reboot section). As we suspected from the memory copy of strings above, the first string is the author’s credential signature:\r\n“Created By Angel Castillo. Your Computer Has Been Trashed.”\r\nThe second is a Discord server where the victim can reach the author:\r\nDiscord: Windows Vista#3294\r\nAfter the execution of end.exe , no other action is performed. The user is left helpless and the final act of the tragedy is the user’s final performance.\r\nSecond Reboot\r\nThe Task Manager is a “task managing” tool that most users are familiar with, and the victim most likely cannot close the mainWindow.exe process without it. As we all know, the obvious solution for any IT problem is to turn the device off and on again. This will, however, “kill” the victim’s computer, making it unusable, unless the victim is tech savvy and can reinstall the MBR.\r\nUpon restarting the PC, this message is displayed to the victim:\r\nA boot screen with the modified MBR\r\nThe Failsafe\r\nAfter further analysis of the MBR, we have good news! As we suspected, the author did in fact implement a failsafe in the MBR code. We suppose this is implemented in case the malware author accidentally executed the malware on their own PC and/or in case of a request for advice (on the aforementioned Discord server), for example while demanding ransom. This is, however, only speculation.\r\nFrom this MBR assembly, we can see that the program waits for an input. This expected input is in fact CTRL+ALT+ESC . After this key combination, the MBR is replaced with the original one (from the backup performed by end.exe ) and the PC can be restarted and booted normally.\r\nKeep in mind that after the restart, the malware is executed once again (i.e. the end.exe binary). Thus, users should at least first remove the autorun settings, so the whole scenario won’t repeat itself.\r\nFurther Investigation\r\nAs we could see in the previous image, the author of CoViper left a message for us. The aforementioned messages leave us a few clues — the author’s pseudonym and a Discord server that was still online at the time of writing.\r\nFurthermore, we would like to mention that while investigating CoViper, it became clear that this malware was actually generated by a custom tool publicly available on the Internet, for free. Because we have come to the conclusion that the author of this tool is not actually the author of CoViper itself, we will not disclose his name. We will also not disclose the tool’s name so that we don’t bring more attention to it. For further information regarding this topic and our investigation, you can contact us any time at @AvastThreatLabs on Twitter.\r\nIndicators of Compromise (IoC)\r\nA group of elite researchers who like to stay under the radar.\r\nSource: https://decoded.avast.io/janrubin/coviper-locking-down-computers-during-lockdown/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://decoded.avast.io/janrubin/coviper-locking-down-computers-during-lockdown/"
	],
	"report_names": [
		"coviper-locking-down-computers-during-lockdown"
	],
	"threat_actors": [],
	"ts_created_at": 1775434726,
	"ts_updated_at": 1775826685,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b01af5405962ca1993d987246880216a2ddcd940.pdf",
		"text": "https://archive.orkl.eu/b01af5405962ca1993d987246880216a2ddcd940.txt",
		"img": "https://archive.orkl.eu/b01af5405962ca1993d987246880216a2ddcd940.jpg"
	}
}