An Analysis of the “Destructive” Malware Behind FBI Warnings
2014-12-03 • Trend Micro
Trend Micro analyzed the WIPALL destructive malware after an FBI warning to U.S. businesses following the Sony Pictures attack, detecting the main installer (`diskpartmg16.exe`) as `BKDR_WIPALL.A`. The malware used XOR-encrypted credential lists to log into shared network resources, dropped `igfxtrayex.exe` (detected as `BKDR_WIPALL.B`), stopped the Microsoft Exchange Information Store service, deleted files across fixed and network drives, launched `taskhost{random}` copies that dropped `iissvr.exe` and `usbdrv32.sys`, and attempted to overwrite physical drives before forcing a reboot. A later update described `BKDR_WIPALL.D` dropping `BKDR_WIPALL.C`, which placed a `walls.bmp` wallpaper bearing `hacked by #GOP`, matching reports from the Sony Pictures compromise. The article predates later public attribution and should be treated as malware-family analysis rather than a direct DPRK attribution claim.
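As an added illustration of how a defender could turn the behaviours above into host-level detection logic (this is example code written for this page, not Trend Micro's own tooling), the following script matches constructed process- and file-creation events against the WIPALL indicators named in the write-up: the dropped component names, the `taskhost{random}` lookalikes (distinguished from the legitimate `taskhost.exe` / `taskhostw.exe`), a stop of the Exchange Information Store service (assumed here to be issued via `net` or `sc` against the service name `MSExchangeIS`), and the `walls.bmp` wallpaper drop. The sample telemetry and the two-indicator threshold are assumptions, not data from the incident.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Component names taken from the WIPALL analysis summarised above.
WIPALL_IMAGES = {"diskpartmg16.exe", "igfxtrayex.exe", "iissvr.exe", "usbdrv32.sys"}
# WIPALL launches copies named taskhost{random}; exclude the real taskhost.exe / taskhostw.exe.
TASKHOST_RE = re.compile(r"^taskhost(?!w?\.exe$)[a-z0-9]+\.exe$", re.IGNORECASE)
# MSExchangeIS is the Exchange Information Store service; stop via net/sc is an assumption.
EXCHANGE_STOP_RE = re.compile(r"\b(net|sc)(\.exe)?\s+stop\s+\"?msexchangeis\b", re.IGNORECASE)


@dataclass
class Event:
    host: str
    image: str          # basename of the created process
    cmdline: str
    target: str = ""    # path written, if this is a file-creation event


def classify(ev: Event) -> list[str]:
    """Return the WIPALL indicators matched by one event (empty list if none)."""
    hits = []
    name = ev.image.lower()
    if name in WIPALL_IMAGES:
        hits.append(f"known WIPALL component: {name}")
    if TASKHOST_RE.match(name):
        hits.append(f"taskhost lookalike: {name}")
    if EXCHANGE_STOP_RE.search(ev.cmdline):
        hits.append("Exchange Information Store service stopped")
    if ev.target.lower().endswith("walls.bmp"):
        hits.append("walls.bmp wallpaper dropped")
    return hits


def scan(events: list[Event]) -> dict[str, tuple[set[str], bool]]:
    """Group distinct indicators per host; two or more marks the host as likely wiped."""
    per_host: dict[str, set[str]] = {}
    for ev in events:
        for hit in classify(ev):
            per_host.setdefault(ev.host, set()).add(hit)
    return {host: (hits, len(hits) >= 2) for host, hits in per_host.items()}


# Constructed sample telemetry; not real logs from the Sony Pictures incident.
SAMPLE = [
    Event("srv01", "diskpartmg16.exe", "diskpartmg16.exe -i"),
    Event("srv01", "net.exe", 'net stop "MSExchangeIS" /y'),
    Event("srv01", "taskhostab12.exe", "taskhostab12.exe"),
    Event("ws07", "taskhostw.exe", "taskhostw.exe"),              # legitimate Windows process
    Event("ws07", "explorer.exe", "", target=r"C:\Windows\walls.bmp"),
]
```

Running `scan(SAMPLE)` flags `srv01` on three distinct indicators while `ws07` shows only the wallpaper drop and stays below the threshold.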