As many of you would probably know several South Korean banks and local media organizations have been impacted by a critical cyber attack. The all victims did not boot anymore.

 

 

 

 

AegisLab has got the virus samples from crashing of computer network of major South Korean banks and TV Broadcasters. 

As the sample we got, the virus overwrites the system's MBR (Master Boot Record) with string "HASTATI".

 

 

The partition table was also destroied.

 

 

The virus include 3 jobs as following:

1. taskkill /F /IM pasvc.exe  => terminate %u300CAhnLab Policy Agent%u300D. (Top Anti-Virus software in South Korea)

2. taskkill /F /IM Clisvc.exe  => terminate%u300CViRobot%u300D(Famous Anti-Virus software in South Korea) 

3. shutdown -r -t 0  => reboot immediately  

 

Obviously, the attack was focus on South Korea.

 

After executing "shutdown -r -t 0" , the blue death screen appears ...

 

 

reboot and then...

 

 

For your internet security, we urge our anti-virus customer to keep signature up to date as possible.

by AegisLab