It's unclear who is behind the attack but researchers suspect it's being used in targeted attacks against specific companies. The virus steals information and can overwrite the master boot record (MBR) to render PCs useless.
The malware consists of a 900KB folder that contains a number of "encrypted resources", according to Kaspersky Labs. One of these has a signed disk driver from EldoS, a corporate security component provider, which is used for raw disk access by the malware's components.Source: ZD Net
In an analysis, malware detection company Seculert concluded that Shamoon uses a two-stage attack. First it infects a computer connected to the internet and turns this into a proxy to communicate back with the malware's command-and-control server. After that, it branches out to other computers on the corporate network, steals information, then executes its payload and wipes the machines. Finally, it communicates this to the external command-and-control server.