{
	"id": "03a89c79-231b-4899-b261-aab89cb839de",
	"created_at": "2026-04-06T00:09:11.561013Z",
	"updated_at": "2026-04-10T03:21:10.476619Z",
	"deleted_at": null,
	"sha1_hash": "bc3eccc11b37e8c2ca130f87a4c17f2166aa701d",
	"title": "The Shamoon Attacks | Symantec Connect Community",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 104858,
	"plain_text": "The Shamoon Attacks | Symantec Connect Community\r\nArchived: 2026-04-05 16:13:12 UTC\r\nW32.Disttrack is a new threat that is being used in specific targeted attacks against at least one organization in the\r\nenergy sector.  It is destructive malware that corrupts files on a compromised computer and overwrites the MBR\r\n(Master Boot Record) in an effort to render a computer unusable.\r\nW32.Disttrack consists of several components:\r\n1. Dropper—the main component and source of the original infection. It drops a number of other modules.\r\n2. Wiper—this module is responsible for the destructive functionality of the threat.\r\n3. Reporter—this module is responsible for reporting infection information back to the attacker.\r\nDropper Component\r\nThe Dropper component performs the following actions:\r\nCopies itself to %System%\\trksvr.exe\r\nDrops the following files embedded into resources:\r\nA 64-bit version of the dropper component: %System%\\trksrv.exe (contained in the “X509”\r\nresource)\r\nReporter component: %System%\\netinit.exe (contained in the \"PKCS7\" resource)\r\nWiper component: %System%\\[NAME SELECTED FROM LIST].exe (contained in the \"PKCS12\"\r\nresource)\r\nNote: The name of the component is selected from the following list:\r\ncaclsrv\r\ncertutl\r\nclean\r\nctrl\r\ndfrag\r\ndnslookup\r\ndvdquery\r\nevent\r\nextract\r\nfindfile\r\nfsutl\r\ngpget\r\niissrv\r\nipsecure\r\nmsinit\r\nntx\r\nhttps://web.archive.org/web/20120818235442/https://www.symantec.com/connect/blogs/shamoon-attacks\r\nPage 1 of 4\n\nntdsutl\r\nntfrsutil\r\nntnw\r\npower\r\nrdsadmin\r\nregsys\r\nrouteman\r\nrrasrv\r\nsacses\r\nsfmsc\r\nsigver\r\nsmbinit\r\nwcscript\r\nCopies itself to the following network shares:\r\nADMIN$\r\nC$\\\\WINDOWS\r\nD$\\\\WINDOWS\r\nE$\\\\WINDOWS\r\nCreates a task to execute itself\r\nCreates the following service to start itself whenever Windows starts:\r\nService name: TrkSvr\r\nDisplay name: Distributed Link Tracking Server\r\nImage path: %System%\\trksvr.exe\r\nWiper Component\r\nThe Wiper component includes the following functionality:\r\nDeletes an existing driver from the following location and overwrites it with another legitimate driver:\r\n%System%\\drivers\\drdisk.sys\r\nThe device driver is a clean disk driver that enables user-mode applications to read and write to disk\r\nsectors. The driver is used to overwrite the computer’s MBR but may be used for legitimate\r\npurposes.\r\nThe file is digitally signed\r\nExecutes the following commands, which collect the names of the files that will be overwritten and write them to\r\nf1.inf and f2.inf:\r\nFiles from the f1.inf and f2.inf will be overwritten with the JPEG image shown below. Overwritten files are\r\nthus rendered useless.\r\nFigure 1. Image used to overwrite files\r\nFinally, the component will overwrite the MBR so that the compromised computer can no longer start.\r\nThe following string that points to the location of debug symbols was left in the Wiper component of this threat\r\nand gives an idea of where the component was located on the developer’s computer:\r\nC:\\Shamoon\\ArabianGulf\\wiper\\release\\wiper.pdb\r\nReporter Component\r\nThe Reporter component is responsible for sending infection information back to the attacker. Information is sent\r\nas an HTTP GET request and is structured as follows:\r\nhttp://[DOMAIN]/ajax_modal/modal/data.asp?mydata=[MYDATA]\u0026uid=[UID]\u0026state=[STATE]\r\nThe following data is sent to the attacker:\r\n[DOMAIN]—a domain name\r\n[MYDATA]—a number that specifies how many files were overwritten\r\n[UID]—the IP address of the compromised computer\r\n[STATE]—a random number\r\nThreats with such destructive payloads are unusual and are not typical of targeted attacks. Symantec Security\r\nResponse is continuing to analyze this threat and will post more information as it becomes available. Symantec\r\ncustomers are protected from this threat, which our security products detect as W32.Disttrack.\r\nSource: https://web.archive.org/web/20120818235442/https://www.symantec.com/connect/blogs/shamoon-attacks",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://web.archive.org/web/20120818235442/https://www.symantec.com/connect/blogs/shamoon-attacks"
	],
	"report_names": [
		"shamoon-attacks"
	],
	"threat_actors": [],
	"ts_created_at": 1775434151,
	"ts_updated_at": 1775791270,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/bc3eccc11b37e8c2ca130f87a4c17f2166aa701d.pdf",
		"text": "https://archive.orkl.eu/bc3eccc11b37e8c2ca130f87a4c17f2166aa701d.txt",
		"img": "https://archive.orkl.eu/bc3eccc11b37e8c2ca130f87a4c17f2166aa701d.jpg"
	}
}