Security researchers are monitoring the spread of "Shamoon", a new piece of destructive malware first discovered last Thursday. This new worm, which is also known as Disttrack, affects Windows 95, Windows 98, Windows XP, Windows 2000, Windows Vista, Windows NT, Windows ME, Windows 7, Windows Server 2003 and Windows Server 2008.
It's unclear who is behind the attack, but researchers suspect it's being used in targeted attacks against specific companies. The virus steals information and can overwrite the master boot record (MBR) to render PCs useless.
The malware consists of a 900KB folder that contains a number of "encrypted resources", according to Kaspersky Labs. One of these has a signed disk driver from EldoS, a corporate security component provider, which is used for raw disk access by the malware's components.
In an analysis, malware detection company Seculert concluded that Shamoon uses a two-stage attack. First it infects a computer connected to the internet and turns this into a proxy to communicate back with the malware's command-and-control server. After that, it branches out to other computers on the corporate network, steals information, then executes its payload and wipes the machines. Finally, it communicates this to the external command-and-control server.